Zero-click flaw in Synology NAS devices
Threat update
Synology, the network-attached storage (NAS) maker, has addressed a critical security vulnerability, CVE-2024-10443, in its Synology Photos and BeePhotos applications. The flaw is an unauthenticated, zero-click vulnerability: an attacker who can reach the Photos service over the network can obtain root-level code execution on the NAS without credentials and without any action by the device owner.
Technical Detail and Additional Info
What is the threat?
CVE-2024-10443 is a zero-click vulnerability: it requires no user interaction and no credentials, so an attacker who can reach the vulnerable Photos service can take over the device, steal its data, or plant malware. Once exploited, the attacker runs code as root, has full control of the system, and can enrol the device in a botnet to attack other infrastructure.
Why is it noteworthy?
Because no user interaction is required, threat actors can exploit the flaw at scale against any reachable device to steal personal and corporate files, plant backdoors, or deploy ransomware. BeePhotos is enabled by default on BeeStation devices, and Synology Photos is a widely installed package on DiskStation systems running DSM. Devices whose Photos service is reachable from the internet, whether directly through port forwarding or through Synology's QuickConnect relay, are at greatest risk.
What is the exposure or risk?
The flaw affects the following Synology packages; Synology has published fixed versions for each in its security advisory:
- BeePhotos for BeeStation OS 1.0 and 1.1
- Synology Photos 1.6 and 1.7 for DSM 7.2
What are the recommendations?
LBT Technology Group recommends the following actions to secure your NAS devices against this threat:
- Update Synology Photos (on DSM) and BeePhotos (on BeeStation) to the fixed versions in Synology's advisory as soon as possible. Do not assume the update has been applied automatically: check the installed package version in Package Center (or with synopkg from an SSH session) and update manually if it is still below the fixed release.
- Reduce exposure: do not publish the Photos service or the DSM web interface directly to the internet, and disable port forwarding and QuickConnect for the device unless they are needed.
- Run Synology's Security Advisor and an antivirus package on the device, review installed packages, user accounts and scheduled tasks for anything unexpected, and repeat the scans regularly.
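A quick way to carry out the version check in the first recommendation is to run a small script on the DSM device itself over SSH. The following is an added example written for this update, not Synology's own tooling. It assumes DSM's `synopkg version <package>` command (which prints the installed version of a package), the package name `SynologyPhotos`, and Synology's `MAJOR.MINOR.PATCH-BUILD` version format; the minimum fixed version is supplied by the operator from Synology's advisory rather than hard-coded here.

```shell
#!/bin/sh
# Added example for this threat update, not Synology's own tooling.
# Compares the installed Synology Photos package version with the fixed
# version published in Synology's advisory for CVE-2024-10443.
#
# Assumptions: DSM provides `synopkg version <package>`; the Photos package is
# named SynologyPhotos; versions look like MAJOR.MINOR.PATCH-BUILD (the values
# in the comments below illustrate the format only, not the fixed release).
# Usage on the NAS:  MIN_PHOTOS=<fixed-version-from-advisory> sh check_photos.sh
set -e

# fields VERSION -> prints "major minor patch build" with leading zeros removed,
# so that a build such as "0720" is compared as decimal 720 and not read as octal.
# Missing components default to 0.
fields() {
    old_ifs=$IFS
    IFS='.-'
    set -- $1
    IFS=$old_ifs
    for part in "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"; do
        while [ "${part#0}" != "$part" ]; do part=${part#0}; done
        printf '%s ' "${part:-0}"
    done
    printf '\n'
}

# version_ge INSTALLED MINIMUM -> exit status 0 when INSTALLED >= MINIMUM.
# Each component is compared numerically, most significant first, so that
# 1.6.10-0100 correctly ranks above 1.6.2-0720 (a plain string compare would not).
version_ge() {
    set -- $(fields "$1") $(fields "$2")
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        a=${pair% *}
        b=${pair#* }
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# check_package PACKAGE MINIMUM -> reports whether the installed package is at
# or above MINIMUM; exit status 1 means the device still needs the update.
check_package() {
    if ! installed=$(synopkg version "$1" 2>/dev/null) || [ -z "$installed" ]; then
        echo "$1: not installed (nothing to patch for this package)"
        return 0
    fi
    if version_ge "$installed" "$2"; then
        echo "$1 $installed: at or above $2, patched"
        return 0
    fi
    echo "$1 $installed: BELOW $2, update through Package Center now"
    return 1
}

# Only run the live check where synopkg exists (i.e. on the NAS itself) and the
# operator has supplied the fixed version; elsewhere the functions are just defined.
if command -v synopkg >/dev/null 2>&1 && [ -n "$MIN_PHOTOS" ]; then
    check_package SynologyPhotos "$MIN_PHOTOS"
fi
```

The script exits non-zero when the installed package is below the supplied minimum, so it can be dropped into a scheduled task or a fleet check and alert on the exit status rather than on parsed output.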
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.wired.com/story/synology-zero-click-vulnerability/
- https://www.msn.com/en-us/news/technology/security-researchers-found-a-serious-zero-click-bug-in-synologys-photos-app/ar-AA1tl7Fc?ocid=BingNewsVerp
- https://thehackernews.com/2024/11/synology-urges-patch-for-critical-zero.html
If you have any questions, please contact LBT's Sales Engineer.