Synology has today confirmed some known security issues in its DiskStation Manager (DSM) software and issued updates to address them. We are told that engineers at the Milton Keynes-based Network Attached Storage (NAS) specialist firm have worked through several nights to fix these vulnerabilities.
Different updates have been supplied depending upon your DiskStation or RackStation, as listed below:
- For DiskStations or RackStations running on DSM 4.3, please follow the instruction here to REINSTALL DSM 4.3-3827.
- For DiskStations or RackStations running on DSM 4.0, it's recommended to REINSTALL DSM 4.0-2259 or onward from Synology Download Center.
- For DiskStations or RackStations running on DSM 4.1 or DSM 4.2, it's recommended to REINSTALL DSM 4.2-3243 or onward from Synology Download Center.
There are a number of symptoms DSM users should be aware of which will give them an indication that their DiskStation or RackStation has been compromised by malware. I shall quote the possible symptoms directly from the email Synology sent to HEXUS:
- Exceptionally high CPU usage detected in Resource Monitor: CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names
- Appearance of non-Synology folder: An automatically created shared folder with the name "startup", or a non-Synology folder appearing under the path of "/root/PWNED"
- Redirection of the Web Station: "Index.php" is redirected to an unexpected page
- Appearance of non-Synology CGI program: Files with meaningless names exist under the path of "/usr/syno/synoman"
- Appearance of non-Synology script file: Non-Synology script files, such as "S99p.sh", appear under the path of "/usr/syno/etc/rc.d"
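The process and file symptoms quoted above can be checked from a shell on the NAS. The following is an added example, not a Synology or HEXUS tool; the function name, the root argument and the output format are assumptions, as is the `/volumeN` location of shared folders. It does not cover the Web Station redirect or the unnamed CGI files under "/usr/syno/synoman", which need comparing against a clean install.

```shell
#!/bin/sh
# Added example: triage check for the compromise symptoms quoted from Synology.
# The root argument is an assumption of this sketch: "/" for a live NAS, or the
# mount point of a copied filesystem. One finding per line; no output = no match.

scan_dsm() {
    root=${1:-/}
    root=${root%/}

    # Symptom: processes named dhcp.pid, minerd, synodns, or containing PWNED.
    # /proc/<pid>/cmdline is NUL-separated; the first field is the program path.
    for f in "$root"/proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        arg0=$(tr '\0' '\n' < "$f" | head -n 1)
        case "${arg0##*/}" in
            dhcp.pid|minerd|synodns|*PWNED*)
                pid=${f%/cmdline}
                echo "process: $arg0 (pid ${pid##*/})" ;;
        esac
    done

    # Symptom: folder under /root/PWNED.
    if [ -e "$root/root/PWNED" ]; then
        echo "path: /root/PWNED"
    fi

    # Symptom: automatically created shared folder named "startup"
    # (assumes shared folders sit directly under /volumeN).
    for d in "$root"/volume*/startup; do
        if [ -d "$d" ]; then
            echo "path: ${d#"$root"}"
        fi
    done

    # Symptom: the script named in the advisory under the rc.d directory.
    if [ -e "$root/usr/syno/etc/rc.d/S99p.sh" ]; then
        echo "path: /usr/syno/etc/rc.d/S99p.sh"
    fi
    return 0
}
```

Run `scan_dsm /` on the device itself, or pass the mount point of a disk image. A clean result only means these named indicators are absent.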
Even if you have experienced no attack symptoms, it is still recommended that you update your DSM software to the versions detailed above via the DSM control panel update page.
Synology says that it takes these vulnerabilities extremely seriously as part of its mission of "providing the most reliable solutions for users". The company points out that it took immediate actions to address the CVE-2013-6955 and CVE-2013-6987 security issues and spends considerable time and resources on preventing such problems.
DiskStation or RackStation users who have undertaken the suggested updates but still observe any suspicious activity are asked to email firstname.lastname@example.org with further information.