"Poodle" SSL vulnerability: DSM appears vulnerable

polly
Beginner
Posts: 27
Joined: Sun Mar 27, 2011 3:32 am

"Poodle" SSL vulnerability: DSM appears vulnerable

Postby polly » Wed Oct 15, 2014 3:07 pm

Another large-scale vulnerability has been found and DSM users who access their devices remotely may be particularly vulnerable: http://www.theregister.co.uk/2014/10/14 ... erability/

DSM appears to be vulnerable as per the test below:
% if echo Q | openssl s_client -connect <your Disk Station IP>:<your https port, default is 5001> -ssl3 2> /dev/null | grep -q "Cipher.*0000"; then echo "SSLv3 disabled"; else echo "SSLv3 enabled"; fi
...
SSLv3 enabled

There's a manual fix for Apache for the technically savvy (I've not tried yet) but for anyone else, we need a fix ASAP from Synology.
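The one-liner above relies on the local openssl binary still being willing to speak SSLv3 and on grepping s_client's text output. The script below is an added example, not code from the thread or from Synology: it performs the same check at the protocol level by building a bare SSLv3 ClientHello, sending it, and classifying the first record the server returns (a ServerHello with version 3.0 means SSLv3 is still enabled; an alert or an immediate close means it is refused). The cipher-suite list offered, the status strings and the command-line arguments are this example's own choices; port 5001 is used as a default only because the thread names it as DSM's default HTTPS port.

```python
"""Protocol-level SSLv3 probe for checking a server you administer after the POODLE fix.

Added example, not code from the forum thread or from Synology. It sends a bare
SSLv3 ClientHello and classifies the first record the server answers with, so it
does not depend on the local openssl binary still supporting -ssl3.
"""
import os
import socket
import struct
import sys

# Cipher suites an SSLv3-era server would commonly accept (IANA code points);
# the list is this example's own choice, not anything the thread specifies.
SSLV3_CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x0005, 0x0004)

HANDSHAKE, ALERT = 0x16, 0x15            # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
SSLV3_VERSION = b"\x03\x00"

# Alert descriptions a server typically sends when it refuses the hello.
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter",
               70: "protocol_version", 80: "internal_error"}


def build_sslv3_client_hello(client_random=None):
    """Return one handshake record carrying an SSLv3 ClientHello (SSLv3 has no extensions)."""
    if client_random is None:
        client_random = os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", cs) for cs in SSLV3_CIPHER_SUITES)
    body = (
        SSLV3_VERSION                              # client_version = 3.0
        + client_random                            # 32-byte client random
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", len(suites)) + suites  # cipher_suites vector
        + b"\x01\x00"                              # compression_methods: null only
    )
    # Handshake header: 1-byte message type + 24-bit body length.
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: content type, record version, 16-bit fragment length.
    return bytes([HANDSHAKE]) + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the server's first record to a (status, detail) pair."""
    if len(data) < 5:
        return ("refused", "connection closed without sending a record")
    content_type = data[0]
    if content_type == ALERT:
        if len(data) < 7:
            return ("refused", "truncated alert")
        level, description = data[5], data[6]
        name = ALERT_NAMES.get(description, str(description))
        return ("refused", "alert %s (level %d)" % (name, level))
    if content_type == HANDSHAKE and len(data) >= 11 and data[5] == SERVER_HELLO:
        if data[9:11] == SSLV3_VERSION:
            return ("sslv3-enabled", "server answered with an SSLv3 ServerHello")
        return ("other-version", "ServerHello version %d.%d" % (data[9], data[10]))
    return ("unexpected", "first record has content type 0x%02x" % content_type)


def probe(host, port, timeout=5.0):
    """Connect, send the ClientHello, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # Port 5001 is only a default because the thread names it as DSM's default HTTPS port.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5001
    status, detail = probe(target_host, target_port)
    print("%s:%d -> %s (%s)" % (target_host, target_port, status, detail))
```

Run it as `python3 sslv3_probe.py <your Disk Station IP> 5001` before and after the Apache change; the verdict comes from the record the server actually sends, not from how a particular openssl build formats its output.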
polly
Beginner
Posts: 27
Joined: Sun Mar 27, 2011 3:32 am

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby polly » Wed Oct 15, 2014 4:23 pm

Update: I tried the likely manual fixes for this (which probably won't survive a DSM update and maybe not a reboot):
Note that this is not a permanent fix! It's my guesswork; it seems to fix it for now, but it needs a proper Synology update.

Change:
SSLProtocol all -SSLv2
to:
SSLProtocol all -SSLv2 -SSLv3
in:
/etc/httpd/conf/extra/httpd-alt-port-ssl-setting.conf
and
/etc/httpd/conf/extra/httpd-ssl.conf-common
and restart apache:
/usr/syno/etc/rc.d/S97apache-sys.sh restart
/usr/syno/sbin/synoservicecfg --restart httpd-user

Not sure why I seemed to need the penultimate line to make the change - I'm no DSM expert.

After a restart the test above indicated the evil SSLv3 was dead. DSM, DS Audio etc. still continued to respond, at least on a Mac (Safari) and an iPhone running iOS 8.0.2.
relax_nl
Apprentice
Posts: 93
Joined: Wed Jan 18, 2012 11:22 am
Location: The Hague, The Netherlands

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby relax_nl » Wed Oct 15, 2014 8:52 pm

You can test it here: https://www.ssllabs.com/ssltest/analyze.html?d=<your.server.url>&hideResults=on

PS: I also edited the following lines in httpd-ssl.conf-common


SSLCipherSuite HIGH:MEDIUM:!TLS_RSA:!aNULL
SSLHonorCipherOrder on
DS1511+ (DSM OS 6) with Intel D525 Atom CPU (dual-core @ 1.8GHz), 3GB RAM ( 800MHz DDR2 ), SHR2 volume of 5x 4TB HDD
APC Back-UPS ES 700 (BE700G-GR)
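Both the SSLProtocol edit described by polly above and the SSLCipherSuite / SSLHonorCipherOrder lines relax_nl added are settings that need re-checking whenever the config files are touched again. The script below is an added example, not code from the thread or from Synology: it reads Apache config text, evaluates SSLProtocol the way mod_ssl's parser does (tokens left to right; "+" adds, "-" removes, a bare name replaces the set) and reports whether SSLv3 is still enabled and whether a cipher-suite string and SSLHonorCipherOrder are present. How "all" expands, the last-directive-wins simplification (ignoring <VirtualHost> scoping) and the sample config texts are this example's assumptions.

```python
"""Audit Apache mod_ssl settings for the directives changed in this thread.

Added example, not code from the thread or from Synology. It reads httpd config
text and reports whether SSLv3 is still enabled after evaluating SSLProtocol the
way mod_ssl does, and whether SSLCipherSuite and SSLHonorCipherOrder are set.
"""
import re
import sys

# Assumption: "all" expands as in Apache 2.2 mod_ssl (SSLv2 included). Apache 2.4
# leaves SSLv2 out of "all"; that does not change the SSLv3 verdict either way.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANONICAL_NAME = {name.lower(): name for name in ALL_PROTOCOLS}

DIRECTIVE_RE = re.compile(
    r"^\s*(SSLProtocol|SSLCipherSuite|SSLHonorCipherOrder)\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(arguments):
    """Evaluate an SSLProtocol argument string token by token, left to right.

    "+name" adds, "-name" removes, and a bare name replaces the current set,
    which is how mod_ssl's parser treats the prefixes.
    """
    enabled = set()
    for token in arguments.split():
        action, name = "=", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        key = name.lower()
        if key == "all":
            names = set(ALL_PROTOCOLS)
        elif key in CANONICAL_NAME:
            names = {CANONICAL_NAME[key]}
        else:
            raise ValueError("unknown SSLProtocol token: %r" % token)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def audit_ssl_config(text):
    """Return the effective settings found in one config file's text.

    Later directives override earlier ones; <VirtualHost> scoping is ignored,
    which is a simplification made by this example.
    """
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            found[match.group(1).lower()] = match.group(2).strip('"')
    # mod_ssl's documented default when SSLProtocol is absent is "all".
    protocols = effective_protocols(found.get("sslprotocol", "all"))
    return {
        "protocols": protocols,
        "sslv3_enabled": "SSLv3" in protocols,
        "cipher_suite": found.get("sslciphersuite"),
        "honor_cipher_order": found.get("sslhonorcipherorder", "off").lower() == "on",
    }


# Constructed samples: the directive before and after the change the thread describes.
SAMPLE_BEFORE = "SSLEngine on\nSSLProtocol all -SSLv2\n"
SAMPLE_AFTER = ("SSLEngine on\n"
                "SSLProtocol all -SSLv2 -SSLv3\n"
                "SSLCipherSuite HIGH:!aNULL:!MD5\n"
                "SSLHonorCipherOrder on\n")


def report(label, text):
    """Print one line summarising the audit of a config text."""
    result = audit_ssl_config(text)
    verdict = "SSLv3 ENABLED (POODLE-exposed)" if result["sslv3_enabled"] else "SSLv3 disabled"
    print("%s: %s; protocols=%s; honor_cipher_order=%s; cipher_suite=%s" % (
        label, verdict, sorted(result["protocols"]),
        result["honor_cipher_order"], result["cipher_suite"]))


if __name__ == "__main__":
    if len(sys.argv) > 1:   # audit real files, e.g. the two paths named in the thread
        for path in sys.argv[1:]:
            with open(path) as handle:
                report(path, handle.read())
    else:
        report("sample-before", SAMPLE_BEFORE)
        report("sample-after", SAMPLE_AFTER)
```

Pointing it at the config files the thread names (for example `python3 ssl_audit.py /etc/httpd/conf/extra/httpd-ssl.conf-common /etc/httpd/conf/extra/httpd-alt-port-ssl-setting.conf`) gives a quick way to confirm the edit is still in place after a reboot or a DSM update.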
npoulos
Trainee
Posts: 14
Joined: Fri Oct 05, 2012 4:12 pm

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby npoulos » Thu Oct 16, 2014 6:42 pm

Here is another spot to test it.

https://www.tinfoilsecurity.com/poodle
KarlS
Beginner
Posts: 22
Joined: Mon Jan 27, 2014 1:00 pm

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby KarlS » Thu Oct 16, 2014 6:57 pm

Hi to all.

A great resource for configuring crypto settings correctly and securely is
https://bettercrypto.org/

This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.). It is completely open sourced, every step in the creation of this guide is public, discussed on a public mailing list and any changes to the text are documented in a publicly readable version control system.


BR
Karl
tralek
I'm New!
Posts: 1
Joined: Thu Apr 11, 2013 10:11 pm

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby tralek » Sat Oct 18, 2014 11:17 am

This fix could not be applied to version 4.3 of DSM as there is no /etc/httpd folder. Any other ideas how to patch this in older versions?
polly
Beginner
Posts: 27
Joined: Sun Mar 27, 2011 3:32 am

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby polly » Sat Oct 18, 2014 7:21 pm

tralek wrote:This fix could not be applied to version 4.3 of DSM as there is no /etc/httpd folder. Any other ideas how to patch this in older versions?

If you look to see where the web server process goes for its configuration files, that should tell you. Try:

> ps w | grep http

Somewhere you'll probably see httpd followed by a "-f" parameter and the directory where your Apache files are.

Then look for lines similar to the above.
maxxfi
Compiler
Posts: 6794
Joined: Sun Dec 27, 2009 12:13 pm
Location: Espoo, Finland

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby maxxfi » Sat Oct 18, 2014 7:22 pm

The configurations for Synology web servers are under /usr/syno/apache/conf/
DS-106j > DS-210j > DS-411
treppa1
Trainee
Posts: 17
Joined: Thu Aug 07, 2014 2:36 am

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby treppa1 » Sun Oct 19, 2014 5:02 am

polly wrote:Update: I tried the likely manual fixes for this (which probably won't survive a DSM update and maybe not a reboot):
Note that this is not a permanent fix! It's my guesswork, seems to fix it for now, but needs a proper Synology update.

Change:
SSLProtocol all -SSLv2
to:
SSLProtocol all -SSLv2 -SSLv3
in:
/etc/httpd/conf/extra/httpd-alt-port-ssl-setting.conf
and
/etc/httpd/conf/extra/httpd-ssl.conf-common
and restart apache:
/usr/syno/etc/rc.d/S97apache-sys.sh restart
/usr/syno/sbin/synoservicecfg --restart httpd-user

Not sure why I seemed to need the penultimate line to make the change - I'm no DSM expert.

After a restart the test above indicated the evil SSLv3 was dead. DSM, DS Audio etc. still continued to respond, at least on a Mac (Safari) and an iPhone running iOS 8.0.2.

I tried the settings reported and everything seems fine. Only a problem you may already know: if you reboot the NAS after those modifications, the Apache server does not restart by itself. You must restart it manually, otherwise your NAS won't be accessible remotely.
Unfortunately, Synology's response is always late... :(
polly
Beginner
Posts: 27
Joined: Sun Mar 27, 2011 3:32 am

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby polly » Sun Oct 19, 2014 6:48 pm

treppa1 wrote:Only a problem you may already know: if you reboot the NAS after those modifications, the Apache server does not restart by itself. You must restart it manually, otherwise your NAS won't be accessible remotely.
Unfortunately, Synology's response is always late... :(

Uh oh! I thought something like this might happen. I can't imagine why - my changes just tack an option on the end of a standard line. Do you get any relevant errors in /var/log/*?

I could swear I've restarted since then with no problems but I may be wrong...

I can't believe we've heard nothing from Synology on this yet, unless I missed it.
Zdenda
I'm New!
Posts: 2
Joined: Mon Oct 20, 2014 6:32 pm

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby Zdenda » Mon Oct 20, 2014 6:35 pm

Hello,
I wanted to edit the file /etc/httpd/conf/extra/httpd-alt-port-ssl-setting.conf
with the change as described (logged in as admin via PuTTY to the Synology), edited it in mc and got a message that it cannot be saved. Some permission problem. Do you have any advice for me?
Thanks
HarryPotter
Honorary Moderator
Posts: 18821
Joined: Mon Oct 23, 2006 12:48 pm
Location: Switzerland

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby HarryPotter » Mon Oct 20, 2014 8:29 pm

Login as root.
*Please do not Private Message me for support questions; leave it on the forum so all members can learn. Thanks!*

DS718+ / DSM 6.1.3-15152-7 / ST4000VN000-2AH166 / 16 GB RAM
DS713+ / DSM 6.1.3-15152-7 / HD501LJ + HD502IJ (RAID0)
DS415+ / DSM 6.1.3-15152-7

2 Squeezebox 3 + Boom

APC Smart UPS SUA750i
treppa1
Trainee
Posts: 17
Joined: Thu Aug 07, 2014 2:36 am

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby treppa1 » Tue Oct 21, 2014 2:03 am

polly wrote: Do you get any relevant errors in /var/log/*?
I could swear I've restarted since then with no problems but I may be wrong...
I can't believe we've heard nothing from Synology on this yet, unless I missed it.


I didn't look that much in the logs. What I noticed is that if you restart and log in locally, then you'll be able to reach the server remotely; if not, the Apache server seems to be unreachable.
Anyway, I checked the processes upon restart and both S97apache-sys.sh and synoservicecfg are running even though the server appears offline.
As soon as I log in as admin (locally) I get remote access back.

No comment for the Synology support...
treppa1
Trainee
Posts: 17
Joined: Thu Aug 07, 2014 2:36 am

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby treppa1 » Tue Oct 21, 2014 5:20 pm

For the record, I realised it's only a DDNS problem.
treppa1
Trainee
Posts: 17
Joined: Thu Aug 07, 2014 2:36 am

Re: "Poodle" SSL vulnerability: DSM appears vulnerable

Postby treppa1 » Wed Oct 22, 2014 3:50 pm

Sadly I have to admit Synology is working against us :oops:
After updating DSM to 5.0-4528, SSLv3 has been restored as the default. It means you have to do the procedure again...
But I'm wondering why in this last update they did not patch the base system... :shock: :shock: :shock:
