Security News > 2021 > August > Synology: Multiple products impacted by OpenSSL RCE vulnerability
Taiwan-based NAS maker Synology has revealed that recently disclosed remote code execution and denial-of-service OpenSSL vulnerabilities impact some of its products.
"Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack or execute arbitrary code via a susceptible version of Synology DiskStation Manager, Synology Router Manager, VPN Plus Server or VPN Server," the company explains in a security advisory published earlier today.
Although the OpenSSL development team published OpenSSL 1.1.1l on August 24 to address the two flaws, Synology says that releases for impacted products are either "Ongoing" or "Pending."
The NAS maker is also working on security updates for multiple DiskStation Manager vulnerabilities that have no assigned CVE IDs and impact DSM 7.0, DSM 6.2, DSM UC, SkyNAS, and VS960HD. "Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands, or remote attackers to write arbitrary files via a susceptible version of DiskStation Manager," Synology said when it publicly disclosed these security flaws on August 17.
"Our teams are still actively investigating this potential vulnerability and CVEs will be assigned when more information can be disclosed," the company told BleepingComputer last week when asked to share CVE ID info on these DSM bugs.
Synology also added that attackers haven't yet exploited the vulnerabilities disclosed in last week's advisory in the wild.