Synology DSM Important Update


Kris404

Regular Contributor
Not sure if all Synology owners got this email but update your DSM guys.

Dear Synology users,

Synology® confirmed known security issues (reported as CVE-2013-6955 and CVE-2013-6987) which would cause compromise to file access authority in DSM. An updated DSM version resolving these issues has been released accordingly.

The following are possible symptoms that may appear on an affected DiskStation or RackStation:

  • Exceptionally high CPU usage detected in Resource Monitor:
    CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names
  • Appearance of a non-Synology folder:
    An automatically created shared folder with the name “startup”, or a non-Synology folder appearing under the path “/root/PWNED”
  • Redirection of the Web Station:
    “Index.php” is redirected to an unexpected page
  • Appearance of a non-Synology CGI program:
    Files with meaningless names exist under the path “/usr/syno/synoman”
  • Appearance of a non-Synology script file:
    Non-Synology script files, such as “S99p.sh”, appear under the path “/usr/syno/etc/rc.d”

If users identify any of the above situations, they are strongly encouraged to do the following:

For DiskStation or RackStation running on DSM 4.3, please follow the instruction here to REINSTALL DSM 4.3-3827.
For DiskStation or RackStation running on DSM 4.0, it’s recommended to REINSTALL DSM 4.0-2259 or onward from Synology Download Center.
For DiskStation or RackStation running on DSM 4.1 or DSM 4.2, it’s recommended to REINSTALL DSM 4.2-3243 or onward from Synology Download Center.

For other users who haven’t encountered the above symptoms, it is recommended to go to the DSM > Control Panel > DSM Update page and update to the versions above to protect the DiskStation from malicious attacks.

Synology has taken immediate action to fix the vulnerability at the point of identifying malicious attacks. As the proliferation of cybercrime and increasingly sophisticated malware evolves, Synology continues to commit resources to mitigating threats and is dedicated to providing the most reliable solutions for users. If users still notice their DiskStation behaving suspiciously after being upgraded to the latest DSM version, please contact security@synology.com.

Sincerely,
Synology Development Team
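As an added example (not part of Kris404's post or the Synology email), a POSIX shell check for the symptoms the email lists, run against an offline snapshot: a directory treated as the NAS root plus a saved `ps` listing. The directory layout and `ps` lines it creates are constructed test data.

```shell
#!/bin/sh
# Added example (not from the Synology email or the forum thread): an offline
# check for the symptoms the advisory lists. ROOT is a directory treated as the
# NAS root (for example a mounted system partition), PS_FILE a saved `ps`
# listing. One "HIT: ..." line is printed per symptom found; nothing if clean.
check_dsm_symptoms() {
    root="$1"; ps_file="$2"

    # Processes with PWNED in the name, or the other names the email lists
    if grep -Ei 'PWNED|minerd|dhcp\.pid|synodns' "$ps_file" >/dev/null 2>&1; then
        echo "HIT: suspicious process names in $ps_file"
    fi
    # Non-Synology folder /root/PWNED
    [ -d "$root/root/PWNED" ] && echo "HIT: $root/root/PWNED exists"
    # Automatically created shared folder "startup" on any volume
    for v in "$root"/volume*/startup; do
        [ -d "$v" ] && echo "HIT: shared folder $v exists"
    done
    # Non-Synology startup script S99p.sh in rc.d
    [ -e "$root/usr/syno/etc/rc.d/S99p.sh" ] && echo "HIT: $root/usr/syno/etc/rc.d/S99p.sh exists"
    return 0
}

# Constructed test data (invented for this example): a fake root showing all
# four symptoms and a ps listing with "minerd" and "PWNEDg" processes.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/root/PWNED" "$dir/usr/syno/etc/rc.d" "$dir/volume1/startup"
    : > "$dir/usr/syno/etc/rc.d/S99p.sh"
    printf '%s\n' '  PID USER COMMAND' '    1 root init' \
        ' 4242 root /tmp/minerd' ' 4310 root PWNEDg' > "$dir/ps.txt"
}

sample=$(mktemp -d)
make_sample_tree "$sample"
check_dsm_symptoms "$sample" "$sample/ps.txt"   # prints 4 HIT lines
rm -rf "$sample"
```

On a live unit, save `ps` output to a file first and pass `/` as ROOT; the "meaningless names under /usr/syno/synoman" symptom needs a known-good file list to compare against, so it is not checked here.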
 
I did receive notice from Synology.
As I read the below, the vulnerabilities apply to what someone may do AFTER being authenticated (login/password) on the NAS.

More info
Per http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6955 ...
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

and
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6987 ...
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/.
 
I have a DS213+ with DSM 4.3-3827 already installed. Do I really need to reinstall? I just got the NAS up & running this weekend.

Sent from my mobile phone.
 
My DS212 had no malware as per the symptoms.
Nonetheless, and since DSM 4.3 has been in use for many months, I just updated to DSM 4.3-3827.
Took 10 minutes.

Checked shares, other computers' access, backups, etc. All seems OK post-update. Rebooted once again for good measure. I have backups a-plenty, on external media.

Good to go.

PS: I found a web site that keeps history (several years) of security issues reported to NIST et al from vendors such as MS and NAS vendors. Synology is not alone... I see QNAP there too. I suppose some of this comes from vulnerabilities in the Linux system upon which many base their NASes.
 
Hi,
I also reinstalled DSM 4.3-3827 on my 713+
 
I did an "update" rather than a re-install. Indeed, I don't know how to do a full re-install.
But after the update, the System Information web page says 4.3-xx
 
Server Down after update !!!

Yes, I also received this e-mail....

And I upgraded my DS108j from DSM 4.0 2228 to the advised version 2262
and now the DS108j won't boot OK (flashing orange light).
Synology Assistant says: "Configuration Lost". And no access to the NAS anymore, no Webman, no SSH, no DiskStation, only the homepage of the webserver shows up (but no other pages...).
The helpdesk of Synology only answers with the "standard" solutions (reset config, re-install) which don't solve the problem.
I managed to retrieve the logfile from the disk (see attached file) and as far as I can see there is now a mismatch between the startup scripts and the installed libraries...
And thanks to Synology there is no way back to the old firmware..
Normally there are ways to bypass this restriction, but they need the WebManager to run.

Does anyone know a way to re-install an old firmware with Synology Assistant without losing the data on the disk ???
 

Attachments

  • messages.shortlog.txt (3.3 KB)
There is a way to downgrade, but it is not advisable. I did it one time and almost lost all of my data (luckily, Synology support fixed it by logging in remotely).

Try reinstalling with the latest Synology assistant from their website.
 
I'd worry that an old DSM 4.0 NAS should have gone from that to 4.1 then 4.3.
The 108 is nearing end of life support, being what, 6 years old?
 
