There are security gaps in Synology's routers that allow attackers to inject script code. The manufacturer is providing an update that should close the gaps. However, it is being distributed as a “staged rollout”, which is why Synology administrators should start the update process themselves without delay.
On Tuesday this week, Synology released router operating system version SRM 1.3.1-9346 Update 9. In addition to fixing some general problems, such as the inability to establish connections using IPv6 over PPPoE in Romania or with ISPs that require longer response times, the update also seals several security holes.
Synology Router Manager: “Important” security vulnerabilities
The manufacturer has not yet provided any further details about the vulnerabilities. However, Synology's security notice summarizes that SRM was affected by several vulnerabilities. “Multiple vulnerabilities allow remote or logged-in attackers to inject arbitrary web scripts or HTML, malicious logged-in actors to bypass security restrictions, and authenticated malicious users to read specific files using a vulnerable version of SRM software,” the notice states.
Neither the severity level nor CVE numbers for the individual vulnerabilities are available. However, the manufacturer rates the overall severity as “important”. “This update will be rolled out in selected regions in the coming weeks,” Synology's developers explain. “The release timing may vary slightly in each region.” Anyone who uses a Synology router should therefore initiate the update manually, for example via the administration interface.
At the end of November last year, Synology closed security gaps in the router operating system that became known during the Pwn2Own competition.
(dmk)