Synology-SA-17:27 Nginx

Publish Time: 2017-07-13 00:00:00 UTC+8

Last Updated: 2017-09-19 13:44:41 UTC+8

Severity: Moderate
Status: Resolved

Abstract

CVE-2017-7529 can allow remote attackers to leak sensitive information from the vulnerable server.

Affected

  • Products
    • DSM 6.1
    • DSM 6.0
  • Models
    • All Synology models

Description

A specially crafted request might result in an integer overflow and incorrect processing of ranges, potentially resulting in sensitive information leak.

Mitigation

  1. Go to Control Panel > Applications > Terminal & SNMP and tick Enable SSH service
  2. Log in to DSM via SSH as "admin" and execute the following command:
    sudo /bin/echo "max_ranges 1;" >> /usr/local/etc/nginx/conf.d/main.conf && sudo reload nginx
  3. Remember to remove the mitigation with the following command after upgrading DSM:
    sudo /usr/bin/sed -i '/max_ranges 1;/d' /usr/local/etc/nginx/conf.d/main.conf
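The mitigation above limits each request to a single byte range. As an added illustration (example code, not Synology's or nginx's own), the validator below models how a range filter should treat a Range header: it enforces a `max_ranges` limit like the one the directive sets, clamps suffix ranges to the resource size, and rejects any set of ranges whose total exceeds the content length, which is the class of check that closes the integer-overflow described in this advisory. The 200/206/416 mapping is a simplification of real server behaviour.

```python
import re
from typing import List, Optional, Tuple

RangeList = List[Tuple[int, int]]  # half-open (start, end) byte offsets


def parse_ranges(header: str, content_length: int,
                 max_ranges: Optional[int] = None) -> Tuple[int, RangeList]:
    """Validate a Range header value against a resource of content_length bytes.

    Returns (status, ranges): 206 with the ranges to serve, 200 when the header
    is ignored and the whole body should be sent, or 416 (Range Not Satisfiable).
    max_ranges=None means unlimited; the advisory's mitigation sets it to 1.
    """
    m = re.fullmatch(r"bytes=(.+)", header.strip())
    if not m:
        return 416, []
    specs = [s.strip() for s in m.group(1).split(",")]
    if max_ranges is not None and len(specs) > max_ranges:
        # More ranges than allowed: ignore the header and serve the full resource.
        return 200, []
    ranges: RangeList = []
    total = 0
    for spec in specs:
        sm = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not sm or sm.group(0) == "-":
            return 416, []
        first, last = sm.group(1), sm.group(2)
        if first == "":
            # Suffix form "-N": clamp N to the resource size before subtracting,
            # so an oversized N cannot drive the start offset below zero.
            start = max(content_length - int(last), 0)
            end = content_length
        else:
            start = int(first)
            end = content_length if last == "" else min(int(last) + 1, content_length)
        if start >= end:
            continue  # selects nothing; does not count towards the total
        ranges.append((start, end))
        total += end - start
    # The combined size of all ranges must fit inside the resource. In a
    # fixed-width integer implementation this running sum is where an overflow
    # can occur, so bounding it by content_length is the essential guard.
    if not ranges or total > content_length:
        return 416, []
    return 206, ranges
```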

Update Availability

To fix the security issue, please update DSM 6.1 to 6.1.3-15152 or above and update DSM 6.0 to 6.0.3-8754-4 or above.
