VT OID: 1.3.6.1.4.1.25623.1.0.170202 is not 100% correct

This test is using the contents of /synohdpack/synohdpack.version to determine the DSM version. However, the version numbers in this file come from the Synology HDD/SSD Drive Database and are not necessarily in line with the actual DSM version number, especially after installing an update manually. The actual version number is in the file /etc(.defaults)/VERSION, but that one is not included in the nginx setup.

So far we have noticed that the patch level version is not present in /synohdpack/synohdpack.version; that is why every advisory concerning a fix via a patch version has 2 corresponding VTs, one for reliable checks and one for unreliable checks, for example 1.3.6.1.4.1.25623.1.0.170271 and 1.3.6.1.4.1.25623.1.0.170504.
We have no information so far that the major version, minor version or build number were wrong in /synohdpack/synohdpack.version.

Hey there,

I’ve the same problem with
“Synology DiskStation Manager (DSM) < 7.2.1-69057-6, 7.2.2 < 7.2.2-72806-1 Multiple Vulnerabilities (Synology-SA-24:20) - Remote Known Vulnerable Versions Check”

The check says
Installed version: 7.2-72806
Fixed version: 7.2.1-69057-6

There is something wrong with that, isn't there?

Also here is the content of the synohdpack.version

majorversion="7"
minorversion="2"
major="7"
minor="2"
micro="2"
buildphase="GM"
buildnumber="72806"
smallfixnumber="0"
nano="0"
base="72806"

Or is this some problem with this specific NVT?

I am seeing the same issue.
In your example I guess it should say that the installed version is 7.2.2-72806. It seems like the detection is not detecting the "micro" version properly, and this is leading to false positives for "Synology DiskStation Manager (DSM) < 7.2.1-69057-6, 7.2.2 < 7.2.2-72806-1 Multiple Vulnerabilities (Synology-SA-24:20) - Remote Known Vulnerable Versions Check" and other VTs.


It seems that starting with version 7.2.2, Synology removed the productversion= entry that was previously used to determine the version; therefore the detection used the fallback values for majorversion and minorversion, which were actually intended for versions older than 6.0. There will be a fix for the new format of synohdpack.version.
Also, it is now possible to provide credentials for web authentication for a more accurate detection, as the patch level updates are usually not reflected in synohdpack.version, so a 100% accurate detection is not possible via unauthenticated HTTP.

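To make the fallback problem described above concrete, here is an added example (not part of the thread or of the Greenbone VT) that parses the two layouts of synohdpack.version: the naive path that reads only majorversion/minorversion, which yields the "7.2-72806" reported above, and a corrected path that prefers productversion= and otherwise assembles major.minor.micro. The two file contents are constructed samples; the rule that a micro of "0" is omitted from the version string is an assumption.

```python
import re

# Constructed sample matching the 7.2.2 file quoted in this thread
# (no productversion= entry; the real file uses straight quotes).
SAMPLE_722 = '''majorversion="7"
minorversion="2"
major="7"
minor="2"
micro="2"
buildphase="GM"
buildnumber="72806"
smallfixnumber="0"
nano="0"
base="72806"
'''

# Constructed sample of the older layout that still carries productversion=.
SAMPLE_OLD = '''productversion="7.2.1"
majorversion="7"
minorversion="2"
buildnumber="69057"
smallfixnumber="6"
'''


def parse_kv(text):
    """Parse key="value" lines into a dict, ignoring anything else."""
    return dict(re.findall(r'^\s*([A-Za-z_]+)="([^"]*)"\s*$', text, re.M))


def naive_version(kv):
    """Old logic: productversion=, else majorversion.minorversion (loses micro)."""
    base = kv.get("productversion") or f'{kv["majorversion"]}.{kv["minorversion"]}'
    return f'{base}-{kv["buildnumber"]}'


def dsm_version(kv):
    """Prefer productversion=; otherwise assemble major.minor[.micro] from the
    newer fields. Assumption: micro="0" is omitted, as in a plain 7.2 release."""
    if "productversion" in kv:
        base = kv["productversion"]
    else:
        base = f'{kv["major"]}.{kv["minor"]}'
        if kv.get("micro", "0") != "0":
            base += "." + kv["micro"]
    return f'{base}-{kv["buildnumber"]}'


def patch_level(kv):
    """smallfixnumber= as found in the file. As noted in the thread, this often
    lags the real patch level, so treat it as a lower bound, not an exact value."""
    return int(kv.get("smallfixnumber", "0"))
```

For a target running 7.2.2, naive_version() returns "7.2-72806" while dsm_version() returns "7.2.2-72806", which is exactly the difference behind the false positive.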

Thanks for the information, OrphX. It has helped me a lot to understand the problem. I also find it interesting to use credentials for web authentication, but I only see options for SSH, SMB, ESXi or SNMP credentials on our Synology targets. Is there any way to use web authentication credentials on HTTP or ports 5000 and 5001?

When can we expect the fix to be implemented and will it come with the feed update?

The fix has been developed and should be in the feed in the coming days.


The credentials can be set in the preferences of Synology NAS / DiskStation Manager Detection (HTTP) (OID: 1.3.6.1.4.1.25623.1.0.103786).
You need to set "Synology NAS / DiskStation Manager Web UI Username" and "Synology NAS / DiskStation Manager Web UI Password" there.


Thank you, ckuerste!

Great news, keep up the good work!
Drop me your LN address :zap: I’ll buy you a :beer: