Heartbleed OpenSSL security breach: impact and solution?

Pierrrrrrre
Trainee
Posts: 10
Joined: Tue Mar 12, 2013 7:05 am

Heartbleed OpenSSL security breach: impact and solution?

Post by Pierrrrrrre » Wed Apr 09, 2014 10:26 am

Hi!

Recently, very big news hit the Web:

Heartbleed, a very big security breach, has been found in OpenSSL; it impacts ⅔ of the Web servers in the world that use HTTPS encrypted connections.

Since Synology NAS devices provide an HTTPS connection option, I would like to know:
- whether OpenSSL is used in the NAS (I believe so)
- if it is used, when do you plan to release a security update?

Thank you.

P.S.: More info about Heartbleed here.


Pierrrrrrre
Trainee
Posts: 10
Joined: Tue Mar 12, 2013 7:05 am

Re: Heartbleed OpenSSL security breach: impact and solution?

Post by Pierrrrrrre » Thu Apr 10, 2014 2:25 am

For your information, I contacted Synology technical support and got this answer:
The issue will be fixed in the upcoming release and it will be available soon.
Wait and see! :)

sejtam
Novice
Posts: 54
Joined: Thu Feb 07, 2013 12:44 pm

Re: Heartbleed OpenSSL security breach: impact and solution?

Post by sejtam » Thu Apr 10, 2014 7:42 am

Yup, it's vulnerable:

```
$ Heartbleed 192.168.0.10:443
2014/04/10 14:39:42 ([]uint8) {
00000000 02 00 79 68 65 61 72 74 62 6c 65 65 64 2e 66 69 |..yheartbleed.fi|
00000010 6c 69 70 70 6f 2e 69 6f 59 45 4c 4c 4f 57 20 53 |lippo.ioYELLOW S|
00000020 55 42 4d 41 52 49 4e 45 cb 78 30 0e 99 99 d0 57 |UBMARINE.x0....W|
00000030 98 1c 7f 7e 93 6f 2b 15 c4 21 69 fa 8f f6 2e 00 |...~.o+..!i.....|
00000040 05 00 05 01 00 00 00 00 00 0a 00 08 00 06 00 17 |................|
00000050 00 18 00 19 00 0b 00 02 01 00 00 0d 00 0a 00 08 |................|
00000060 04 01 04 03 02 01 02 03 ff 01 00 01 00 c0 03 c0 |................|
00000070 0d c0 02 c0 0c 00 2f 00 41 00 35 00 86 8b 8e a5 |....../.A.5.....|
00000080 27 b5 dd 36 f9 60 19 06 63 21 d0 65 |'..6.`..c!.e|
}
```

Best not to allow remote access to your NAS for now.

Pierrrrrrre
Trainee
Posts: 10
Joined: Tue Mar 12, 2013 7:05 am

Re: Heartbleed OpenSSL security breach: impact and solution?

Post by Pierrrrrrre » Fri Apr 11, 2014 6:00 am

Synology released an update that fixes the Heartbleed issue:

http://www.synology.com/en-global/suppo ... 8_update_2

sejtam
Novice
Posts: 54
Joined: Thu Feb 07, 2013 12:44 pm

Re: Heartbleed OpenSSL security breach: impact and solution?

Post by sejtam » Fri Apr 11, 2014 6:10 am

The fix seems to be available. New DSM update... installing now...

sejtam
Novice
Posts: 54
Joined: Thu Feb 07, 2013 12:44 pm

Re: Heartbleed OpenSSL security breach: impact and solution?

Post by sejtam » Fri Apr 11, 2014 6:49 am

```
./Heartbleed 192.168.0.10:443
2014/04/11 05:48:45 192.168.0.10:443 - SAFE
```

Seems to have done the trick. Thanks Synology!

levicki
Novice
Posts: 43
Joined: Tue Oct 23, 2012 10:36 am

Re: Heartbleed OpenSSL security breach: impact and solution?

Post by levicki » Sun Apr 13, 2014 2:13 pm

I wonder why the default SSL configuration on a web server also allows medium grade encryption?

I am not happy with AES128 only when better is available.

Here is how to fix that:

```apache
# login as root via SSH to your DiskStation then do the following:
#
# su
# vi /etc/httpd/conf/extra/httpd-ssl.conf-common
#
# then change the SSLCipherSuite line and add SSLHonorCipherOrder as shown below
#

SSLCipherSuite AES256-SHA
SSLHonorCipherOrder on
```

I would appreciate it if Synology removed MEDIUM grade ciphers altogether, and it would also be nice if Synology removed the Apache default hack for old IE dating from 1999, which indiscriminately reduces performance of all IE browsers, including the latest ones:
http://www.apachelounge.com/viewtopic.php?t=4462
http://blogs.msdn.com/b/ieinternals/arc ... -slow.aspx

If not removed, then at least replace the regex as follows:

```apache
BrowserMatch ".*MSIE [2-5]\..*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
```

So that it catches only IE2 to IE5 and not everything and a kitchen sink.
DS412+, 2xWD2003FYYS
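To see what the narrowed regex actually changes, here is an added Python example (not from the post or from Synology) that emulates Apache's `BrowserMatch` against constructed User-Agent strings. The broad pattern it compares against is assumed to be the classic Apache httpd-ssl.conf default `.*MSIE.*`, which the post refers to but does not quote.

```python
import re

# The classic Apache httpd-ssl.conf default (assumed to be what DSM shipped):
# it matches every Internet Explorer version that advertises "MSIE".
BROAD_PATTERN = r".*MSIE.*"
# The post's replacement: only IE 2.x through 5.x get the 1999-era workarounds.
NARROW_PATTERN = r".*MSIE [2-5]\..*"

# Constructed User-Agent strings, one per IE generation plus a non-IE browser.
SAMPLE_USER_AGENTS = {
    "ie4":  "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
    "ie5":  "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "ie6":  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ie9":  "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "ie10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    # IE 11 dropped the MSIE token entirely, so neither pattern can match it.
    "ie11": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "ff":   "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0",
}


def browser_match(pattern, user_agent):
    """Emulate Apache BrowserMatch: a case-sensitive regex search on the UA
    (BrowserMatchNoCase would be the case-insensitive variant)."""
    return re.search(pattern, user_agent) is not None


def degraded_clients(pattern, user_agents=SAMPLE_USER_AGENTS):
    """Return the sorted names of the clients that would receive nokeepalive,
    downgrade-1.0 and force-response-1.0 under the given BrowserMatch regex."""
    return sorted(name for name, ua in user_agents.items()
                  if browser_match(pattern, ua))


if __name__ == "__main__":
    for label, pattern in (("broad", BROAD_PATTERN), ("narrow", NARROW_PATTERN)):
        print(f"{label:6} {pattern!r:20} -> {degraded_clients(pattern)}")
```

With the broad pattern every MSIE release, including IE 9 and IE 10, loses keep-alive and is forced down to HTTP/1.0; with the narrowed one only IE 4 and IE 5 do.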
