Security updates: Malicious code attacks on Synology NAS possible

Two critical security vulnerabilities in Synology NAS devices discovered during the Pwn2Own hacker competition have been closed.

NAS on a desktop (Image: Synology)

Two software vulnerabilities allow attackers to compromise Synology network-attached storage (NAS) devices, including the BeeStation series. Security updates are now available.

In two advisories for Synology Photos and BeePhotos, Synology classifies the vulnerabilities as "critical", but does not list any CVE numbers. According to the advisories, security researchers discovered and successfully exploited the vulnerabilities during the Pwn2Own Ireland hacker competition.

In both cases, malicious code can be introduced onto systems and compromise them. In one case, remote attackers can reportedly bypass authentication. It is not yet clear how the attacks work in detail. Synology currently gives no indication that the vulnerabilities are being exploited in the wild, and there is currently no information on how NAS owners can detect devices that have already been compromised.

To secure NAS devices against the attacks described, admins must install the following versions:

  • Synology Photos 1.7.0-0795 for DSM 7.2
  • Synology Photos 1.6.2-0720 for DSM 7.2
  • BeePhotos 1.1.0-10054 for BeeStation OS 1.1
  • BeePhotos 1.0.2-10026 for BeeStation OS 1.0
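Because the fixed version depends on which release line of the app a device runs (two for Synology Photos, two for BeePhotos), a straight string comparison is error-prone across a fleet. The following is an added example, not Synology's own tooling: it parses the `major.minor.patch-build` version format used in the list above, picks the right release line, and flags anything below the fixed build. It assumes the admin supplies each device's installed version string (for instance as shown in Package Center); the inventory below is constructed.

```python
import re

# Minimum fixed versions from the Synology advisories, keyed by package and
# by the major.minor release line the installed version belongs to.
FIXED_VERSIONS = {
    "Synology Photos": {"1.7": "1.7.0-0795", "1.6": "1.6.2-0720"},
    "BeePhotos": {"1.1": "1.1.0-10054", "1.0": "1.0.2-10026"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Turn '1.7.0-0795' into a comparable tuple (1, 7, 0, 795)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Synology version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(package, installed):
    """True/False if the installed build is at/below the fix for its release
    line; None if the advisories name no fix for that line (treat as unknown,
    not as safe)."""
    lines = FIXED_VERSIONS.get(package)
    if lines is None:
        raise KeyError(f"no advisory data for package {package!r}")
    inst = parse_version(installed)
    fixed = lines.get(f"{inst[0]}.{inst[1]}")
    if fixed is None:
        return None
    return inst >= parse_version(fixed)


def audit(inventory):
    """inventory: iterable of (host, package, installed_version).
    Returns a list of (host, package, installed_version, status)."""
    findings = []
    for host, package, installed in inventory:
        try:
            result = is_patched(package, installed)
        except (KeyError, ValueError) as exc:
            findings.append((host, package, installed, f"error: {exc}"))
            continue
        status = {True: "patched", False: "VULNERABLE", None: "unknown line"}[result]
        findings.append((host, package, installed, status))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("nas-01", "Synology Photos", "1.7.0-0795"),
    ("nas-02", "Synology Photos", "1.6.1-0700"),
    ("bee-01", "BeePhotos", "1.0.2-10026"),
    ("bee-02", "BeePhotos", "1.2.0-10000"),
]
```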


NAS models from competitor Qnap were also hit at Pwn2Own Ireland. In that case, successful attacks gave attackers root privileges and full control of the systems. These vulnerabilities have also already been closed.

In total, Trend Micro, the organizer of the hacker competition, paid out more than one million US dollars in rewards to the participants. Details of the vulnerabilities remain under wraps so that device manufacturers can respond with security patches to protect systems.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.