<![CDATA[ Abstract
These vulnerabilities allow local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), and VisualStation running on an Intel or Arm CPU, even if in Virtual Machine Manager.
Synology rates the overall severity as Moderate because these vulnerabilities can only be exploited via local malicious programs. To secure customers' products against the attacks, we recommend you only install trusted packages.
Regarding Spectre & Meltdown Checker, Synology implements array_index_mask_nospec, minimal ASM retpoline, Kernel Page Table Isolation (KPTI) into affected models [1], and additional Indirect Branch Prediction Barrier (IBPB) into specific models [2] to mitigate the vulnerabilities for DSM.
Our customers can mitigate the vulnerabilities in both DSM and SRM by upgrading to 6.2.2-24922 and 1.1.7-6941-1, respectively.
Affected Products
| Product | Severity | Fixed Release Availability |
|---------|----------|-------------|
| DSM 6.2 | Moderate | Upgrade to 6.2.2-24922 or above. |
| DSM 6.1 [3] | Moderate | Upgrade to 6.2.2-24922 or above. |
| DSM 6.0 [4] | Moderate | Upgrade to 6.2.2-24922 or above. |
| DSM 5.2 [5] | Moderate | Upgrade to 6.2.2-24922 or above. |
| SkyNAS | Moderate | Pending |
| SRM 1.1 [6] | Moderate | Upgrade to 1.1.7-6941-1 or above. [7] |
| VS960HD | Moderate | Pending |
| VS360HD | Moderate | Pending |
| Virtual Machine Manager | Moderate | Upgrade to 6.2-23739 or above |
[1] DS415+, RS815RP+, RS815+, DS1515+, DS1815+, DS1517+, DS1817+, DS2415+, RS2416RP+, RS2416+, RS818RP+, RS818+, RS1219+, DS216+, DS216+II, DS716+, DS716+II, DS416play, DS916+, DS418play, DS218+, DS718+, DS918+, DS1019+, DS1618+, DS1819+,DS2419+, RS2418RP+, RS2418+, RS2818RP+, DS3611xs, DS3612xs, RS3411RPxs, RS3411xs, RS3412RPxs, RS3412xs, RS3413xs+, RS10613xs+, RS3614xs+, RC18015xs+, RS18016xs+, RS3617xs, RS3614RPxs, RS3614xs, RS3617RPxs, RS3617xs+, DS3617xs, DS3018xs, RS4017xs+, RS18017xs+, RS3618xs, RS1619xs+, FS1018, FS2017, FS3017, Virtual DSM
[2] DS218+, DS418play, DS718+, DS918+, DS1019+, DS1618+, DS1819+, DS2419+, RS2418(rp)+, RS2818rp+, DS3018xs, FS1018, RS1619xs+
[3] DS918+, DS418play, DS718+, DS218+, FS1018, DS3018xs, FS3017, RS3617xs, DS1817+, DS1517+, RS2416RP+, RS2416+, RS18016xs+, DS916+, DS416play, DS716+II, DS716+, DS216+II, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS3413xs+, RS10613xs+, DS3612xs, RS3412xs, RS3412RPxs, DS3611xs, RS3411xs, RS3411RPxs, DS218j, DS1517, DS1817, DS116, DS416slim, RS217, RS816, DS115, DS215j, DS216, DS216j, DS416j, DS414j, DS216play, DS215+, DS416, DS1515, DS2015xs, DS715, NVR216, NVR1218, FS2017, RS4017xs+, RS3617xs+, RS3617RPxs, RS18017xs+, DS3617xs, RS818+, RS818rp+, DS1618+, RS2418+, RS2418rp+, RS3618xs, Virtual DSM
[4] FS3017, RS3617xs, RS2416RP+, RS2416+, RS18016xs+, DS916+, DS416play, DS716+II, DS716+, DS216+II, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS3413xs+, RS10613xs+, DS3612xs, RS3412xs, RS3412RPxs, DS3611xs, RS3411xs, RS3411RPxs, DS116, DS416slim, RS217, RS816, DS115, DS215j, DS216, DS216j, DS416j, DS414j, DS216play, DS215+, DS416, DS1515, DS2015xs, DS715, NVR216, RS4017xs+, RS3617xs+, RS3617RPxs, RS18017xs+, DS3617xs
[5] RS2416RP+, RS2416+, RS18016xs+, DS716+, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS3413xs+, RS10613xs+, DS3612xs, RS3412xs, RS3412RPxs, DS3611xs, RS3411xs, RS3411RPxs, DS115, DS215j, DS216, DS216j, DS416j, DS414j, DS216play, DS215+, DS416, DS1515, DS2015xs, DS715, NVR216
[6] RT1900ac, RT2600ac
[7] RT2600ac
Mitigation
None
Detail
CVE-2017-5715
Severity: Moderate
CVSS3 Base Score: 5.3
CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
CVE-2017-5753
Severity: Moderate
CVSS3 Base Score: 5.3
CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
CVE-2017-5754
Severity: Moderate
CVSS3 Base Score: 5.3
CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
INTEL-SA-00088
INTEL-OSS-10002
INTEL-OSS-10003
Project Zero: Reading privileged memory with a side-channel
Revision History
| Revision | Date | Description |
|----------|------------|-------------------------|
| 1 | 2018-01-04 | Initial public release.|
| 2 | 2018-01-04 | Updated affected models of ARM-series DiskStation in Affected Products.|
| 3 | 2018-01-04 | - Updated Abstract. - Added SRM 1.1 to Affected Products. - Added VisualStation to Affected Products. - Updated affected models of Virtual DSM in Affected Products.|
| 4 | 2018-01-05 | Updated affected models of Intel Broadwell-DE series in Affected Products.|
| 5 | 2018-01-05 | Updated Abstract. |
| 6 | 2018-01-08 | Updated Detail and Reference. |
| 7 | 2018-01-09 | Updated Affected Products and Detail. |
| 8 | 2018-01-09 | Updated Abstract and Mitigation. |
| 9 | 2018-10-16 | Updated Abstract and Affected Products.|
| 10 | 2019-03-28 | Updated Abstract and Affected Products upon 6.2.2.|
|11 |2020-02-21| Update for Virtual Machine Manager is now available in Affected Products.|
]]>