#1 Mentat, April 8, 2014:
I have HTTPS activated for my login on the NAS. I've read this and I've tested my setup. It seems vulnerable to Heartbleed. I have DSM 4.3 3827. http://filippo.io/Heartbleed/

#2 mactron, April 8, 2014:
So maybe an admin should make our threads sticky: viewtopic.php?f=2&t=2833

#3 CtrlAltDel, April 8, 2014:
Maybe we could ask the admins to create a sticky "News, Updates and Security" thread which members can subscribe to if they want to stay informed. If posting in the thread is restricted to admin posts only, it would keep things tidy and important info would be easier to keep tabs on.

#4 anthonyuk, April 9, 2014:
Since the earlier vulnerabilities were detected I am only opening a port for VPN to access Xpenology. OpenVPN is more secure but of course more difficult to set up, and for some devices (iOS) you may require a paid app. Have you investigated whether this is a false positive?

#5 CtrlAltDel, April 9, 2014:
> Since the earlier vulnerabilities were detected I am only opening a port for VPN to access Xpenology. OpenVPN is more secure but of course more difficult to set up, and for some devices (iOS) you may require a paid app. Have you investigated whether this is a false positive?

Or a DSM-installable version of something like NeoRouter Pro/Free for VPN.

#6 mackevin11, April 9, 2014:
When I do ip.adr.ess.ss:port (replaced by my IP/port, of course) I got:

Uh-oh, something went wrong: tls: oversized record received with length 20291

And without the port number:

dial tcp ip.adr.ess.ss:443: i/o timeout

#7 mcdull, April 10, 2014:
I've just applied the DSM 5 update 2 which has this vulnerability fixed. No problem so far.
#8 Mentat (author), April 10, 2014:
But we have the latest 4.3... Is this working?

#!/bin/sh
# MAKE SURE YOU HAVE:
# Installed Bootstrap, which mounted the optware dir (i.e. "ln -s /volume1/@optware /opt ")
# and in the /root/.profile file, appended PATH with ":/opt/bin:/opt/sbin"
# Installed required packages: "ipkg update && ipkg install gcc && ipkg install make"
#
# THEN PERFORM:
##################
set -e
# Fetch and unpack the fixed OpenSSL release (1.0.1g).
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar zxvf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
# Configure for the local toolchain (installs under /usr/local by default).
./config
# Work around a missing header in the optware gcc 3.4.6 install.
touch /opt/lib/gcc/powerpc-linux-gnuspe/3.4.6/include/syslimits.h
# Build, then install.
make
make install
#9 dark alex, April 10, 2014:
Today my 5.0 DSM reported an update 2 - this fixed the vulnerability! It brings OpenSSL 1.0.1g.

#10 mcdull, April 10, 2014:
I checked: the version is 0.9.8v. This version is not even affected by the vulnerability. Is this how Synology 'fixes' the issue? Fall back to an old unaffected version?

#11 mcdull, April 10, 2014:
OK, my mistake: the openssl on PATH is the opt version. The system version is fixed under /usr/syno/bin/openssl.

#12 Panja, April 10, 2014:
For DSM 5.0 4458 there is an update "UPDATE 2" which fixes the bug. For 4.3 3827 there is no update (yet)... As far as I know, running with this version you are affected.

#13 dark alex, April 10, 2014:
Panja, just check! If it's 1.0.1 - 1.0.1f you are in fact affected. If it's 0.9.8 or 1.0.1g you are not.

#14 Panja, April 11, 2014:
> Panja, just check! If it's 1.0.1 - 1.0.1f you are in fact affected. If it's 0.9.8 or 1.0.1g you are not.

How can I check? The site http://filippo.io/Heartbleed/ says I'm affected...

#15 Mentat (author), April 11, 2014:
Is there any way to protect the Synology administration panel with an htaccess?

#16 Panja, April 11, 2014:
I just received an email from Synology about the Heartbleed bug. Not such good news though... end of April. See attached screenshot.
#17 Mentat (author), April 17, 2014:
I do not get it... I read that OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable to this attack. On my Synology, using SSH, I've run:

Synology2> openssl
OpenSSL> version
OpenSSL 0.9.8v 19 Apr 2012

It should not be vulnerable!
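The check posts #11 and #13 describe, as an added example (not from anyone in this thread): it queries each openssl binary separately, so the optware copy on PATH is not mistaken for DSM's own, and flags any version string in the 1.0.1 to 1.0.1f range. The /usr/syno/bin/openssl path comes from post #11; /opt/bin/openssl is an assumption about where optware installs its copy.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports each openssl binary on the
# box and whether its version falls in the Heartbleed-affected range
# 1.0.1 through 1.0.1f (CVE-2014-0160). Assumed paths: DSM's own binary at
# /usr/syno/bin/openssl (post #11), optware's at /opt/bin/openssl.

# Return 0 (true) when the version string is 1.0.1 or 1.0.1a through 1.0.1f.
heartbleed_affected_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the bare version ("1.0.1e") from "OpenSSL 1.0.1e 11 Feb 2013".
openssl_version_of() {
    "$1" version 2>/dev/null | awk '{print $2}'
}

# Check every candidate binary that exists; one line per binary.
# Returns 1 if any binary is in the affected range, 0 otherwise.
check_openssl_binaries() {
    rc=0
    for bin in /usr/syno/bin/openssl /opt/bin/openssl "$(command -v openssl 2>/dev/null)"; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        ver=$(openssl_version_of "$bin")
        if heartbleed_affected_version "$ver"; then
            echo "AFFECTED      $bin ($ver)"
            rc=1
        else
            echo "not affected  $bin ($ver)"
        fi
    done
    return $rc
}

# Run the check; the if-form keeps a non-zero result from aborting under set -e.
if check_openssl_binaries; then
    echo "no openssl binary in the 1.0.1-1.0.1f range found"
fi
```

A clean version string is only a first pass: the web server may link a different libssl than the binary reports, and some distributions patch the bug without bumping the version, so the external test from post #1 is still worth re-running after an update.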
#18 CtrlAltDel, April 21, 2014:
Hi, just in case anyone isn't aware, there is now an update 2 available for DSM 4.3-3827.

#19 Mentat (author), April 21, 2014:
Where is that? My DSM wants to upgrade to 5.0!

#20 Mentat (author), April 21, 2014:
OK, I found it: https://www.synology.com/en-global/rele ... /RS3413xs+

Compatibility and Installation
DSM 4.3-3827 Update 2 can only be installed on Synology products running DSM 4.3-3827 via DSM Update. Please log in to DSM, go to Control Panel > DSM Update, click Update Settings and select Important Updates Only to see and install the update.

Change Log
- Fixed a critical security issue of OpenSSL (Heartbleed) to prevent secret keys from being compromised. (CVE-2014-0160)
- Fixed an issue causing the homes shared folder to become inaccessible after being moved to another volume.
- Fixed an issue allowing the basic information of Synology NAS devices to be obtained outside of the local network without authentication.
- Fixed password recovery e-mail to include the correct port number even when launched in Application Portal with customized ports.

#21 Panja, April 22, 2014:
> Hi, just in case anyone isn't aware, there is now an update 2 available for DSM 4.3-3827.

Thanks! Just upgraded.

#22 pameijer, April 22, 2014:
I am running DSM 4.2-3211 on my HP N54L. Is there a way to update this to a safe version (apart from upgrading to 4.3 or 5.0; this installation works like a charm)?

#23 CtrlAltDel, April 22, 2014:
I'm not aware of the situation for the version you're currently running. If your system is accessible over the public network I think you should seriously consider updating, as your system is vulnerable. You will need Trantor's latest Beta build 4.3-3827; after that you can use the updater to apply the latest minor patches. Alternatively you can go to DSM 5.x using the gnoboot method. If you're not exposed to outside threats and you're happy with the way things are working for you, then I guess there is no need to update. Having said that, both options offer some improvements over the version you have now. The updates aren't particularly troublesome; obviously it's best to have a backup before you proceed.

#24 shootfast, April 25, 2014:
Hi, I am running Beta7 (4.3-3827) on my N54L right now and was wondering how I upgrade to update 2. I've used the built-in updater and it fails to update. How did you guys upgrade to update 2?