Critical Zero-Click Vulnerability in Synology NAS Devices Needs Urgent Patching

A newly identified zero-click and zero-day vulnerability, tracked as CVE-2024-10443, poses a significant security threat to millions of Synology’s DiskStation and BeeStation NAS devices.

Overview

A recently discovered high-severity vulnerability, tracked as CVE-2024-10443 and dubbed “RISK:STATION,” poses a significant threat to Synology NAS users worldwide.

The vulnerability, affecting Synology DiskStation and BeeStation models, allows remote code execution without user interaction, heightening the potential for malicious exploitation.

CERT-In has released an advisory urging Synology users to apply critical security patches immediately to secure their devices and prevent unauthorized access.

Affected Systems and Risk Assessment

The flaw specifically impacts Synology Photos and BeePhotos components, which come pre-installed on many Synology NAS products. Vulnerable versions include:

  • BeePhotos for BeeStation OS 1.1 – versions below 1.1.0-10053
  • BeePhotos for BeeStation OS 1.0 – versions below 1.0.2-10026
  • Synology Photos 1.7 for DSM 7.2 – versions below 1.7.0-0795
  • Synology Photos 1.6 for DSM 7.2 – versions below 1.6.2-0720

Given that NAS devices are highly valuable targets in ransomware attacks, the risks associated with this vulnerability are extensive, including data theft, malware installation, and unauthorized system access.

System owners using affected versions are encouraged to upgrade to secure versions immediately.


Impact and Exploitation Risks

The “RISK:STATION” vulnerability represents an “unauthenticated zero-click” attack vector. Attackers exploiting this flaw can gain root-level control without any user interaction.

Synology’s QuickConnect feature, a remote-access service, further increases device exposure, as it allows attackers to reach NAS devices even behind firewalls. According to the researchers who were credited with finding this zero-click bug, this flaw carries a high potential for misuse and could impact an estimated one to two million devices globally.

Device Exposure and Enumeration Concerns

The vulnerability’s severity is amplified by Synology’s QuickConnect feature’s extensive reach. This service provides devices with a unique subdomain that enables remote access, even bypassing firewalls and NAT configurations.

Due to the ease of obtaining these subdomains through Certificate Transparency logs, adversaries can readily enumerate exposed Synology devices. QuickConnect domains often contain identifiable names or locations, raising privacy concerns and potentially making it easier for attackers to prioritize targets.

Mitigations and Recommended Actions

Synology has issued patches that effectively neutralize this vulnerability, covering both the Synology Photos and BeePhotos applications. Users should ensure they apply the following updates:

  • For Synology DiskStation (DSM 7.2):
      ◦ Synology Photos 1.7 – Update to version 1.7.0-0795
      ◦ Synology Photos 1.6 – Update to version 1.6.2-0720
  • For Synology BeeStation:
      ◦ BeePhotos 1.1 – Update to version 1.1.0-10053
      ◦ BeePhotos 1.0 – Update to version 1.0.2-10026
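The version thresholds in the affected-versions list and in the update list above are branch-specific (a 1.6.x install is judged against 1.6.2-0720, a 1.7.x install against 1.7.0-0795), and the build suffix must be compared numerically rather than as text. The following script is an added example, not code from the advisory or from Synology: it parses Synology's `major.minor.patch-build` package version strings, compares each installed version against the fixed version for its branch, and flags an inventory of NAS hosts. The inventory records and hostnames are constructed for illustration; how the version strings are collected (Package Center, an asset-management export) is outside the example.

```python
"""Audit Synology Photos / BeePhotos package versions against the CVE-2024-10443 fixed versions."""

# First fixed version per (package, release branch), as listed in the advisory.
FIXED_VERSIONS = {
    ("Synology Photos", "1.7"): "1.7.0-0795",
    ("Synology Photos", "1.6"): "1.6.2-0720",
    ("BeePhotos", "1.1"): "1.1.0-10053",
    ("BeePhotos", "1.0"): "1.0.2-10026",
}


def parse_version(version):
    """Turn '1.7.0-0795' into the comparable tuple (1, 7, 0, 795).

    The build number is converted to int so that '0795' and '795' compare equal
    and so that '10053' sorts after '9999' (string comparison would get this wrong).
    """
    base, sep, build = version.partition("-")
    parts = tuple(int(p) for p in base.split("."))
    if len(parts) != 3 or not sep or not build.isdigit():
        raise ValueError(f"unexpected Synology version format: {version!r}")
    return parts + (int(build),)


def branch_of(version):
    """Release branch used to pick the right threshold: '1.6.2-0720' -> '1.6'."""
    major, minor, *_ = version.split(".")
    return f"{major}.{minor}"


def assess(package, installed):
    """Classify one installed package as 'patched', 'vulnerable' or 'unlisted'.

    'unlisted' means the advisory gives no threshold for that package/branch
    combination, so the script refuses to guess and leaves it for manual review.
    """
    fixed = FIXED_VERSIONS.get((package, branch_of(installed)))
    if fixed is None:
        return "unlisted"
    return "patched" if parse_version(installed) >= parse_version(fixed) else "vulnerable"


def audit(inventory):
    """Return (host, package, installed, status) rows, vulnerable hosts first."""
    rows = [(h, p, v, assess(p, v)) for h, p, v in inventory]
    order = {"vulnerable": 0, "unlisted": 1, "patched": 2}
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("nas-finance-01", "Synology Photos", "1.7.0-0794"),   # one build short of the fix
    ("nas-finance-02", "Synology Photos", "1.7.0-0795"),   # exactly the fixed build
    ("nas-archive-01", "Synology Photos", "1.6.1-0999"),   # older branch, below 1.6.2-0720
    ("bee-home-07", "BeePhotos", "1.1.0-10053"),           # fixed
    ("bee-home-08", "BeePhotos", "1.0.2-10025"),           # below 1.0.2-10026
    ("nas-lab-01", "Synology Photos", "2.0.0-0001"),       # no threshold on the page: unlisted
]

if __name__ == "__main__":
    for host, package, installed, status in audit(SAMPLE_INVENTORY):
        print(f"{status:<10} {host:<16} {package:<16} {installed}")
```

Any host reported as `vulnerable` should be updated first; `unlisted` rows are deliberately not marked safe, because a branch the advisory does not mention has no threshold to compare against and needs a human decision.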

Alternatively, users can mitigate exposure by disabling QuickConnect, blocking ports 5000 and 5001, and disabling the Synology Photos or BeePhotos components if not actively in use.

Although these actions prevent internet-based exploitation, they do not secure devices within local networks, so a firmware update remains the most effective solution.

Conclusion

The CVE-2024-10443 vulnerability in Synology NAS devices showcases the need for proactive patching, particularly for high-value, internet-exposed assets. Synology users are urged to follow the recommended upgrade steps or apply alternative mitigation measures to secure their devices from exploitation. By addressing these vulnerabilities promptly, organizations can reduce the likelihood of unauthorized access, ransomware attacks, and data breaches on their network-attached storage devices.

Source:

https://www.cert-in.org.in

https://www.synology.com/en-global/security/advisory/Synology_SA_24_18

https://www.synology.com/en-global/security/advisory/Synology_SA_24_19

https://www.midnightblue.nl/research/riskstation

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue.

No Liability for Errors or Omissions

Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.
