How long is too long to wait for a security fix?

Synology quietly released version 4.2-3250 of its DiskStation Manager (DSM) operating system this month. This squashes critical security bugs in version 4.2 of DSM – bugs that were fixed in version 5.0 in June, so consider this a back port. Version 4.2 is old but still in use in various models, such as the DS109. The update …

  1. Nate Amsden

    rarely update my home rooters

    yeah I called em rooters, sounds funny.

    My current home internet gateway is a Soekris box running OpenBSD 5.4 i386. Before the CF card failed roughly 222 days ago (current uptime) it was running, I want to say, OpenBSD 4.8 (maybe 4.4?) for however many years that was out for (never applied any updates). The system is pretty locked down running pf (the only reason I use OpenBSD; otherwise I do not like it at all). I log in to the OpenBSD box maybe 3 times a year, it seems. Haven't had to adjust the firewall rules in years.

    I have a very old Netgear WRT54G or whatever they are called running a version of DD-WRT (???) from about 6 years ago. It works, don't feel a need to change it (never crashed, never caused a problem). It's locked down as well as it can be, I think. It's on a segmented network that routes through the OpenBSD box before it can get to my main LAN or the internet. I don't even log in to the UI of this thing more than 2-3 times a year.

    99% of my traffic runs on wired ethernet.

    I have another wifi access point, a Netgear powerline extender thing-a-ma-bob. It's directly connected to my main network and has the max encryption it supports (forgot which offhand) and MAC filtering (far from perfect, but anything helps) enabled (the WRT54G has both as well).

    My laptop, and my work desktop for that matter, run Ubuntu 10.04 LTS (end of life was a year ago, I believe). At some point I will buy an SSD for my laptop and install Linux Mint (whichever one feels closest to Gnome 2, I forget which offhand). Don't plan to upgrade my work desktop unless something fails.

    Never once, to my knowledge anyway, have any of the systems I personally manage, either at home or at work, been successfully hacked in the 18 years or so I've been doing this, so I feel pretty confident that the stuff I do is adequate.

    1. Trevor_Pott Gold badge

      Re: rarely update my home rooters

      Based on that config, I suspect you have no management interfaces open to the net. I've seen stock home routers pwned in under an hour by placing them directly on a modem because they had management ports open to the net.

      So with basic security you can get away with more stability. Without it - or where you have a production requirement for more risk - I suspect that security updates mean a lot more.

      1. Nate Amsden

        Re: rarely update my home rooters

        SSH is exposed, that is it. My previous OpenBSD install I think was limited to keys only; my current one is not. Will change that now :)

        1. Trevor_Pott Gold badge

          Re: rarely update my home rooters

          I presume BSD has something similar to Fail2Ban that you could use for non-keyed systems?
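Concrete form of the two mitigations this sub-thread talks about (key-only SSH logins, and a Fail2Ban-style brute-force lockout done natively in pf, which is what an OpenBSD box would use instead of Fail2Ban), added here as an example and not taken from any commenter's configuration. The interface group, thresholds and table name are assumptions.

```conf
# /etc/ssh/sshd_config (fragment): accept keys only, so there is no
# password-guessing surface on the exposed port.
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# OpenSSH 8.7+ calls this KbdInteractiveAuthentication; older releases use
# ChallengeResponseAuthentication. Set whichever your sshd recognises.
ChallengeResponseAuthentication no
MaxAuthTries 3

# /etc/pf.conf (fragment): pf's own brute-force lockout, in place of Fail2Ban.
# "egress" is pf's built-in group for the default-route interface;
# <ssh_bruteforce> is an assumed table name.
table <ssh_bruteforce> persist
block in quick on egress from <ssh_bruteforce>
pass in on egress proto tcp to port ssh keep state \
    (max-src-conn 5, max-src-conn-rate 3/60, \
     overload <ssh_bruteforce> flush global)
# More than 3 new connections from one source within 60 s (or 5 concurrent)
# adds that source to the table; "flush global" also drops its existing
# states. Entries stay until expired, e.g. from cron after 24 h:
#   pfctl -t ssh_bruteforce -T expire 86400
```

Check the result with `pfctl -t ssh_bruteforce -T show` after a burst of failed connections; legitimate key-based sessions reuse one connection and stay well under the rate.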

      2. razorfishsl

        Re: rarely update my home rooters

        It is a MYTH that you need interfaces open to the web; you can be PAWNED even if the interface is only available on a local net.

        1. Trevor_Pott Gold badge

          Re: rarely update my home rooters

          Examples?

        2. Anonymous Coward

          Re: rarely update my home rooters

          "it is a MYTH that you need interfaces open to the web, You can be PAWNED even if the interface is only available on a local net."

          If I have the ticket and the means to repay the money I apparently borrowed, can I get myself back?

          On a more serious note, as per Trevor's response, you kind of need to elaborate when you make that kind of statement. Helps us work out where you're coming from.

    2. Blitterbug

      Re: yeah I called em rooters, sounds funny

      ...Not to me - you just spelled 'router' phonetically, for some reason... not sure why!

  2. Mark 65

    The great home network

    Unfortunately, as you have already said, many people do not upgrade a single component. But who can blame them? For years they have been sold the promise of devices that just work with minimum configuration, and so much of the blame is with the manufacturers. To be honest, most home users would likely screw up an upgrade anyhow: impatience causing them to turn things off etc., as well as some devices having less than stellar interfaces.

    I'm with the other vendor, whose attitude is predominantly to force an upgrade on you. To be honest I cannot blame them, as supporting multiple versions is a lot of work and encourages people to stick where they are, thus cementing the problem in. You pay your money, you take your choice. However, whilst this is fine in the home environment, I don't think they would be able to sustain this in the SMB sector with their higher-end gear. Not owning any of the rack kit, I cannot say what their attitude is there. I am fine with upgrading to the latest and greatest after a few weeks so that any issues can emerge; I've been bitten far too many times by early adopter eagerness (which can leave you as a beta tester with some companies) to do otherwise. I wasn't too impressed with their fix, which took too long (in my opinion) to release given they only did a recompile with a change to a switch.

    When the OpenSSL issues emerged, the first thing I did was to close all port maps on the router and leave nothing exposed. It was a pain in the arse, but with Heartbleed you just knew a script kiddy would get you with a port scan. I looked at my logs as soon as the fault was reported and witnessed scanning occurring from Rackspace-hosted boxes in the US; that's when services were shut down quicksmart.

    After this episode I've now brought everything back with only SSH passed through and all other access via OpenVPN, with an up-to-date install of Gargoyle on my home router.

    Going forward there is a clear issue here: as these devices become more feature-rich (with more attack vectors) and more accessible to your average user, we are now left with a situation where, just like with the dreaded Adobe Flash/Reader pairing, these things need to self-update unless told otherwise, because the owner just won't be doing it and we don't want to be left with our data being scanned by someone's convenience kit. As for the IoT, internet-connected fridges and the like can kiss my arse, because they will never have a place on my network.

  3. Mr Templedene

    How will we cope with the "Internet of Things"? Well, judging on our current record, we won't!

  4. Allan George Dyer

    "the balance between security and stability"

    But stability is security, just another aspect of "Confidentiality, Integrity, Availability".

    The key is layered defence; requiring attackers to break into your home to reach the management interface is one example.

    For the Internet of Things, we need the manufacturers to make it easy to layer the security, not make a one-time setup insecure for "user convenience".

    1. Bloakey1

      Re: "the balance between security and stability"

      Well said, that man, and well said Trevor.

      Stability is a key component in availability and has ramifications on confidentiality and integrity.

      I tend to avoid updates until they are mature and others have done the live 'beta' testing; however, I do patch away if a particularly nasty vulnerability is discovered.

      As for your Internet of Things, hmmm, I don't want it, I don't need it, and people have been wittering on about it for years and we have not got there yet. A decent firewall casting a cynical eye on all incoming and outgoing data does the trick for me.

  5. heyrick Silver badge

    Home router patching? You're having a laugh...

    "Patching your NAS is important, just as it is for your home router, switches, firewalls, servers and endpoints. Sadly, as has been made quite obvious, a great many people simply refuse to do so."

    Last week, Orange (France) updated the firmware in (some? all?) of the domestic Liveboxes, after... when was the last update? 2012? Anyway... This adds a nifty-looking user interface that is horribly broken, gives you advanced configuration options that just don't work right (good luck associating a device with a 'fixed' IP address on the (W)LAN via DHCP), gives you an 80:20 chance that the box won't recognise a USB key plugged into it, and means the previously working DLNA server struggles with 720P and even some 480P content. The Livebox 2 (Sagem) is locked up tight. I really wish I could revert to the previous firmware and disable auto-upgrades. Instead, we are all beta testers of software that is very clearly not up to expected release quality. I suspect this is tied in to IPv6 that Orange might be rolling out around 2017, maybe...

    I am not against the idea of automatic upgrades, especially in domestic devices; however, when said upgrade is clearly rushed out the door, unfinished, and mucks up stuff (people on Orange forums have reported drops in connection speeds and all sorts, but since my pipe is only 2mbit, I wouldn't notice!), it is hard to be in support of such automatic upgrades.

    Point being: whether or not the home router firmware is updated is out of our hands, and it is especially galling when such upgrades are forced and offer a worse experience than before.

    1. Trevor_Pott Gold badge

      Re: Home router patching? You're having a laugh...

      It is in mine. I went out of my way to find an ALU Cellpipe 7130. It's Just A Fucking Modem. Then I use a WNDR3700v2 as a router, with OpenWrt as the firmware. It's glorious!

      1. heyrick Silver badge

        Re: Home router patching? You're having a laugh...

        @ Trevor: Does it offer SIP VoIP with a socket for regular phones? I have a backup spare WAG200 router with open firmware, but when I use that, no phone...

        1. Trevor_Pott Gold badge

          Re: Home router patching? You're having a laugh...

          No. It doesn't. I use a regular Polycom Ethernet phone with no problem, using QoS in the firmware, but if I needed "regular phone" stuff that would be... MikroTik? I'd have to go look in the server room to verify.

  6. colinmacg

    The best example I've seen from a router/modem supplier (Dovado) has the default configuration check daily for new firmware; once that is issued it can be configured to send an email and then it waits for a week before applying the update. That allows any issues with the firmware to spare the bulk of the user base and only hit early adopters.

  7. Pu02

    "a great many people simply refuse to do so"

    Sure, and for the rest of us, there are all those manufacturers that refuse to update their firmware for bugs, let alone patch vulnerabilities. After all, why waste time working on stuff that is not going to make money in store next week?

    - Because if you do it right, it doesn't take much time?

    - Because people won't buy it if you don't maintain it. Perhaps that's why all those no-name NASes sell so well (?) Arghhh... (trying not to get worked up).

    Bring on the Internet of Things (and permanent vulnerabilities).

  8. Anonymous Coward

    Delayed update

    We've had to delay our DSM update, because we are pretty sure it will break something, as it has in the past. Fortunately, our DSM NAS is not directly exposed to the internet. Unfortunately, it is a mission-critical file server.

    For whatever reason, my colleagues who specified and installed Linux & BSD derivative workstations, appliances and servers don't think that patching and updating them is worth the effort.

  9. Paul

    This problem seems trivial compared to the latest hack!!
