Synology DSM 5.0 ShellShock “safe by default”
So I was on Twitter looking at some security stuff I follow and came across someone quoting Synology as saying that DSM 5.0 is “safe by default”. Here is a link to the Synology document. And here is the quote:
The design of Synology NAS operating system, DiskStation Manager (DSM), is safe by default. The bash command shell built-in in DSM is reserved for system service use (HA Manager) only and not available to public users. For preventive purpose, Synology is working on the patches addressing this bash vulnerability and to provide them as soon as possible.
Not being entirely convinced, I quickly logged into a DS1513+ and did echo $0, which will usually return the current shell.
So, I can’t confirm what shell the unit was running, but after upgrading to DSM 5.0 Update 7, the unit is now using the ash shell as default. I wish I hadn’t applied the update just yet so I could just confirm. But, for now, this will have to do. Looks safe here.
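echo $0 only reports the shell of the current login session, while the Synology statement quoted above says a bash binary is still present for system service use. The script below is an added example, not part of the original post or anything from Synology: it probes each shell binary it finds for the environment-variable function import flaw. The candidate path list and the marker string are assumptions made for the example.

```shell
#!/bin/sh
# Added example: test every shell binary found, not only the login shell.

MARKER=SHELLSHOCK_PROBE_HIT   # constructed, harmless marker string

# probe_shell PATH -> prints absent | vulnerable | not-vulnerable
probe_shell() {
    bin=$1
    [ -x "$bin" ] || { echo absent; return 0; }
    # An affected bash runs the text after the function body while it
    # imports the variable; a fixed bash, ash or dash prints nothing.
    out=$(env probe="() { :;}; echo $MARKER" "$bin" -c 'true' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo not-vulnerable ;;
    esac
}

# resolve_path PATH -> the real file behind a symlink such as /bin/sh
resolve_path() {
    readlink -f "$1" 2>/dev/null || echo "$1"
}

# shell_report: one line per candidate binary. The path list is an
# assumption; extend it for the system being checked.
shell_report() {
    echo "login shell (\$0): $0"
    echo "/bin/sh resolves to: $(resolve_path /bin/sh)"
    for p in /bin/sh /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/bin/bash; do
        echo "$p: $(probe_shell "$p")"
    done
}

shell_report
```

The /bin/sh line matters because programs that call system() run their command through /bin/sh, whatever the login shell of an interactive user is.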