Synology: Multiple products impacted by OpenSSL RCE vulnerability
2021-08-26 19:42

Taiwan-based NAS maker Synology has revealed that recently disclosed remote code execution and denial-of-service OpenSSL vulnerabilities impact some of its products.

"Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack or execute arbitrary code via a susceptible version of Synology DiskStation Manager, Synology Router Manager, VPN Plus Server or VPN Server," the company explains in a security advisory published earlier today.

Although the OpenSSL development team published OpenSSL 1.1.1l on August 24 to address the two flaws, Synology says that releases for impacted products are either "Ongoing" or "Pending."

The NAS maker is also working on security updates for multiple DiskStation Manager vulnerabilities that have no assigned CVE IDs and impact DSM 7.0, DSM 6.2, DSM UC, SkyNAS, and VS960HD. "Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands, or remote attackers to write arbitrary files via a susceptible version of DiskStation Manager," Synology said when it publicly disclosed these security flaws on August 17.

"Our teams are still actively investigating this potential vulnerability and CVEs will be assigned when more information can be disclosed," the company told BleepingComputer last week when asked to share CVE ID info on these DSM bugs.

Synology also added that attackers haven't yet exploited the vulnerabilities disclosed in last week's advisory in the wild.


News URL

https://www.bleepingcomputer.com/news/security/synology-multiple-products-impacted-by-openssl-rce-vulnerability/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 2 12 92 51 16 171