Synology warns of multiple critical bugs in NAS and applications

NAS appliances, applications from Synology and the new BeeStation product are all susceptible to newly discovered and dangerous bugs. Quick patching is the message, even if it sometimes requires manual intervention.

Synology has sent out an unusual email warning users about a series of critical bugs. At the Pwn2Own Ireland 2024 event, held in late October, security researchers discovered a collection of vulnerabilities that attackers could exploit on a wide scale.

Malicious code and ransomware

Synology states in the email that it is not aware of any active exploitation of the bugs, but nevertheless advises users to install patches immediately given the severity of the risk.

After all, the bugs are not minor. They allow attackers to remotely access files or execute their own code, taking over a NAS or hijacking it with ransomware. The ability to execute malicious code is the common thread through all of the vulnerabilities.

DSM 7

The most critical bugs affect the operating systems of both Synology’s NAS appliances and consumer-oriented BeeStation products. All recent versions of the operating system are vulnerable. They include:

  • DSM 7.2.2
  • DSM 7.2.1
  • DSM 7.1
  • DSMUC 3.1
  • BeeStation OS 1.0
  • BeeStation OS 1.1

Synology publishes the status of the situation for DSM and DSMUC in one advisory, and the status for BeeStation in a separate one.

Also applications

Furthermore, security researchers found vulnerabilities in individual Synology applications, which attackers can also exploit. The following applications should definitely be up to date:

HEVC or bug?

Despite the severity of the situation, Synology does not yet have patches for every version of the affected software. At the time of writing, for example, there is a patch for DSM 7.2.2: those who upgrade to 7.2.2 – Update 1 are safe. There is no patch yet for DSM 7.2.1, DSM 7.1 or DSMUC 3.1.

You can upgrade those DSM versions to 7.2.2 – Update 1, but as of 7.2.2 Synology drops support for the HEVC codec, and Video Station no longer works. For those who rely on that functionality and don’t have an alternative yet, upgrading to 7.2.2 is not an attractive option.

Manual process

Furthermore, Synology does not automatically make the necessary updates available to all devices. We could secure our test NAS, a DS1522+, with the push of a button, but our DS923+ test device was reported as completely up to date even though it was still running the (vulnerable) DSM 7.1.

In that case, administrators can update the OS manually via the Synology Download Center. That procedure sometimes involves several steps, with upgrades to an intermediate version before the final update to the secure OS is possible.

Synology also appears to prioritize updates for vulnerable apps on the most recent versions of its operating systems. Those who have upgraded to DSM 7.2.2 should still check the Package Center to make sure all applications are up to date.
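Because the device’s own “up to date” indicator cannot be trusted here, an administrator with more than one unit wants to judge each device on the version string it actually reports. The following Python check is an added example, not code from the article or from Synology: it parses DSM/DSMUC/BeeStation OS version strings and classifies them against the release lines and the single fix level (DSM 7.2.2 Update 1) the article names. The status table is frozen at the article’s time of writing, and the inventory rows and build numbers are constructed sample data.

```python
import re
# Status as the article reports it (frozen at the time of writing; re-check the vendor advisory):
# DSM 7.2.2 is fixed from Update 1, the other lines had no fix yet. BeeStation OS 1.0/1.1 are
# listed as affected with no fix level given, so they count as vulnerable here.
AFFECTED_LINES = {
    ("DSM", (7, 2, 2)): 1,          # safe from "Update 1" onward
    ("DSM", (7, 2, 1)): None,       # None = no fix known
    ("DSM", (7, 1)): None,
    ("DSMUC", (3, 1)): None,
    ("BeeStation OS", (1, 0)): None,
    ("BeeStation OS", (1, 1)): None,
}
# Matches strings in the form DSM shows them, e.g. "DSM 7.2.2-72806 Update 1".
VERSION_RE = re.compile(
    r"^(?P<product>DSM|DSMUC|BeeStation OS)\s+(?P<ver>\d+(?:\.\d+)*)"
    r"(?:-(?P<build>\d+))?(?:\s+Update\s+(?P<upd>\d+))?$"
)

def parse_version(text):
    """Return (product, version tuple, update number); update is 0 when absent."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    version = tuple(int(p) for p in m.group("ver").split("."))
    update = int(m.group("upd")) if m.group("upd") else 0
    return m.group("product"), version, update

def classify(text):
    """'patched', 'vulnerable' or 'not listed' for one reported version string."""
    product, version, update = parse_version(text)
    for (line_product, line), fix_update in AFFECTED_LINES.items():
        # A release line such as DSM 7.1 covers every 7.1.x build.
        if line_product == product and version[:len(line)] == line:
            if fix_update is not None and update >= fix_update:
                return "patched"
            return "vulnerable"
    return "not listed"   # outside the article's list: verify against the advisory

def audit(inventory):
    """Map host -> status for 'host,version' lines, ignoring any 'up to date' badge."""
    return {host.strip(): classify(ver) for host, ver in
            (row.split(",", 1) for row in inventory.strip().splitlines())}

# Constructed sample inventory; build numbers are illustrative, not vendor-verified.
SAMPLE_INVENTORY = """
ds1522-office,DSM 7.2.2-72806 Update 1
ds923-lab,DSM 7.1.1-42962 Update 6
uc3200-rack,DSMUC 3.1.4-23079
bee-home,BeeStation OS 1.1-65374
"""
```

Anything reported as "vulnerable" needs the manual Download Center route described above; "not listed" only means the version is outside the article’s table, not that it is safe.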

Favored target

NAS appliances are favored targets for attackers. Ransomware attacks on these small servers can bring SMEs to their knees. Even consumers who, for example, keep their entire photo library on a NAS are easily persuaded to pay a ransom. Now that the bugs are publicly known, there is little doubt that exploitation in the wild is only a matter of time. Do you manage a Synology NAS? If so, get started right away.