Synology: Multiple products impacted by OpenSSL RCE vulnerability

Apr 24, 2016
Taiwan-based NAS maker Synology has revealed that recently disclosed remote code execution (RCE) and denial-of-service (DoS) OpenSSL vulnerabilities impact some of its products.

"Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack or execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server," the company explains in a security advisory published earlier today.

The complete list of devices affected by the security flaws tracked as CVE-2021-3711 and CVE-2021-3712 includes DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server.

The first bug is caused by a heap-based buffer overflow in the SM2 cryptographic algorithm which generally leads to crashes but can also be abused by attackers for arbitrary code execution.

The second flaw is a read buffer overrun while processing ASN.1 strings that can be exploited to crash vulnerable apps in DoS attacks or gain access to private memory contents such as private keys or other sensitive info.

Although the OpenSSL development team published OpenSSL 1.1.1l on August 24 to address the two flaws, Synology says that releases for impacted products are either "ongoing" or "pending."
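Because the fix for both flaws is a single OpenSSL release, the practical question for a defender is simply whether a given host still runs a 1.1.1 build older than 1.1.1l. The script below is an added example (not code from the article, Synology, or the OpenSSL project) that parses the banner printed by `openssl version` and classifies it; it treats every 1.1.1 release before 1.1.1l as affected, which matches the OpenSSL advisory, and reports anything outside the 1.1.1 series as "unknown" so the reader consults the advisory rather than trusting a guess. It assumes the standard banner format (`OpenSSL <major>.<minor>.<fix><letter>  <date>`); the sample banners are constructed for illustration. On a Synology appliance the fix ships inside the DSM/SRM update, so the vendor advisory remains the authoritative source there.

```python
import re
import subprocess
from typing import Optional, Tuple

# Per the article: OpenSSL 1.1.1l addresses CVE-2021-3711 and CVE-2021-3712.
FIXED_RELEASE = "1.1.1l"

# Matches banners such as "OpenSSL 1.1.1k  25 Mar 2021" or "OpenSSL 1.1.1  11 Sep 2018".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse an `openssl version` banner into (major, minor, fix, letter).

    Returns None when the banner does not look like an OpenSSL version string.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def letter_rank(letter: str) -> int:
    """Rank the 1.x patch-letter suffix so that '' < 'a' < ... < 'z' < 'za'.

    An empty suffix (the base release) ranks 0; multi-letter suffixes such as
    'za' are treated as base-26 digits so they sort after every single letter.
    """
    rank = 0
    for ch in letter:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank


def assess(banner: str) -> str:
    """Classify a banner as 'affected', 'fixed', or 'unknown' for CVE-2021-3711/3712.

    Only the 1.1.1 series is decided here; other series return 'unknown' so the
    caller checks the OpenSSL advisory instead of relying on an assumption.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 1, 1):
        return "unknown"
    fixed_letter = FIXED_RELEASE[len("1.1.1"):]
    return "fixed" if letter_rank(letter) >= letter_rank(fixed_letter) else "affected"


def local_openssl_banner() -> Optional[str]:
    """Run `openssl version` on this host; None if the binary is missing or fails."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
        return proc.stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Constructed sample banners (not real inventory data) to show each outcome.
    samples = [
        "OpenSSL 1.1.1k  25 Mar 2021",
        "OpenSSL 1.1.1l  24 Aug 2021",
        "OpenSSL 1.1.1  11 Sep 2018",
        "OpenSSL 3.0.0 7 sep 2021",
    ]
    for banner in samples:
        print(f"{banner!r:40} -> {assess(banner)}")
    local = local_openssl_banner()
    if local:
        print(f"this host: {local!r} -> {assess(local)}")
```

The version check is intentionally strict about scope: a banner from a different series is not declared safe, because the page only supports the claim that 1.1.1l is the fixed release for this series.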

While Synology does not provide an estimated timeline for these incoming updates, the company told BleepingComputer earlier this month that it generally patches affected software within 90 days after publishing advisories.

The NAS maker is also working on security updates for multiple DiskStation Manager (DSM) vulnerabilities that have no assigned CVE IDs yet and impact DSM 7.0, DSM 6.2, DSM UC, SkyNAS, and VS960HD.

"Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands, or remote attackers to write arbitrary files via a susceptible version of DiskStation Manager (DSM)," Synology said when it publicly disclosed these security flaws on August 17.

"Our teams are still actively investigating this potential vulnerability and CVEs will be assigned when more information can be disclosed," the company told BleepingComputer last week when asked to share CVE ID info on these DSM bugs.

Synology also added that attackers haven't yet exploited the vulnerabilities disclosed in last week's advisory in the wild.

Earlier this month, the company warned customers that the StealthWorker botnet is targeting their network-attached storage (NAS) devices in brute-force attacks that lead to ransomware infections.