Synology has released an update for its Disk Station Manager (DSM) 6.2 firmware to fix security flaws that were revealed at the Pwn2own security conference in Toronto last December. While updates for DSM 7.1 and 7.0 and router operating systems SRM 1.3 and 1.2 have been available since then, Synology did not disclose any details about the security gaps until last week.
Newly available details explain the vulnerabilities that the updated SRM firmware versions have fixed. One of these vulnerabilities is the “OS Command Injection” vulnerability that allows attackers to execute arbitrary commands and their own code. Another vulnerability in the CGI scripts allows attackers from the network to read arbitrary data. A potential buffer overflow in the CGI components also allows remote attackers to execute injected code.
However, the security notification on the Pwn2own vulnerabilities lacks detailed information, making it difficult to tell which of them the DSM 6.2 update closes. The names in Synology’s acknowledgments do, however, point to a vulnerability that attackers can use to inject malicious code onto the devices from the network.
The first firmware versions to close these gaps were SRM 1.2.5-8227-6 and 1.3-9346-3 and newer. The update for DSM 7.0, to 7.0.1-42218-6 and newer, followed in January. The note does not say when 7.1.1-42962-3 and newer became available. Users of Synology devices running DSM 6.2 should therefore update promptly to 6.2.4-25556-7 or later to close the gaps.