Synology-SA-18:01 Meltdown and Spectre Attacks

Publish Time: 2018-01-04 13:36:12 UTC+8

Last Updated: 2020-02-21 21:16:20 UTC+8

Severity
Moderate
Status
Resolved

Abstract

These vulnerabilities allow local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), and VisualStation running on an Intel or Arm CPU, even if in Virtual Machine Manager.

Synology rates the overall severity as Moderate because these vulnerabilities can only be exploited via local malicious programs. To secure customers' products against the attacks, we recommend you only install trusted packages.

Regarding Spectre & Meltdown Checker, Synology implements array_index_mask_nospec, minimal ASM retpoline, Kernel Page Table Isolation (KPTI) into affected models [1], and additional Indirect Branch Prediction Barrier (IBPB) into specific models [2] to mitigate the vulnerabilities for DSM.

Our customers can mitigate the vulnerabilities in both DSM and SRM by upgrading to 6.2.2-24922 and 1.1.7-6941-1, respectively.

Affected Products

Product Severity Fixed Release Availability
DSM 6.2 Moderate Upgrade to 6.2.2-24922 or above.
DSM 6.1 [3] Moderate Upgrade to 6.2.2-24922 or above.
DSM 6.0 [4] Moderate Upgrade to 6.2.2-24922 or above.
DSM 5.2 [5] Moderate Upgrade to 6.2.2-24922 or above.
SkyNAS Moderate Pending
SRM 1.1 [6] Moderate Upgrade to 1.1.7-6941-1 or above. [7]
VS960HD Moderate Pending
VS360HD Moderate Pending
Virtual Machine Manager Moderate Upgrade to 6.2-23739 or above

[1] DS415+, RS815RP+, RS815+, DS1515+, DS1815+, DS1517+, DS1817+, DS2415+, RS2416RP+, RS2416+, RS818RP+, RS818+, RS1219+, DS216+, DS216+II, DS716+, DS716+II, DS416play, DS916+, DS418play, DS218+, DS718+, DS918+, DS1019+, DS1618+, DS1819+,DS2419+, RS2418RP+, RS2418+, RS2818RP+, DS3611xs, DS3612xs, RS3411RPxs, RS3411xs, RS3412RPxs, RS3412xs, RS3413xs+, RS10613xs+, RS3614xs+, RC18015xs+, RS18016xs+, RS3617xs, RS3614RPxs, RS3614xs, RS3617RPxs, RS3617xs+, DS3617xs, DS3018xs, RS4017xs+, RS18017xs+, RS3618xs, RS1619xs+, FS1018, FS2017, FS3017, Virtual DSM

[2] DS218+, DS418play, DS718+, DS918+, DS1019+, DS1618+, DS1819+, DS2419+, RS2418(rp)+, RS2818rp+, DS3018xs, FS1018, RS1619xs+

[3] DS918+, DS418play, DS718+, DS218+, FS1018, DS3018xs, FS3017, RS3617xs, DS1817+, DS1517+, RS2416RP+, RS2416+, RS18016xs+, DS916+, DS416play, DS716+II, DS716+, DS216+II, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS3413xs+, RS10613xs+, DS3612xs, RS3412xs, RS3412RPxs, DS3611xs, RS3411xs, RS3411RPxs, DS218j, DS1517, DS1817, DS116, DS416slim, RS217, RS816, DS115, DS215j, DS216, DS216j, DS416j, DS414j, DS216play, DS215+, DS416, DS1515, DS2015xs, DS715, NVR216, NVR1218, FS2017, RS4017xs+, RS3617xs+, RS3617RPxs, RS18017xs+, DS3617xs, RS818+, RS818rp+, DS1618+, RS2418+, RS2418rp+, RS3618xs, Virtual DSM

[4] FS3017, RS3617xs, RS2416RP+, RS2416+, RS18016xs+, DS916+, DS416play, DS716+II, DS716+, DS216+II, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS3413xs+, RS10613xs+, DS3612xs, RS3412xs, RS3412RPxs, DS3611xs, RS3411xs, RS3411RPxs, DS116, DS416slim, RS217, RS816, DS115, DS215j, DS216, DS216j, DS416j, DS414j, DS216play, DS215+, DS416, DS1515, DS2015xs, DS715, NVR216, RS4017xs+, RS3617xs+, RS3617RPxs, RS18017xs+, DS3617xs

[5] RS2416RP+, RS2416+, RS18016xs+, DS716+, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS3413xs+, RS10613xs+, DS3612xs, RS3412xs, RS3412RPxs, DS3611xs, RS3411xs, RS3411RPxs, DS115, DS215j, DS216, DS216j, DS416j, DS414j, DS216play, DS215+, DS416, DS1515, DS2015xs, DS715, NVR216

[6] RT1900ac, RT2600ac

[7] RT2600ac

Mitigation

None

Detail

  • CVE-2017-5715

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
    • Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • CVE-2017-5753

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
    • Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • CVE-2017-5754

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
    • Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

Reference

Revision History

Revision Date Description
1 2018-01-04 Initial public release.
2 2018-01-04 Updated affected models of ARM-series DiskStation in Affected Products.
3 2018-01-04 - Updated Abstract.
- Added SRM 1.1 to Affected Products.
- Added VisualStation to Affected Products.
- Updated affected models of Virtual DSM in Affected Products.
4 2018-01-05 Updated affected models of Intel Broadwell-DE series in Affected Products.
5 2018-01-05 Updated Abstract.
6 2018-01-08 Updated Detail and Reference.
7 2018-01-09 Updated Affected Products and Detail.
8 2018-01-09 Updated Abstract and Mitigation.
9 2018-10-16 Updated Abstract and Affected Products.
10 2019-03-28 Updated Abstract and Affected Products upon 6.2.2.
11 2020-02-21 Update for Virtual Machine Manager is now available in Affected Products.