Quote:
Originally Posted by UnStable
I have been on DSM5.0.4493 for a while and updated to update4 this week so not sure what else it could be if not the Synology box?
Same here on a DS411J and I haven't received any similar letters. The NTP reflection/amplification vulnerability was also fixed in 4.3 by Synology in March anyway.
DSM5 should already be corrected[**], so unless VM checked prior to March then you shouldn't be causing the problem from the Synology ntp server anyway[*]?
Quote:
Version: 4.3-3827 Update 1
(2014/3/18)
Change Log
Fixed a security issue related to OpenSSL (CVE-2013-4353).
Fixed security issues by upgrading PHP to version 5.3.28 (CVE-2013-4073, CVE-2013-6420).
Fixed a security issue to prevent malicious attacks via NTP service (CVE-2013-5211).
[*] You only need NTP server typically when running Surveillance station (or High Availability) options. Using the normal port 123 to sync the NAS to an external NTP server is not the vulnerability.
[**] I SSH'd into my DSM5.0.4493-4 and checked ntpdc "monlist" which reassuringly didn't respond. However I note the build was compiled 29 May 2014 so perhaps if VM ran a check for open NTP servers prior to any DSM5 June build it might have flagged it?
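
A configuration-side counterpart to the ntpdc "monlist" check described in the post above, as an added example that is not part of the original post or Synology's code: it parses ntp.conf text for `noquery` on the default `restrict` lines and for `disable monitor`, the two configuration mitigations for CVE-2013-5211. The function name and sample configs are constructed here, and per-address `restrict` lines that relax the default for specific hosts are not evaluated.

```python
# Added example (not from the thread): static audit of ntp.conf text for the
# two configuration mitigations of CVE-2013-5211 (ntpdc "monlist").

def audit_ntp_conf(text):
    """Report whether the config blocks or empties mode 7 monlist replies."""
    default_flag_sets = []      # flag sets of every 'restrict default' line
    monitor_disabled = False    # ntpd enables monitoring unless told otherwise
    limited_seen = False        # any 'limited' restriction keeps monitoring on
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("disable", "enable") and "monitor" in args:
            monitor_disabled = (keyword == "disable")
        elif keyword == "restrict":
            if args and args[0] in ("-4", "-6"):
                args = args[1:]                 # strip address-family qualifier
            flags = set(args[1:])
            limited_seen = limited_seen or "limited" in flags
            if args and args[0] == "default":
                default_flag_sets.append(flags)
    # Every default entry must refuse ntpq/ntpdc queries (noquery) or all packets.
    queries_blocked = bool(default_flag_sets) and all(
        flags & {"noquery", "ignore"} for flags in default_flag_sets)
    # 'disable monitor' empties the monlist table unless 'limited' re-enables it.
    monitoring_off = monitor_disabled and not limited_seen
    return {"queries_blocked": queries_blocked,
            "monitoring_off": monitoring_off,
            "mitigated": queries_blocked or monitoring_off}

# Constructed sample configurations (not taken from any DSM build).
OPEN_CONF = "server 0.pool.ntp.org\nrestrict default nomodify notrap\n"
HARDENED_CONF = (
    "restrict default kod nomodify notrap nopeer noquery  # IPv4\n"
    "restrict -6 default kod nomodify notrap nopeer noquery\n"
    "restrict 127.0.0.1\n")
LIMITED_CONF = "disable monitor\nrestrict default limited nomodify\n"

if __name__ == "__main__":
    for name, conf in [("open", OPEN_CONF), ("hardened", HARDENED_CONF),
                       ("limited", LIMITED_CONF)]:
        print(name, audit_ntp_conf(conf))
```
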