Important Information Regarding NTP Vulnerability (CVE-2016-9310)

Publish Time: 2016-11-25 00:00:00 UTC+8

Last Updated: 2016-11-25 12:00:00 UTC+8

Severity: Low

Status: Resolved

Description

A security vulnerability in the NTP service (CVE-2016-9310) has been identified that allows an unauthenticated remote attacker to bypass legitimate monitoring and trigger DDoS (Distributed Denial of Service) attacks.

Although the impact of this vulnerability on Synology NAS is limited, Synology is now working on a DSM 6.0 update to address it as a precaution.

Summary

Synology's default configuration of the NTP service is not vulnerable to CVE-2016-9310.

Mitigation

Enable the firewall to allow NTP traffic for trusted devices only.

Update Availability

Synology will release a DSM 6.0 update (6.0.2-8451-5) to address this issue in the coming weeks.

References

http://support.ntp.org/bin/view/Main/NtpBug3118
http://bugs.ntp.org/show_bug.cgi?id=3118
https://www.kb.cert.org/vuls/id/633847
https://thehackernews.com/2016/11/ntp-server-vulnerability.html