The Information Highway

The Information Highway
Font size: +
  Print
2 minutes reading time (333 words)

Zero-click flaw in Synology NAS devices

39 Hits

Threat update

Synology, network-attached storage (NAS) maker, addressed critical security vulnerability, CVE-2024-10443, which impacts their DiskStation and BeePhotos applications. This is an unauthenticated vulnerability that can allow attackers to obtain root-level code execution on Synology NAS devices.

Technical Detail and Additional Info

What is the threat?

CVE-2024-10443 is a zero-click vulnerability which enables attackers to gain access to devices and steal data or plant malware without user interaction. Once exploited, a malicious actor will have full access to the system and can turn the affected device into a botnet to further attack other infrastructures.

Why is it noteworthy?

As this is a zero-click vulnerability in which no user interaction is required, threat actors can easily exploit this vulnerability to gain access to the system, steal personal and corporate files, plant backdoors, or infect the system with ransomware. The SynologyPhotos app is enabled by default on BeeStation storage devices. It is also used in their DiskStation storage systems.

What is the exposure or risk?

The flaw affects the following Synology versions:

  • BeePhotos for Beestation OS 1.0 and 1.1
  • Synology Photos 1.6 and 1.7 for DSM 7.2.

Additionally, because the affected applications come pre-installed with the devices, all Synology users are at risk. NAS devices are considered high-value targets for ransomware operators since they store large amounts of data. In addition, many users connect them directly to the internet. While the systems can be set up with a gateway requiring credentials, the part of the photo app that contains the zero-click vulnerability does not require authentication.

What are the recommendations?

 LBT Technology Group recommends the following actions to secure your NAS devices against this threat:

  • Update all BeeStation or SynologyPhotos devices manually as soon as possible since Synology's NAS devices do not update automatically.
  • Apply malware-scanning software on your devices and check regularly.

References

 For more in-depth information about the recommendations, please visit the following links:


If you have any questions, please contact LBT's Sales Engineer.


0
How do you feel about this post?
Happy (0)
Love (0)
Surprised (0)
Sad (0)
Angry (0)
Tags:
CVE -2024-10443 security vulnerability network-attached storage block ​ Synology move
Vulnerabilities found in Microsoft Azure AI
Google's mysterious 'search.app' links leave Andro...

About the author

LBT Technology Group, LLC.

LBT Technology Group, LLC.

As we navigate our ever-evolving cyber society, LBT Technology Group believes providing comprehensive IT services to others is essential. As a Managed IT Services Provider (MSP), we are positioned to eliminate your pain points by optimizing your technology, mitigating your cyber security risk footprint, and improving your cyber resilence. The focus we place on reducing the presistent cyber security risks to the confidentiality, integrity, and availability of your information systems and our proficiency in restoring IT services in the event of a cyber attack or technology outage separates us from our competitors--WE SIMPLIFY YOUR IT EQUATION.
Author's recent posts
More posts from author

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Thursday, 14 November 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023