Important Information about the Auto Block function in DSM

Publish Time: 2017-02-24 00:00:00 UTC+8

Last Updated: 2017-02-24 12:00:00 UTC+8

Severity: Important

Status: Resolved

Abstract

A vulnerability was reported on the Auto Block function in DSM that allowed remote attackers to bypass the current IP blocking mechanism via a crafted X-Forwarded-For (XFF) header.
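To illustrate the class of flaw described above, the following added example (not Synology's code, and not DSM's actual Auto Block implementation) contrasts a naive client-IP lookup that trusts the first X-Forwarded-For entry with a hardened lookup that only honours XFF hops inserted by a configured set of trusted proxies. The blocklist entry, the trusted proxy range and the sample requests are constructed values.

```python
import ipaddress

# Constructed sample data: one blocked client, one trusted reverse-proxy range.
BLOCKED = {ipaddress.ip_address("203.0.113.7")}
TRUSTED_PROXIES = {ipaddress.ip_network("10.0.0.0/8")}


def client_ip_naive(remote_addr, xff):
    """Weak pattern: the first XFF entry is believed unconditionally, so the
    TCP peer can choose the address the blocklist is checked against."""
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip_hardened(remote_addr, xff, trusted_proxies=TRUSTED_PROXIES):
    """Return the real client address, or None if the chain is unparseable.

    XFF is only consulted when the TCP peer is itself a trusted proxy. The
    chain is walked from the right (the hop nearest to us), skipping only
    trusted proxies; the first untrusted hop is the client. Anything a client
    prepended to the header is therefore never reached.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_proxies):
        return peer  # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in xff.split(",")] if xff else []
    while hops:
        try:
            candidate = ipaddress.ip_address(hops.pop())
        except ValueError:
            return None  # malformed hop: fail closed rather than guess
        if not any(candidate in net for net in trusted_proxies):
            return candidate
    return peer  # every hop was a trusted proxy


def is_blocked_naive(remote_addr, xff):
    return client_ip_naive(remote_addr, xff) in BLOCKED


def is_blocked_hardened(remote_addr, xff):
    """Fail closed: a request whose client cannot be determined is blocked."""
    ip = client_ip_hardened(remote_addr, xff)
    return ip is None or ip in BLOCKED
```

The same rule applies when DSM sits behind a reverse proxy: the proxy must be the only party whose XFF entries are trusted, and a direct connection should be judged by its TCP peer address alone.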

Affected

  • Product
    • DSM 6.1
  • Models
    • All Synology models


Mitigation

Synology will provide an update to resolve this issue. Until it is available, we strongly suggest applying the following measures for enhanced security:

  1. Disable the admin account.
  2. Use a more complex password. Recommended password requirements:
    • The password length must be at least 8 characters.
    • The password must not contain character sequences that also appear in the username or account description.
    • The password must contain both uppercase and lowercase characters.
    • The password must contain at least one numeric character and one special character.
  3. Enable 2-step verification (available at Options > Personal).
  4. Set up firewall rules to allow only identifiable IP addresses to access services running on your Synology NAS.


Update Availability

The update for DSM 6.1 is available for download at the following link.

DSM 6.1-15047 Update 1: https://usdl.synology.com/download/DSM/criticalupdate/update_pack/15047-1/