Important Information about NTP Vulnerabilities (CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, and CVE-2016-4956)

Description

Multiple security vulnerabilities regarding the NTP module were announced on June 2, 2016 (CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, and CVE-2016-4956).

Results of the initial investigation showed that the flaw of NTP could cause ntpd to crash and can be used to amplify distributed denial-of-service (DDoS) attacks. Even though the impact caused by these vulnerabilities on Synology NAS is limited, Synology is now working on DSM 6.0 updates to address these vulnerabilities for precautionary purposes.

A Synology NAS that is not synchronized with an NTP server or that has NTP service disabled will not be affected.

Mitigation

Before the update is released, the concerned users may refer to the following steps to mitigate the impact of this vulnerability:

1. Go to Control Panel > Regional Option > Time.
2. Under Time Setting, select “Manually” rather than “Synchronize with NTP server”.
3. Switch to the NTP Service tab and make sure that the “Enable NTP Service” option is NOT ticked.

Update availability

Synology is working on the update addressing these vulnerabilities and will release the patch for DSM 6.0 shortly.

Reference

• http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi
• https://lists.archlinux.org/pipermail/arch-security/2016-June/000639.html
• https://www.freebsd.org/security/advisories/FreeBSD-SA-16:24.ntp.asc