OpenSSL Vulnerabilities Impact Various Synology Products
They Could Be Exploited for Remote Code Execution and DoS Attacks.
Synology has disclosed that several of its products are currently affected by the recently discovered OpenSSL vulnerabilities.
OpenSSL Vulnerabilities: Detailing the Flaws
The identified OpenSSL vulnerabilities could lead to remote code execution (RCE) and denial-of-service (DoS) attacks. They are tracked as CVE-2021-3711 and CVE-2021-3712.
Synology published a security advisory yesterday detailing these flaws. According to the advisory, the bugs have the following characteristics:
- The first vulnerability (CVE-2021-3711) is a heap-based buffer overflow.
- It lies in the implementation of the SM2 cryptographic algorithm.
- It can be exploited for remote code execution or to crash the affected application.
A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small.
- The second vulnerability (CVE-2021-3712) is a read buffer overrun.
- It occurs when ASN.1 strings are processed.
- Malicious actors could exploit it to perform DoS attacks.
- Such attacks can crash the affected application.
- It can also disclose private memory contents (private keys or other sensitive data).
If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext).
Regarding Synology flaws, our CEO, Morten Kjaersgaard, had a personal experience with his home Synology NAS Server when he received a brute force attack alert. If you want to read more about how he almost got hacked, check out his story.
What Devices Are Impacted?
According to the same security advisory, the products affected by these OpenSSL vulnerabilities include Synology DiskStation Manager (DSM, versions 7.0, 6.2 and UC), SkyNAS, VS960HD, Synology Router Manager (SRM, version 1.2), VPN Plus Server, and VPN Server.
Who Is Synology?
Synology is a Taiwan-based company specializing in network-attached storage (NAS) appliances. DiskStation, FlashStation and RackStation are well-known names in its product range.
What Measures Have Been Taken?
The OpenSSL project investigated the flaws and on August 24 released OpenSSL 1.1.1l, which addresses both bugs, together with a security advisory describing them.
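Because the fix ships as a point release, the practical check on a Linux host or NAS is whether the installed OpenSSL 1.1.1 build predates 1.1.1l. The following shell script is an added example written for this article, not code from Synology or the OpenSSL project; it parses the first line printed by `openssl version` and reports whether the 1.1.1 series build still needs the patch. The version strings in the comments are constructed samples, and the script deliberately reports other release series as "not assessed" rather than guessing about them.

```shell
#!/bin/sh
# Added example (not Synology's or OpenSSL's code): report whether an
# OpenSSL 1.1.1 build predates 1.1.1l, the release that fixes
# CVE-2021-3711 and CVE-2021-3712.
#
# Argument: the first line printed by `openssl version`, for example
# the constructed sample "OpenSSL 1.1.1k  25 Mar 2021".
# Exit status: 0 = needs patch, 1 = fixed (1.1.1l or later),
#              2 = release series not assessed by this script.
openssl_1_1_1_needs_patch() {
    # Extract "1.1.1k" style version: digits/dots followed by optional letters.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.1.1*) ;;          # only the 1.1.1 series is handled here
        *) return 2 ;;
    esac
    suffix=${ver#1.1.1}     # the patch letter(s), empty for plain 1.1.1
    # 1.1.1 with no letter, or letters a through k, still carries the bugs;
    # l and anything later includes the August 24 fix.
    case "$suffix" in
        ''|[a-k]) return 0 ;;
        [l-z]*)   return 1 ;;
        *)        return 2 ;;
    esac
}

# Run the check against the OpenSSL binary found on this host.
check_local_openssl() {
    v=$(openssl version 2>/dev/null) || { echo "openssl binary not found"; return 2; }
    rc=0
    openssl_1_1_1_needs_patch "$v" || rc=$?
    case $rc in
        0) echo "NEEDS PATCH: $v (upgrade to OpenSSL 1.1.1l or later)" ;;
        1) echo "OK: $v" ;;
        *) echo "NOT ASSESSED: $v (only the 1.1.1 series is handled here)" ;;
    esac
    return $rc
}

# Usage: sh check_openssl.sh --local
if [ "${1-}" = "--local" ]; then
    check_local_openssl
    exit $?
fi
```

The exit code of `check_local_openssl` is meant for fleet scripts: a 0 means the host is still on an affected 1.1.1 build, so it can be fed into an inventory job over SSH across the appliances listed in the advisory. Note that a vendor may backport the fix without bumping the version letter, so for packaged builds the package changelog is the authoritative source; this script only reads the version string.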
According to BleepingComputer, Synology as a general rule patches affected software within 90 days, and the company is now working on fixes for these issues. Besides the two OpenSSL vulnerabilities, it is also addressing other bugs, not yet assigned CVEs, that affect DSM 7.0, DSM 6.2, DSM UC, SkyNAS, and VS960HD.
The DiskStation Manager (DSM) flaws were disclosed on August 17, and Synology has confirmed that they have not yet been exploited by attackers. Little information about these DSM flaws is available so far, but they reportedly allow a remote authenticated threat actor to execute arbitrary commands or write arbitrary files. Synology told the same publication that the DSM vulnerabilities are still under investigation, so it cannot provide further details for the moment, but it will do so and assign CVEs when possible.