
A security flaw in Synology's Photos App exposes users to Zero-Click Attacks

Synology Photos zero-click vulnerability

A newly identified Remote Code Execution (RCE) vulnerability in Synology’s network-attached storage (NAS) devices has placed millions of users at risk, allowing attackers to remotely access these systems without any interaction from users.

Categorised as a “zero-click” vulnerability, this flaw enables attackers to exploit Synology devices without requiring the user to open files or click on links. The issue originates from two applications: Synology Photos (Synology-SA-24:19) and BeePhotos (Synology-SA-24:18), both of which come pre-installed and enabled by default on Synology’s consumer line of Bee network storage devices. The Photos app is also a popular download among users of the DiskStation systems.

Dutch cybersecurity firm Midnight Blue discovered the vulnerability during the annual Pwn2Own hacking contest organised by the Zero Day Initiative, and estimates that millions of Synology users may be at risk from this RCE flaw, which is located in a part of the Photos and BeePhotos apps that does not require authentication.

With this level of access, attackers could steal sensitive data, install ransomware to block user access, or even install backdoors for long-term exploitation. Midnight Blue’s researchers found that the vulnerability could be exploited whether a Synology NAS device is directly connected to the internet or accessed remotely through the company's QuickConnect service, which many users rely on for convenient remote access.

In their analysis, the Midnight Blue team scanned for internet-connected NAS devices and identified hundreds of thousands of vulnerable Synology systems, estimating that millions of devices in total could be affected. Their scan revealed potentially vulnerable systems in use by law enforcement agencies, law firms, and contractors in critical sectors, such as power grid maintenance, pharmaceuticals, and freight operations.

Although Synology has released a security patch to address the vulnerability, which it classified as "critical", users must manually download and install the update, as the company’s NAS devices do not update automatically. Carlo Meijer, one of the researchers at Midnight Blue, stated:

It’s not trivial to find [the vulnerability] on your own, independently. But it is pretty easy to figure out and connect the dots when the patch is actually released, and you reverse-engineer the patch.

The implications of this vulnerability are particularly concerning, as ransomware attacks targeting Synology devices have already been reported. Earlier this year, users of the DiskStation system were specifically targeted in a ransomware incident, highlighting the real-world risks associated with this flaw. Synology users are strongly advised to install the latest security updates as soon as possible and to consider additional security measures, such as limiting remote access through QuickConnect and setting up authentication gateways.

The contest also saw flaws exploited in other NAS systems. As a result, QNAP released an advisory regarding CVE-2024-50388, a critical OS command injection vulnerability in its HBS 3 Hybrid Backup Sync solution, which can be exploited for remote command execution. Similarly, TrueNAS has published an advisory and begun working on patches for vulnerabilities demonstrated during the contest, cautioning users that these flaws were shown against default, non-hardened installations.

This critical flaw underscores the importance of frequent security updates for NAS devices to reduce the risk of data breaches, ransomware, and unauthorised access to valuable data stored on internet-connected systems.

Via: Wired (paywall)
