Is DSM3.2 susceptible to BEAST?

mikedsynology
I'm New!
Posts: 5
Joined: Wed Sep 21, 2011 3:20 pm

Is DSM3.2 susceptible to BEAST?

Postby mikedsynology » Fri Sep 23, 2011 3:48 pm

Not an expert in IT security, but this article got me worried about my synology diskstation. http://www.theregister.co.uk/2011/09/19 ... aypal_ssl/

Does anyone know what version of SSL/TLS DSM 3.2 uses?

Thanks
thunderbird
Sharp
Posts: 187
Joined: Tue Jul 17, 2007 12:22 pm

Re: Is DSM3.2 susceptible to BEAST?

Postby thunderbird » Mon Oct 24, 2011 9:58 pm

Yes, all systems running TLS 1.0 are vulnerable. Most browsers will not support version 1.1 anyway, which does not have the problem. BTW: the attack can only be done when the attacker can read packets you send.
There is a workaround, however: since the problem is due to the use of the CBC algorithm, you can trick the system into using the stream cipher RC4, which is considered less secure, but still secure enough and not vulnerable to the BEAST attack.
You can do this by modifying all the SSL configuration files in /usr/syno/apache/conf/extra. You need to add a line with the option SSLHonorCipherOrder on in front of the line starting with SSLCipherSuite.
The string behind SSLCipherSuite needs to be changed (better copy the line, comment it out, and then add a new line) to !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5

NOTE: do this only if you really understand what you are doing and if you can live with the less secure algorithm. If you are not careful with this modification, you might end up with a system using no encryption at all!

P.S: there is a Firefox plugin called CipherFox that displays the cipher used for a site, this might help you in testing this modification.

It would be great if Synology would comment on the security problem and supply some hints on what's best to do.
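The config edit thunderbird describes above, written as a small script (an added example, not code from the post or from Synology). It takes Apache SSL config text, comments out every active SSLCipherSuite line, puts SSLHonorCipherOrder on in front of it, and adds the RC4-only cipher string from the post. The SAMPLE_CONF contents are constructed for this example; the real files under /usr/syno/apache/conf/extra will differ. check_hardened() is the sanity check the post's warning calls for: it refuses a config whose cipher string does not exclude NULL ciphers (!eNULL) and anonymous key exchange (!aNULL), or where SSLCipherSuite is not preceded by SSLHonorCipherOrder on.

```python
"""Apply the RC4/SSLHonorCipherOrder workaround to Apache SSL config text."""
import re
import shutil
from typing import List

# Cipher string proposed in the post: no anonymous/NULL/export/DES/DSS suites, RC4 only.
RC4_CIPHER_SUITE = "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5"
HONOR_ORDER_LINE = "SSLHonorCipherOrder on"

# Constructed sample (hypothetical): note the original suite even allows +eNULL,
# i.e. "encryption" with no cipher at all, which is what the post warns about.
SAMPLE_CONF = """\
Listen 5001
<VirtualHost _default_:5001>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/syno/etc/ssl/ssl.crt/server.crt
</VirtualHost>
"""

# Only uncommented directives match; a leading '#' makes the line inert.
_CIPHER_RE = re.compile(r"^(\s*)SSLCipherSuite\s+(\S.*?)\s*$")
_HONOR_RE = re.compile(r"^\s*SSLHonorCipherOrder\s+(on|off)\s*$", re.IGNORECASE)


def active_cipher_suites(text: str) -> List[str]:
    """Cipher strings of all uncommented SSLCipherSuite lines, in file order."""
    return [m.group(2) for m in map(_CIPHER_RE.match, text.splitlines()) if m]


def harden_ssl_conf(text: str, cipher_suite: str = RC4_CIPHER_SUITE) -> str:
    """Return new config text following the post's recipe.

    For each active SSLCipherSuite line: keep the original as a comment, emit
    'SSLHonorCipherOrder on' directly in front, then the new SSLCipherSuite.
    Indentation of the original line is preserved."""
    lines = text.splitlines()
    has_suite = any(_CIPHER_RE.match(l) for l in lines)
    out: List[str] = []
    for line in lines:
        m = _CIPHER_RE.match(line)
        if m is None:
            # An existing SSLHonorCipherOrder line is re-emitted next to the suite
            # below, so drop it here (but only if there is a suite line to pair with).
            if has_suite and _HONOR_RE.match(line):
                continue
            out.append(line)
            continue
        indent = m.group(1)
        out.append(f"{indent}# {line.strip()}")  # original, commented out
        out.append(f"{indent}{HONOR_ORDER_LINE}")
        out.append(f"{indent}SSLCipherSuite {cipher_suite}")
    return "\n".join(out) + "\n"


def check_hardened(text: str) -> bool:
    """Sanity check before restarting Apache.

    True only if there is at least one active SSLCipherSuite, every one of them
    excludes NULL encryption and anonymous key exchange, and each is immediately
    preceded by 'SSLHonorCipherOrder on' (so the server, not the client, picks)."""
    lines = text.splitlines()
    suite_idx = [i for i, l in enumerate(lines) if _CIPHER_RE.match(l)]
    if not suite_idx:
        return False
    for i in suite_idx:
        suite = _CIPHER_RE.match(lines[i]).group(2)
        if "!eNULL" not in suite or "!aNULL" not in suite:
            return False
        prev = lines[i - 1] if i > 0 else ""
        if not (_HONOR_RE.match(prev) and prev.strip().lower().endswith("on")):
            return False
    return True


def harden_file(path: str) -> bool:
    """Rewrite one config file in place, keeping a copy at <path>.bak.
    Returns the result of check_hardened() on the new contents."""
    shutil.copyfile(path, path + ".bak")
    with open(path, "r", encoding="utf-8") as fh:
        original = open_text = fh.read()
    hardened = harden_ssl_conf(open_text)
    ok = check_hardened(hardened)
    if ok:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(hardened)
    return ok


if __name__ == "__main__":
    # Dry run on the constructed sample; for real files loop over the directory
    # from the post, e.g. glob.glob("/usr/syno/apache/conf/extra/*ssl*.conf").
    print(harden_ssl_conf(SAMPLE_CONF))
    print("hardened ok:", check_hardened(harden_ssl_conf(SAMPLE_CONF)))
```

After restarting Apache, the negotiated cipher can be confirmed from another host with `openssl s_client -connect <diskstation>:5001`, which prints it in its `Cipher :` line, or with the CipherFox plugin the post mentions. Note that RC4 was later prohibited for TLS by RFC 7465 (2015) and is no longer offered by current browsers or OpenSSL builds, so this 2011 workaround is of historical interest; the script's structure (server-side cipher ordering plus a sanity check for NULL and anonymous suites) applies unchanged to any cipher string.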
