Synology Products Threatened by Severe OpenSSL Vulnerability

The Taiwanese company Synology has announced that its products are at risk because of recently disclosed OpenSSL vulnerabilities that enable remote code execution (RCE) and denial of service (DoS).

The list of devices susceptible to CVE-2021-3711 and CVE-2021-3712 issues includes DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server.

“Several vulnerabilities allow remote attackers to conduct denial of service attacks or execute arbitrary code through the vulnerable version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server,” the company said.

The first flaw is a heap buffer overflow in the SM2 cryptographic algorithm, which usually results in a crash but can also be exploited by attackers to execute arbitrary code. The second is an out-of-bounds read when processing ASN.1 strings, which can be exploited for DoS attacks or to disclose memory contents such as private keys or other sensitive information.

Although the OpenSSL development team fixed these bugs on August 24, Synology says that the patches for the affected products are not ready yet, and does not give an exact timeline for their release.
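As an added example for this article (not code from the article or from Synology), the following Python check lets a defender tell whether an OpenSSL version string reported by a host predates the release that carries the fix. It assumes the fix release number 1.1.1l from the OpenSSL advisory of 24 August 2021 (the article itself does not give it), and the banners it is run against below are constructed samples in the shape `openssl version` prints. It handles the letter patch suffix of the 1.x line, where 1.1.1k sorts before 1.1.1l, as well as numeric patch levels on 3.x lines.

```python
"""Check whether an OpenSSL version string predates a fixed release.

Added example for this article, not code from the article or from Synology.
It parses the first line of `openssl version` output and compares OpenSSL
style versions, including the letter patch suffix of the 1.x line
(1.1.1k < 1.1.1l), against the release that carries the fix.
"""
import re
from typing import Tuple

# Release that fixed CVE-2021-3711 and CVE-2021-3712 on the 1.1.1 line,
# taken from the OpenSSL advisory of 24 August 2021 (not from the article).
FIXED_VERSION = "1.1.1l"

# Constructed sample banners in the shape `openssl version` prints.
SAMPLE_BANNERS = [
    "OpenSSL 1.1.1k  25 Mar 2021",
    "OpenSSL 1.1.1l  24 Aug 2021",
    "OpenSSL 1.0.2u  20 Dec 2019",
    "OpenSSL 3.0.0 7 sep 2021",
]

# Optional "OpenSSL " prefix, then major.minor.patch and an optional letter suffix.
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, str]


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch, letters) from a banner or bare version."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters


def _letter_rank(letters: str) -> int:
    """Order 1.x patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    rank = 0
    for ch in letters:
        rank = rank * 27 + (ord(ch) - ord("a") + 1)
    return rank


def version_key(v: Version) -> Tuple[int, int, int, int]:
    """Sortable key: numeric parts first, then the letter suffix rank."""
    major, minor, patch, letters = v
    return major, minor, patch, _letter_rank(letters)


def branch(v: Version) -> Tuple[int, ...]:
    """Release line a fix applies to: 1.x lines are major.minor.patch
    (patched by letter), 3.x lines are major.minor (patched by number)."""
    major, minor, patch, _ = v
    return (major, minor) if major >= 3 else (major, minor, patch)


def assess(banner: str, fixed: str = FIXED_VERSION) -> str:
    """Return 'patched', 'unpatched' or 'different-branch' for `banner`."""
    installed = parse_version(banner)
    target = parse_version(fixed)
    if branch(installed) != branch(target):
        # A different release line has its own fixed version; compare
        # against that rather than drawing a conclusion here.
        return "different-branch"
    if version_key(installed) < version_key(target):
        return "unpatched"
    return "patched"


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:34} -> {assess(banner)}")
```

To use it on a real host, pass the first line of `openssl version` to `assess()`; for a different release line, pass that line's own fixed version as the second argument. Keep in mind that the library a vendor ships inside an appliance or package can differ from what a shell on the box reports, so treat the result as a triage aid rather than proof that a product is patched.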

It is also worth mentioning that the NAS manufacturer is working on patches for several other vulnerabilities in DiskStation Manager (DSM).

“Our teams are still actively investigating this potential vulnerability and CVEs will be assigned when more information can be disclosed,” the company told BleepingComputer.

These issues have not yet been assigned CVE IDs, but are known to affect DSM 7.0, DSM 6.2, DSM UC, SkyNAS, and VS960HD.

These issues allow remote authenticated attackers to execute arbitrary commands, and remote attackers to write arbitrary files, through the vulnerable version of DiskStation Manager (DSM).

Synology also added that it is not aware of any exploitation by cybercriminals of the vulnerabilities it disclosed in an advisory posted last week.

Let me remind you that we previously wrote that the Zerologon problem threatens certain QNAP NAS devices.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
