fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Synology: Multiple Products Impacted By OpenSSL RCE Vulnerability

Synology: Multiple Products Impacted By OpenSSL RCE Vulnerability

Taiwan-based NAS maker Synology has revealed that recently disclosed remote code execution (RCE) and denial-of-service (DoS) OpenSSL vulnerabilities impact some of its products.

“Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack or execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server,” the company explains in a security advisory published earlier today.

The complete list of devices affected by the security flaws tracked as CVE-2021-3711 and CVE-2021-3712 includes DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server.

Patches coming within the next 90 days

The first bug is caused by a heap-based buffer overflow in the SM2 cryptographic algorithm which generally leads to crashes but can also be abused by attackers for arbitrary code execution.

The second flaw is a read buffer overrun while processing ASN.1 strings that can be exploited to crash vulnerable apps in DoS attacks or gain access to private memory contents such as private keys or other sensitive info.

Although the OpenSSL development team has published OpenSSL 1.1.1l to address the two flaws on August 24, Synology says that releases for impacted products are either “ongoing” or “pending.”

While Synology does not provide an estimated timeline for these incoming updates, the company told BleepingComputer earlier this month that it generally patches affected software within 90 days after publishing advisories.

Also Read: Got A Notice of Data Breach? Don’t Panic!

ProductSeverityFixed Release Availability
DSM 7.0ImportantOngoing
DSM 6.2ModerateOngoing
DSM UCModerateOngoing
SkyNASModeratePending
VS960HDModeratePending
SRM 1.2ModerateOngoing
VPN Plus ServerImportantOngoing
VPN ServerModerateOngoing

DiskStation Manager vulnerabilities also under investigation

The NAS maker is also working on security updates for multiple DiskStation Manager (DSM) vulnerabilities with no assigned CVE IDs and impacting DSM 7.0, DSM 6.2, DSM UC, SkyNAS, and VS960HD.

“Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands, or remote attackers to write arbitrary files via a susceptible version of DiskStation Manager (DSM),” Synology said when it publicly disclosed these security flaws on August 17.

“Our teams are still actively investigating this potential vulnerability and CVEs will be assigned when more information can be disclosed,” the company told BleepingComputer last week when asked to share CVE ID info on these DSM bugs.

Synology also added that attackers haven’t yet exploited the vulnerabilities disclosed in last week’s advisory in the wild.

Also Read: A Review Of PDPC Undertakings July 2021 Cases

Earlier this month, the company warned customers that the StealthWorker botnet is targeting their network-attached storage (NAS) devices in brute-force attacks that lead to ransomware infections.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us