Synology & “Shellshock” bash Vulnerability

Synology has released a statement about the Shellshock vulnerability. Not all DiskStations are vulnerable, and on the ones that are, the Bash shell isn't available to public users.

From the statement:

A vulnerability of a commonly used UNIX command shell, Bash, has been discovered allowing unauthorized users to remotely gain control of vulnerable UNIX-like systems. A thorough investigation by Synology shows the majority of Synology NAS servers are not concerned. The design of Synology NAS operating system, DiskStation Manager (DSM), is safe by default. The bash command shell built into DSM is reserved for system service use (HA Manager) only and not available to public users. For preventive purposes, Synology is working on the patches addressing this bash vulnerability and will provide them as soon as possible.
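The statement describes the bug but not how to tell whether a given bash binary has it. The following is an added example, not part of the original post or of Synology's advisory: a POSIX sh function that probes a bash binary for the original Shellshock bug (CVE-2014-6271) by exporting an environment variable that holds a function definition followed by extra code, then seeing whether that extra code runs. The variable name `x`, the marker string, and the assumption that DSM's bash lives at `/bin/bash` are my choices, not something the post states.

```shell
#!/bin/sh
# Added example: probe a bash binary for the original Shellshock bug
# (CVE-2014-6271). A vulnerable bash imports the function definition found
# in the environment variable and keeps parsing past the closing brace, so
# the trailing "echo SHELLSHOCK" executes. A fixed bash treats the whole
# variable as plain text (and warns on stderr, which we discard).
#
# Prints exactly one word and returns a matching status:
#   vulnerable (1), patched (0), missing (2, binary not found)
shellshock_check() {
    ss_shell="${1:-bash}"
    if ! command -v "$ss_shell" >/dev/null 2>&1; then
        echo missing
        return 2
    fi
    # "x" and the SHELLSHOCK marker are arbitrary choices for this example;
    # the inner 'echo probe' only proves the child shell actually started.
    ss_out=$(env x='() { :;}; echo SHELLSHOCK' "$ss_shell" -c 'echo probe' 2>/dev/null)
    case "$ss_out" in
        *SHELLSHOCK*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Stand-alone usage: check the bash on PATH, or the binary given as the
# first argument. On a DiskStation this would be run over SSH against
# /bin/bash (assumed location; the post does not say where DSM keeps it).
shellshock_check "${1:-bash}"
```

This checks only the first Shellshock bug; the follow-up fixes for the related parser bugs found afterwards need their own probes. On a DSM system where bash is reserved for system services, the point of the advisory is that nothing reachable by a public user passes attacker-controlled environment variables to that bash, so a "vulnerable" result from this probe over SSH does not by itself mean the NAS is remotely exploitable.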

Only one of my three DiskStations is on the vulnerable list (the DS1511+). That particular NAS always gets updated last. It's used for all my backups and file storage. While recovery would be possible, it would take a long time. My test NAS (the DS212J) isn't on the vulnerable list, so I can't test the updated firmware. My main NAS, the DS212+, isn't on the list either.

Since I can't test the update, I'm not applying it to my DS1511+. The DS1511+ isn't accessible from the internet, it isn't even set up for QuickConnect, and my router wouldn't send any Internet traffic to it. So the risk to me seems nearly non-existent, and the risk of problems is higher than normal. I'll wait until others beat on the update for a while and apply it sometime in the future, maybe just with the next update. As I write this, the update for the DS1511+ isn't available from the download center or through automatic update.