Synology warns of a total of four security holes in certain series of NAS devices. Three of these are classified as critical and allow network attackers to execute arbitrary code on devices. The updated firmware that closes the vulnerabilities is ready.
Out-of-band management
All three critical vulnerabilities lie in the out-of-band (OOB) management of the NAS devices. When decrypting packets, the bounds of a buffer can be overwritten (CVE-2022-27624, CVSS 10, risk “critical”). A similar buffer overflow can occur when processing messages (CVE-2022-27625, CVSS 10, critical).
When shared resources are in use, insufficient synchronization can lead to a so-called race condition, which likewise allows attackers to execute arbitrary commands (CVE-2022-27626, CVSS 10, critical). The flaw in OOB session handling, which permits out-of-bounds memory access and therefore disclosure of confidential information, is rated less serious (CVE-2022-3576, CVSS 5.3, medium).
According to Synology's announcement, DS3622xs+, FS3410 and HD6500 series devices are affected. Diskstation Manager (DSM) version 7.1.1-42962-2 is available for these devices and plugs the security holes. Administrators should download and install the update promptly.
To apply the updated firmware, administrators must select the .pat file containing the update for their device model and installed version from the Synology Download Page and download it. The “DSM Manual Update” page should then be opened in the device UI and the .pat file selected there by clicking “Browse”. The update starts when “Apply” is selected.
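As an added example, not taken from the article or from Synology: a small Python triage helper that parses DSM version strings in the form the article uses (7.1.1-42962-2, with the trailing update number optional) and flags inventory entries for the affected models that still run a build older than the fix. The model list and fixed version come from the article; the inventory entries are constructed.

```python
import re
from typing import List, NamedTuple, Tuple

# Models named in Synology's advisory (per the article) and the fixed DSM build.
AFFECTED_MODELS = {"DS3622xs+", "FS3410", "HD6500"}
FIXED_VERSION = "7.1.1-42962-2"

# major.minor[.patch]-build[-update]; patch and update default to 0 when absent.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?$")


class DsmVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int
    update: int  # the "Update N" suffix; 0 when the base build is installed


def parse_dsm_version(text: str) -> DsmVersion:
    """Parse a DSM version string; raise ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    major, minor, patch, build, update = m.groups()
    return DsmVersion(int(major), int(minor), int(patch or 0), int(build), int(update or 0))


def needs_update(model: str, version: str) -> bool:
    """True when the model is in the advisory and runs a build older than the fix."""
    if model not in AFFECTED_MODELS:
        return False
    # Tuple comparison orders by major, minor, patch, build, then update number.
    return parse_dsm_version(version) < parse_dsm_version(FIXED_VERSION)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (model, version) entries that still need the patch applied."""
    return [(model, ver) for model, ver in inventory if needs_update(model, ver)]


# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE_INVENTORY = [
    ("DS3622xs+", "7.1.1-42962"),    # base build without Update 2: still vulnerable
    ("FS3410", "7.1.1-42962-2"),     # already on the fixed version
    ("HD6500", "7.1-42661-4"),       # older 7.1 build: needs the update
    ("DS920+", "7.0.1-42218"),       # not in the advisory's model list
]

if __name__ == "__main__":
    for model, ver in triage(SAMPLE_INVENTORY):
        print(f"{model} on DSM {ver} needs 7.1.1-42962-2")
```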
Only recently, Synology had to close security holes stemming from the netatalk protocol.
(DMK)