Synology warns about OpenSSL vulnerability in products (August 26, 2021)

Sicherheit (Pexels, allgemeine Nutzung)[German]Synology has issued a security warning for its products as of August 26, 2021. Multiple vulnerabilities allow remote attackers to perform denial-of-service attacks or execute arbitrary code via a vulnerable version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server. Currently, no product updates seem to be available yet.


Advertising

OpenSSL has released a security update version 1.1.1k) to fix two vulnerabilities CVE-2021-3711 and CVE-2021-3712. The two vulnerabilities CVE-2021-3711 and CVE-2021-3712 in OpenSSL also affect the security of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server. German blog reader Ralf just pointed this out in this comment (thanks for that). Synology has published the security alert Synology-SA-21:24 OpenSSL with details. The two vulnerabilities CVE-2021-3711 and CVE-2021-3712 in OpenSSL also affect the security of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server. The following software products are affected and no security updates are available as of August 26, 2021:

Product Severity Fixed Release Availability
DSM 7.0 Important Ongoing
DSM 6.2 Moderate Ongoing
DSM UC Moderate Ongoing
SkyNAS Moderate Pending
VS960HD Moderate Pending
SRM 1.2 Moderate Ongoing
VPN Plus Server Important Ongoing
VPN Server Moderate Ongoing

Vulnerability CVE-2021-3711 has a CVE score of 8.1 and is rated Important. A flaw in the implementation of the SM2 decryption code could lead to a buffer overflow in the affected routines. An attacker could provoke a buffer overflow via appropriately manipulated content, which leads to a crash of the application. The OpenSLL developers do not say anything about whether code execution is also possible – but Synology does not want to rule this out.

Vulnerability CVE-2021-3712, on the other hand, is rated as moderate. Here, the data structure for implementing ASN.1 strings leads to an attacker being able to create a buffer overflow. This allows the application to be crashed in a targeted manner by manipulated data packets as part of a denial of service attack. Details about both vulnerabilities can be found in the linked security advisories.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in devices, Security and tagged , , . Bookmark the permalink.

1 Response to Synology warns about OpenSSL vulnerability in products (August 26, 2021)

  1. Karl Wester-Ebbinghaus says:

    Wie sieht es denn mit Sophos SSL VPN aus?
    Deren openSSL wurde seit Jahren nicht mehr aktualisiert.

    Ebenso gibt es noch Acronis True Image, Buhl Data Software und einige Spiele die es in ihren Verzeichnissen haben.

Leave a Reply

Your email address will not be published. Required fields are marked *