Published on: 29 May 2017
A vulnerability has been found in Synology DiskStation Manager (DSM) for NAS servers; it is the Samba vulnerability CVE-2017-7494 referenced below. A remote authenticated attacker with write access to a shared folder could exploit it by uploading a malicious shared library to that folder and then causing the server to load and execute it.
All Synology models with
A successful attack could lead to arbitrary code execution and compromise of a vulnerable system.
Synology has released DSM 6.1.1-4 and DSM 6.0.3-1 to address the issue. Users are advised to check whether their Synology NAS is affected by opening DSM "Control Panel", choosing "Info Center" and selecting the "General" tab, which shows the model and the DSM version currently installed.
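As an added example (not part of this advisory and not Synology's own code), the following POSIX shell script turns the manual "Info Center" check above into a scripted one: it compares a DSM version string against the fixed releases named here (6.1.1-4 for the 6.1 branch, 6.0.3-1 for the 6.0 branch) and reports patched, vulnerable or unknown. Version strings are assumed to have the form MAJOR.MINOR.PATCH-FIX; the helper that reads a version out of the DSM file /etc.defaults/VERSION assumes that file's productversion=/smallfixnumber= layout, which the advisory does not state, and the sample file content is constructed.

```shell
#!/bin/sh
# Added example, not Synology's code: scripted version of the advisory's
# "Info Center > General" check. Version strings are assumed to look like
# MAJOR.MINOR.PATCH-FIX, e.g. "6.1.1-4".

# dsm_version_ge A B: succeed (0) if version A >= version B, comparing each
# dot/dash-separated field numerically; missing fields count as 0.
dsm_version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# dsm_status VERSION: print "patched", "vulnerable" or "unknown" against the
# fixed releases named in the advisory, returning 0, 1 or 2 respectively.
dsm_status() {
  case "$1" in
    6.1.*) fixed="6.1.1-4" ;;
    6.0.*) fixed="6.0.3-1" ;;
    *) echo unknown; return 2 ;;   # branch not covered by the advisory text
  esac
  if dsm_version_ge "$1" "$fixed"; then
    echo patched; return 0
  else
    echo vulnerable; return 1
  fi
}

# dsm_version_from_file_text TEXT: build "PRODUCTVERSION-SMALLFIX" from the
# key="value" lines of DSM's /etc.defaults/VERSION. That this file carries
# productversion= and smallfixnumber= is an assumption about DSM, not
# something the advisory states.
dsm_version_from_file_text() {
  pv=$(printf '%s\n' "$1" | sed -n 's/^productversion="\([^"]*\)".*/\1/p')
  fix=$(printf '%s\n' "$1" | sed -n 's/^smallfixnumber="\([^"]*\)".*/\1/p')
  printf '%s-%s\n' "$pv" "${fix:-0}"
}

# Constructed sample of a VERSION file from a 6.1.1 box one fix behind the patch.
SAMPLE_VERSION_FILE='majorversion="6"
minorversion="1"
productversion="6.1.1"
buildnumber="15101"
smallfixnumber="3"'

# Stand-alone run: check the constructed sample, then the live file if present.
v=$(dsm_version_from_file_text "$SAMPLE_VERSION_FILE")
printf 'sample DSM %s: %s\n' "$v" "$(dsm_status "$v")"
if [ -r /etc.defaults/VERSION ]; then
  v=$(dsm_version_from_file_text "$(cat /etc.defaults/VERSION)")
  printf 'this host DSM %s: %s\n' "$v" "$(dsm_status "$v")"
fi
```

Run it on the NAS itself (DSM has a Busybox/POSIX shell) or feed it a version string copied from Info Center. Branches other than 6.1 and 6.0 are reported as unknown rather than patched, because the advisory text names fixed releases only for those two. Until the update is applied, the Samba advisory linked below lists setting `nt pipe support = no` in smb.conf as a workaround that prevents the malicious library from being loaded, at the cost of some Windows client functionality.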
The corresponding DSM updates can be obtained from "Update & Restore" in the Control Panel, or downloaded from the following URLs:
https://www.synology.com/en-global/support/download
https://www.synology.com/en-global/support/security/Important_Information_Regarding_Samba_Vulnerability_CVE_2017_7494
https://www.hkcert.org/my_url/en/alert/17052501
https://www.us-cert.gov/ncas/current-activity/2017/05/24/Samba-Releases-Security-Updates
https://www.samba.org/samba/security/CVE-2017-7494.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7494