Vulnerability in Synology DSM allows execution of arbitrary commands (updated)


Attackers may be able to execute arbitrary commands on Synology NAS devices. The manufacturer is currently working on and rolling out updates to address the issue.



Synology has addressed a security flaw in its DiskStation Manager (DSM) NAS operating system. The flaw allows authenticated attackers to remotely execute arbitrary commands on the affected NAS. Because the issue exists in both DSM 6.2 and 7.0, this should apply to all current Synology NAS systems, reports Germany-based heise.

The flaw is classified as "critical" by the manufacturer, which has not yet offered any details on the vulnerability. [Revised] Synology does not say where the attacker has to be logged in. Based on the classification, a login to network shares is apparently sufficient. For DSM 6.2, the fix is delivered in version 6.2.4-25556-5 and later. According to the security advisory, Synology is presently working on the DSM 7.0 update, which should be ready soon. The available update should be offered on NAS devices running DSM. Administrators should install it right away.

Update:

Synology has published a patch for DSM 7.0-based NAS devices. Anyone who owns one of these devices should upgrade to version 7.0.1-42218-3 or higher. If you are unable to download it through the NAS, the patch for your device can be found here.
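A fleet check against the two fixed releases named above, as an added example that is not part of the original article or of Synology's advisory. It assumes version strings in the `major.minor[.micro]-build[-update]` notation the article uses; the hostnames and the inventory are constructed sample data.

```python
import re

# Fixed releases named in the article, keyed by DSM branch (major, minor).
FIXED = {
    (6, 2): (6, 2, 4, 25556, 5),   # 6.2.4-25556-5
    (7, 0): (7, 0, 1, 42218, 3),   # 7.0.1-42218-3
}

# major.minor[.micro]-build[-update], the notation used in the article.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?$")


def parse_dsm_version(text):
    """Return (major, minor, micro, build, update); missing parts count as 0."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def assess(version_text):
    """Classify a version as 'patched', 'vulnerable' or 'unknown-branch'."""
    version = parse_dsm_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown-branch"      # branch the article says nothing about
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Map each host to its status; unparsable versions are flagged, not skipped."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = assess(version_text)
        except ValueError:
            report[host] = "unparsable"
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "nas-office": "6.2.4-25556-5",
    "nas-backup": "6.2.4-25556",
    "nas-lab": "7.0.1-42218-2",
    "nas-media": "7.0.1-42218-3",
    "nas-old": "DSM 6.1",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:16} {status}")
```

Hosts reported as `unknown-branch` or `unparsable` need a manual look, since the article only covers the DSM 6.2 and 7.0 branches.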



Synology:

A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of DiskStation Manager (DSM).

Affected Products

Product | Severity | Fixed Release Availability
DSM 7.0 | Important | Ongoing
DSM 6.2 | Important | Upgrade to 6.2.4-25556-5 or above.

Mitigation

None

Detail

Reserved

Revision

Revision | Date | Description
1 | 2022-02-22 | Initial public release.
