Vulnerability in Synology DSM allows execution of arbitrary commands (updated)
On Synology NAS devices, authenticated attackers could execute unauthorized commands. The manufacturer is working on and rolling out updates to address the issue.
Synology has addressed a security flaw in the DiskStation Manager (DSM) operating system of its NAS devices. The flaw allows authenticated attackers to remotely execute arbitrary commands on an affected NAS. Because the issue exists in both DSM 6.2 and 7.0, it should apply to all current Synology NAS systems, reports Germany-based heise.
The manufacturer classifies the flaw as "critical" but has not yet offered any details on the vulnerability. [Revised] Synology does not state where the attacker has to be logged in; based on the classification, a login to network shares is apparently sufficient. For DSM 6.2, the fix ships in version 6.2.4-25556-5 and later. According to the security report, Synology is presently working on the DSM 7.0 update, which should be ready soon. The update should be offered on NAS devices running DSM; administrators should install it right away.
Update:
Synology has published a patch for DSM 7.0-based NAS devices. Anyone who owns one of these devices should upgrade to version 7.0.1-42218-3 or higher. If you are unable to download it through the NAS, the patch for your device can be found here.
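As an added defender-side check, not code from heise, Synology or the commenters below, the following Python script compares an installed DSM version against the fixed releases named above (6.2.4-25556-5 for DSM 6.2 and 7.0.1-42218-3 for DSM 7.0). The key="value" field names it reads from a DSM VERSION file and the sample file contents are assumptions, not taken from the advisory.

```python
import re

# First build in each branch that contains the fix, as stated in the advisory
# and the update above. Branches not listed are reported as "unknown".
FIXED_RELEASES = {
    (6, 2): "6.2.4-25556-5",
    (7, 0): "7.0.1-42218-3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?$")


def parse_dsm_version(text):
    """Turn 'major.minor[.patch]-build[-hotfix]' into a comparable tuple.

    A missing patch or hotfix component counts as 0, so a bare build such as
    '7.0.1-42218' (no "Update 3" hotfix) sorts below '7.0.1-42218-3'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    major, minor, patch, build, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch, build, hotfix)


def is_fixed(installed):
    """Return (status, fixed_version) for the branch the installed version is on.

    status is 'fixed', 'vulnerable' or 'unknown' (branch not in the advisory).
    """
    v = parse_dsm_version(installed)
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        return ("unknown", None)
    return ("fixed" if v >= parse_dsm_version(fixed) else "vulnerable", fixed)


def version_from_key_value(text):
    """Assemble the version string from a key="value" file of the kind DSM keeps
    on the device (assumed field names: productversion, buildnumber, smallfixnumber)."""
    kv = dict(re.findall(r'^(\w+)="([^"]*)"$', text, re.M))
    return f"{kv['productversion']}-{kv['buildnumber']}-{kv.get('smallfixnumber', '0')}"


# Constructed sample of such a file for a patched DSM 7.0 system.
SAMPLE_VERSION_FILE = '''\
majorversion="7"
minorversion="0"
productversion="7.0.1"
buildnumber="42218"
smallfixnumber="3"
'''

if __name__ == "__main__":
    print(is_fixed(version_from_key_value(SAMPLE_VERSION_FILE)))
```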
Synology:
A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of DiskStation Manager (DSM).
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 7.0 | Important | Ongoing |
| DSM 6.2 | Important | Upgrade to 6.2.4-25556-5 or above. |
Mitigation
None
Detail
Reserved
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2022-02-22 | Initial public release. |
It's fixed for 7.0 too.
Updated the IP blocking list, no open ports to the internet, no remote connection on the NAS and some pfSense restrictions on the LAN.
Active Insights disabled and keep eyes peeled for updates.