Important Information Regarding PHPMailer Vulnerability (CVE-2017-5223)

Publish Time: 2017-01-18 00:00:00 UTC+8

Last Updated: 2017-01-18 12:00:00 UTC+8

Severity
Important
Status
Resolved

Description

PHPMailer (for DSM) is reported to have a local file disclosure vulnerability (CVE-2017-5223). This vulnerability causes malformed mails to be sent to attackers, allowing them to download arbitrary files on DSM.

Synology is now working on the upcoming DSM 6.0 and DSM 6.1 updates to address this issue.


Resolution

To fix the security issue, please go to DSM > Package Center and update the following package to the latest version for optimal protection:

  • Photo Station 6.6.3-3347


Update Availability

Synology will release a DSM 6.0 update (6.0.2-8451-9, 6.0.2-8575-03 for FS3017) and SRM 1.1.3-6447 Update 1 to address this issue in the coming week.


References

http://www.freebuf.com/vuls/124820.html
https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md