DSM 4.0-2264

Publish Time: 2014-08-27 00:00:00 UTC+8

Last Updated: UTC+8

Status
Resolved

Description

This update for DSM 4.0-2264 addresses the following security vulnerabilities in OpenSSL and PHP 5.3:

  • multiple vulnerabilities that allow remote attackers to perform denial of service attacks that crash the application or consume CPU (OpenSSL: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3509, CVE-2014-3510, CVE-2014-3512, and CVE-2014-5139).
  • a vulnerability that allows context-dependent attackers to obtain sensitive information from process stack memory (OpenSSL: CVE-2014-3508).
  • a vulnerability that allows man-in-the-middle attackers to force a downgrade to TLS 1.0 even though both server and client support a higher TLS version (OpenSSL: CVE-2014-3511).
  • a vulnerability that allows remote attackers to exploit a weakness to perform a man-in-the-middle attack in certain OpenSSL-to-OpenSSL communications and obtain sensitive information (OpenSSL: CVE-2014-0224).
  • a vulnerability that allows remote attackers to execute arbitrary code or cause a denial of service via a long non-initial fragment (OpenSSL: CVE-2014-0195).
  • multiple vulnerabilities that allow remote attackers to perform various kinds of denial of service attacks (OpenSSL: CVE-2014-0221, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470).
  • a vulnerability that allows remote attackers to obtain ECDSA nonces, which could result in a side-channel attack (OpenSSL: CVE-2014-0076).
  • multiple vulnerabilities that allow remote attackers to cause denial of service through buffer over-read, application exit, infinite loop, or performance degradation (PHP 5.3: CVE-2013-6712, CVE-2014-0207, CVE-2014-0238, CVE-2014-0237, and CVE-2014-4049).
  • a vulnerability that allows local users to overwrite arbitrary files via a symlink attack (PHP 5.3: CVE-2014-3981).
  • a vulnerability that allows remote attackers to execute arbitrary code via a crafted string (PHP 5.3: CVE-2014-3515).

Resolution

To fix the security issues, please go to DSM > Control Panel > DSM Update page and install the latest updates to protect your Synology NAS from malicious attacks.