Synology published security advisory Synology-SA-18:01 for Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerabilities on January 4 and continues to work with our processor suppliers to incorporate fixes. Since the only way for these vulnerabilities to be exploited is through local malicious programs, Synology has rated the severity level to ‘Moderate'.
Meltdown and Spectre vulnerabilities have affected mainstream processing infrastructures on the market, including most PCs, mobile devices, as well as servers. Under the premise that malicious code can be executed locally, potential attackers stand a chance to bypass security measures to access privileged memory and steal sensitive data. However, since the vulnerabilities were discovered by security researchers, there is no clear indication of any exploitation so far. As of today, Synology has not received any reports of the product being attacked.
Synology suggests the following to protect your system against potential attacks:
- Install and execute only trusted applications on your systems
-Ensure all DiskStation Manager / Synology Router Manager accounts are known and trusted
Synology continues to develop mitigations for these issues and will release them in the upcoming updates. Please follow Synology Security Advisory page Synology-SA-18:01 for the latest updates.
The vulnerabilities allow local users to conduct privilege escalation attacks or obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) or VisualStation that are equipped with Intel or ARM CPU.
Synology rates the overall severity as Moderate because these vulnerabilities can only be exploited via local malicious programs. To secure DSM / SRM / VisualStation against the attacks, we suggest our customers only install trusted packages.
Synology will release a software update to address CVE-2017-5715 for models that use Intel processors and continue to investigate the impact of the other two vulnerabilities.
See affected products and severity level at the Synology-SA-18:01 Security Advisory page.