Is DSM3.2 susceptible to BEAST?

mikedsynology
I'm New!
Posts: 5
Joined: Wed Sep 21, 2011 3:20 pm

Is DSM3.2 susceptible to BEAST?

Post by mikedsynology » Fri Sep 23, 2011 3:48 pm

Not an expert in IT security, but this article got me worried about my Synology DiskStation. http://www.theregister.co.uk/2011/09/19 ... aypal_ssl/

Does anyone know what version of SSL/TLS DSM 3.2 uses?

Thanks

thunderbird
Sharp
Posts: 187
Joined: Tue Jul 17, 2007 12:22 pm

Re: Is DSM3.2 susceptible to BEAST?

Post by thunderbird » Mon Oct 24, 2011 9:58 pm

Yes, all systems running TLS 1.0 are vulnerable. Most browsers will not support version 1.1 anyway, which does not have the problem. BTW: the attack can only be done when the attacker can read packets you send.
There is a workaround, however: since the problem is due to the use of the CBC algorithm, you can trick the system into using the stream cipher RC4, which is considered less secure, but still secure enough and not vulnerable to the BEAST attack.
You can do this by modifying all the SSL configuration files in /usr/syno/apache/conf/extra. You need to add a line with the option SSLHonorCipherOrder on in front of the line starting with SSLCipherSuite.
The string behind SSLCipherSuite needs to be changed (better copy the line, comment it out, and then add a new line) to !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5

NOTE: do this only if you really understand what you are doing and if you can live with the less secure algorithm. If you are not careful with this modification, you might end up with a system using no encryption at all!

P.S: there is a Firefox plugin called CipherFox that displays the cipher used for a site, this might help you in testing this modification.

It would be great if Synology would comment on the security problem and supply some hints on what's best to do.
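As an added example (not code from this thread or from Synology): a small Python check that reads an Apache SSL config fragment of the kind found under /usr/syno/apache/conf/extra, confirms that SSLHonorCipherOrder on is set, that the SSLCipherSuite string keeps the !aNULL:!eNULL:!EXPORT exclusions whose absence could leave the server "using no encryption at all", and flags a cipher string that only offers RC4, which RFC 7465 has since prohibited in TLS. The sample config is constructed; the `resolve_ciphers` helper simply asks the local OpenSSL what the string expands to, so on a current build the RC4-only string resolves to nothing.

```python
import re
import ssl

# Constructed sample in the shape of the DSM Apache SSL fragments described in
# the post, with the suggested workaround applied and the old line kept as a comment.
SAMPLE_CONF = """
<VirtualHost _default_:5001>
    SSLEngine on
    SSLHonorCipherOrder on
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
</VirtualHost>
"""

# Only uncommented directives match: a leading '#' breaks the ^\s*Directive anchor.
DIRECTIVE = re.compile(r"^\s*(SSLHonorCipherOrder|SSLCipherSuite)\s+(\S+)", re.M)
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!EXPORT")


def audit_ssl_config(text):
    """Return findings for one Apache SSL config fragment."""
    found = {name: value for name, value in DIRECTIVE.findall(text)}
    spec = found.get("SSLCipherSuite", "")
    tokens = spec.split(":") if spec else []
    positives = [t for t in tokens if not t.startswith("!")]
    return {
        "honor_order": found.get("SSLHonorCipherOrder", "").lower() == "on",
        "missing_exclusions": [x for x in REQUIRED_EXCLUSIONS if x not in tokens],
        # RC4-only means a client following RFC 7465 has nothing left to negotiate.
        "relies_on_rc4": bool(positives) and all("RC4" in t for t in positives),
        "cipher_spec": spec,
    }


def resolve_ciphers(spec):
    """Expand an OpenSSL cipher string with the local library; None if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    findings = audit_ssl_config(SAMPLE_CONF)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("locally available:", resolve_ciphers(findings["cipher_spec"]))
```

Run it against each file in the directory the post names to see at a glance whether the exclusions survived the edit and whether the chosen ciphers still exist in the OpenSSL the server is built against.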
