Synology Products Threatened by Severe OpenSSL Vulnerability
The Taiwanese company Synology has announced that its products are at risk because of a recently discovered vulnerability in OpenSSL related to remote code execution (RCE) and denial of service (DoS).The list of devices susceptible to CVE-2021-3711 and CVE-2021-3712 issues includes DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server.
The first error is related to a heap buffer overflow in the SM2 cryptographic algorithm, which usually leads to crashes, but can also be exploited by attackers to execute arbitrary code. The second issue relates to a read buffer overflow when processing ASN.1 strings, which can be exploited for DoS attacks or gaining access to memory contents such as private keys or other sensitive information.
Although the OpenSSL development team fixed these bugs on August 24, Synology says that the patches for the affected products are not ready yet, and does not give an exact timeline for their release.
It is also worth mentioning that the NAS manufacturer is working on patches for several other vulnerabilities related to the operation of DiskStation Manager (DSM).
These issues have not yet been assigned CVE IDs, but are known to affect DSM 7.0, DSM 6.2, DSM UC, SkyNAS, and VS960HD.
These issues allow remote authenticated attackers to execute arbitrary commands, and remote attackers can write arbitrary files through the vulnerable version of DiskStation Manager (DSM).
Let me remind you that we wrote that Zerologon Problem Threatens Certain Qnap NAS.