Synology-SA-17:29 DSM
Publish Time: 2017-07-14 00:00:00 UTC+8
Last Updated: 2017-09-19 13:41:29 UTC+8
- Severity: Moderate
- Status: Resolved
Abstract
CVE-2017-9553 may allow a user's account name and password to be stolen over an insecure network.
CVE-2017-9554 can allow remote attackers to obtain user information via a brute-force attack.
Severity
- CVE-2017-9553
  - Impact: Moderate
  - CVSS3 Base Score: 5.9
  - CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVE-2017-9554
  - Impact: Moderate
  - CVSS3 Base Score: 4.3
  - CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected
- Products
  - DSM 6.1
  - DSM 6.0
  - DSM 5.2
- Models
  - All Synology models
Description
- CVE-2017-9553: A design flaw in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows man-in-the-middle attackers to bypass the encryption protection mechanism and obtain cleartext data via unspecified vectors.
- CVE-2017-9554: An information exposure vulnerability in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.
Mitigation
Enable Auto Block to protect DSM from brute-force attacks.
- Go to Control Panel > Security > Account and tick Enable auto block.
- Adjust the value of Login Attempts and Within (minutes) for your requirements.
- Press Apply to save the settings.
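The Auto Block setting described above blocks a source IP once it has produced a given number of failed logins inside a given number of minutes. The replay below is an added example, not DSM code or Synology's log format: the failed-login records are constructed, and the blocking rule (block at the moment the count of failures inside a sliding window reaches Login Attempts) is an assumed model of the setting. It shows why the control is useful against the enumeration in CVE-2017-9554: the counter is keyed on the source IP, so cycling through many different usernames does not reset it, while a legitimate user who mistypes a password a few times over an hour is never blocked.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-login records: (timestamp, source IP, username tried).
# The record layout is invented for this example and is not DSM's log format.
SAMPLE_EVENTS = [
    # One source sprays six different usernames in ten seconds.
    ("2017-07-14T10:00:01", "203.0.113.7", "admin"),
    ("2017-07-14T10:00:03", "203.0.113.7", "root"),
    ("2017-07-14T10:00:05", "203.0.113.7", "backup"),
    ("2017-07-14T10:00:07", "203.0.113.7", "guest"),
    ("2017-07-14T10:00:09", "203.0.113.7", "alice"),   # 5th failure in window
    ("2017-07-14T10:00:11", "203.0.113.7", "bob"),     # dropped: IP already blocked
    # A user who mistypes a password a few times.
    ("2017-07-14T10:05:00", "198.51.100.20", "alice"),
    ("2017-07-14T10:30:00", "198.51.100.20", "alice"),
    ("2017-07-14T10:31:00", "198.51.100.20", "alice"),
    ("2017-07-14T10:32:00", "198.51.100.20", "alice"),
    ("2017-07-14T10:33:00", "198.51.100.20", "alice"),
    # Slow attempts three minutes apart: the oldest one expires from a 10-minute window.
    ("2017-07-14T10:00:00", "192.0.2.9", "admin"),
    ("2017-07-14T10:03:00", "192.0.2.9", "admin"),
    ("2017-07-14T10:06:00", "192.0.2.9", "admin"),
    ("2017-07-14T10:09:00", "192.0.2.9", "admin"),
    ("2017-07-14T10:12:00", "192.0.2.9", "admin"),
]


def autoblock(events, login_attempts=5, within_minutes=10):
    """Replay failed-login events in time order and return {ip: iso_time_blocked}.

    Assumed semantics (a model of the Auto Block setting, not DSM's implementation):
    an IP is blocked when its failures inside a sliding window of `within_minutes`
    reach `login_attempts`. Counting is per source IP, regardless of username.
    """
    window = timedelta(minutes=within_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = {}
    for stamp, ip, _user in sorted(events):  # ISO-8601 strings sort chronologically
        if ip in blocked:
            continue  # later attempts from a blocked IP never reach the login handler
        t = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= login_attempts:
            blocked[ip] = t.isoformat()
    return blocked


if __name__ == "__main__":
    for attempts in (5, 4):
        print("Login Attempts=%d, Within=10 min ->" % attempts,
              autoblock(SAMPLE_EVENTS, attempts, 10))
```

Tightening Login Attempts from 5 to 4 in this sample also blocks the legitimate user and the slow attacker, which is the trade-off the "adjust the value ... for your requirements" step asks you to weigh: a lower threshold catches slower enumeration at the cost of more false positives from ordinary typos.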
Update Availability
To fix the security issue, please update DSM 6.1 to 6.1.3-15152 or above, update DSM 6.0 to 6.0.3-8754-4 or above and update DSM 5.2 to 5.2-5967-04 or above.