Multiple Vulnerabilities in Synology NAS systems

There is a critical vulnerability in the Netatalk (Apple AFP) software used by Synology NAS devices; attackers could remotely execute malicious code on the device. Security updates are available for affected devices. Synology has also issued two further advisories for vulnerabilities in its software.



The Netatalk Vulnerability

Synology released the security advisory Synology-SA-18:62 about a vulnerability in the Netatalk software. It allows remote attackers to execute arbitrary code via a vulnerable version of Synology DiskStation Manager (DSM) or Synology Router Manager (SRM). The following Synology products are affected:

Product   Severity   Fixed Release Availability
DSM 6.2   Critical   Upgrade to 6.2.1-23824-4 or above.
DSM 6.1   Critical   Upgrade to 6.1.7-15284-3 or above.
DSM 5.2   Critical   Upgrade to 5.2-5967-9 or above.
SkyNAS    Critical   Ongoing
VS960HD   Critical   Upgrade to 2.3.3-1646 or above.
SRM 1.2   Important  Upgrade to 1.2-7742-5 or above.

Note: the vulnerability only comes into play if the Apple AFP (Netatalk) service is enabled on the device, and remote exploitation is only possible if the device and its login interface are reachable from the Internet. AFP listens on TCP port 548 by default; if that port is forwarded or otherwise exposed through the router or firewall, close it (or disable AFP under File Services in DSM's Control Panel) until the update is installed.

Netatalk is a free software suite that implements the Apple Filing Protocol (AFP) and other components of the AppleTalk protocol family on POSIX-compatible operating systems. This article covers only Synology's advisories; anyone running Netatalk on other devices (QNAP, FreeNAS, Linux) should check there as well whether an update is necessary and available.

Vulnerability in Synology Diskstation Manager (DSM)

Synology has also issued the Synology-SA-18:64 DSM advisory for a second vulnerability. It affects the following products:

Product   Severity      Fixed Release Availability
DSM 6.2   Critical      Upgrade to 6.2.1-23824-4 or above.
DSM 6.1   Critical      Upgrade to 6.1.7-15284-3 or above.
DSM 5.2   Critical      Upgrade to 5.2-5967-9 or above.
SkyNAS    Critical      Ongoing
VS960HD   Not affected  N/A

According to a statement from a Synology spokesman to the German site heise.de, all of the upgrades will be made available. If auto-update is enabled on a device, the software should be updated automatically; it is still worth confirming the installed version in DSM afterwards, since the SkyNAS fix is listed as ongoing.

I already reported on the older Magellan vulnerability in December 2018 in the blog post Magellan: Security Advisory Synology-SA-18:61.

Security advisory Synology-SA-18:65 SRM

The company has also released the security advisory Synology-SA-18:65 SRM (thanks to @PhantomOfMobile for the hint).

The vulnerability allows remote attackers to execute arbitrary code via a vulnerable version of Synology Router Manager (SRM). It is rated critical, affects SRM 1.2, and upgrading to 1.2-7742-5 or later should resolve it.
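Whether a given box is covered by the three advisories above comes down to comparing Synology's version strings (product version, build number, and an optional update number, e.g. 6.2.1-23824-4) against the fixed release for its product line. The script below is an added example for this post, not Synology's code: it parses those strings, derives the product line (e.g. "DSM 6.2") from a version, and reports the status per advisory for an installed version. The `read_dsm_version` helper assumes the `productversion`, `buildnumber` and `smallfixnumber` keys of `/etc.defaults/VERSION` as found on DSM 6; the version-file text used in the demo is constructed.

```python
"""Check an installed Synology version against the fixed releases above.

Added example for this post, not Synology's code. The advisory tables are
transcribed from the page; "Ongoing" means no fix yet, None means the
product is listed as not affected.
"""
import re

ADVISORIES = {
    "Synology-SA-18:62": {"DSM 6.2": "6.2.1-23824-4", "DSM 6.1": "6.1.7-15284-3",
                          "DSM 5.2": "5.2-5967-9", "SkyNAS": "Ongoing",
                          "VS960HD": "2.3.3-1646", "SRM 1.2": "1.2-7742-5"},
    "Synology-SA-18:64": {"DSM 6.2": "6.2.1-23824-4", "DSM 6.1": "6.1.7-15284-3",
                          "DSM 5.2": "5.2-5967-9", "SkyNAS": "Ongoing",
                          "VS960HD": None},
    "Synology-SA-18:65": {"SRM 1.2": "1.2-7742-5"},
}

# <product version>-<build number>[-<update number>]
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)(?:-(\d+))?$")


def parse_version(text):
    """'6.2.1-23824-4' -> ((6, 2, 1), 23824, 4); a missing update counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Synology version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, int(m.group(2)), int(m.group(3) or 0)


def product_line(family, version):
    """'DSM', '6.2.1-23824-4' -> 'DSM 6.2', the row key used in the advisory tables."""
    nums, _, _ = parse_version(version)
    return f"{family} {'.'.join(str(n) for n in nums[:2])}"


def assess(product, installed):
    """Return {advisory: status} for one product row and the installed version."""
    result = {}
    for advisory, rows in ADVISORIES.items():
        if product not in rows:
            continue                      # this advisory does not list the product
        fixed = rows[product]
        if fixed is None:
            result[advisory] = "not affected"
        elif fixed == "Ongoing":
            result[advisory] = "vulnerable (no fix released yet)"
        elif parse_version(installed) >= parse_version(fixed):
            result[advisory] = "fixed"    # tuple comparison: version, then build, then update
        else:
            result[advisory] = f"vulnerable (upgrade to {fixed} or above)"
    return result


def read_dsm_version(version_file_text):
    """Build the version string from the key="value" lines of /etc.defaults/VERSION (DSM 6 keys assumed)."""
    kv = dict(re.findall(r'^(\w+)="([^"]*)"', version_file_text, re.M))
    return f"{kv['productversion']}-{kv['buildnumber']}-{kv.get('smallfixnumber', '0')}"


# Constructed sample of a DSM 6.2 version file, one update behind the fix.
SAMPLE_VERSION_FILE = (
    'majorversion="6"\nminorversion="2"\nproductversion="6.2.1"\n'
    'buildphase="hotfix"\nbuildnumber="23824"\nsmallfixnumber="3"\n'
)

if __name__ == "__main__":
    installed = read_dsm_version(SAMPLE_VERSION_FILE)
    line = product_line("DSM", installed)
    for advisory, status in assess(line, installed).items():
        print(f"{line} {installed}: {advisory}: {status}")
```

On a DiskStation you can feed the real file with `read_dsm_version(open("/etc.defaults/VERSION").read())`; for an SRM router use the "SRM" family and the same comparison. Note that the update number matters: 6.2.1-23824-3 is still vulnerable, only -4 and later are fixed.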
