
Tech AI Connect

Researchers Uncover Zero-Click Vulnerability in Synology’s NAS Software

A serious security threat has been identified in Synology’s NAS software, specifically within its pre-installed Photos app. The vulnerability, termed a “zero-click” exploit, was uncovered by Rick de Jager, a security researcher from Midnight Blue, during the Pwn2Own hacking competition held in Ireland. This significant flaw affects not only Synology’s Photos application but also the BeePhotos software designated for BeeStation systems.

According to Wired, the vulnerability was found within a few hours, as a substitute for another proposed entry at the contest. After the demonstration, Midnight Blue promptly informed Synology, which released a patch within 48 hours. The rapid fix does not, however, remove the concern that criminals could exploit the flaw, since millions of Synology devices are potentially at risk; this prompted additional media outreach to alert system owners to the urgency of applying the mitigation.

A “zero-click” vulnerability allows an attacker to exploit a device without any authentication. In this case, a malicious actor could attack a Synology NAS device directly from the internet, with no user interaction required and no security gateway to bypass first. Once the device is breached, the attacker could gain root access to the system and install and execute code at will.

Synology was informed of the vulnerability shortly after the Pwn2Own contest results were published. In light of this alarming discovery, the company moved quickly to provide a fix. However, users should note that Synology NAS devices do not have automatic update functionalities, leading experts to strongly recommend that owners immediately update their systems. The available fixes include updates for BeePhotos for BeeStation OS 1.1 (to 1.1.0-10053 or above), BeePhotos for BeeStation OS 1.0 (to 1.0.2-10026 or above), as well as updates for Synology Photos 1.7 on DSM 7.2 (to 1.7.0-0795 or above) and Synology Photos 1.6 on DSM 7.2 (to 1.6.2-0720 or above).
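As an added check that is not part of the article, the script below compares an installed Synology Photos or BeePhotos build against the fixed versions listed above; it picks the threshold from the installed release line (1.6 vs 1.7, 1.0 vs 1.1) and compares build numbers numerically, so a build such as 10053 is not mistaken for being lower than 9999. The product and platform labels and the inventory version strings are constructed for illustration.

```python
# Added example (not from the article or from Synology): check installed
# Photos / BeePhotos builds against the patched versions the article lists.
import re
from typing import List, Optional, Tuple

# Fixed versions from the article, keyed by product, platform and release line
# (major.minor). Keying by release line matters: a Photos 1.7 build must be
# compared with the 1.7 threshold, not with the lower 1.6 one.
PATCHED = {
    ("Synology Photos", "DSM 7.2", (1, 7)): "1.7.0-0795",
    ("Synology Photos", "DSM 7.2", (1, 6)): "1.6.2-0720",
    ("BeePhotos", "BeeStation OS 1.1", (1, 1)): "1.1.0-10053",
    ("BeePhotos", "BeeStation OS 1.0", (1, 0)): "1.0.2-10026",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch-build' into a tuple of ints for comparison.

    Integer conversion drops the leading zero in builds like '0795' and keeps
    '10053' above '9999', which a plain string comparison would get wrong.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())  # type: ignore[return-value]


def is_patched(product: str, platform: str, installed: str) -> Optional[bool]:
    """True if installed >= fixed version for its release line, None if unknown."""
    v = parse_version(installed)
    fixed = PATCHED.get((product, platform, v[:2]))
    if fixed is None:
        return None  # release line not covered by the advisory text
    return v >= parse_version(fixed)


def needs_update(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the inventory entries that are below their patched version."""
    return [e for e in inventory if is_patched(*e) is False]


if __name__ == "__main__":
    # Constructed inventory: one patched host, one still on a vulnerable build.
    sample = [("Synology Photos", "DSM 7.2", "1.7.0-0795"),
              ("BeePhotos", "BeeStation OS 1.1", "1.1.0-10052")]
    for entry in needs_update(sample):
        print("update required:", entry)
```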

Network-attached storage devices like those manufactured by Synology are often prime targets for cybercriminals due to the large volume of personal data they typically store. This is not the first time vulnerabilities have put users at risk; in July 2021, Western Digital’s My Book Live NAS products were exposed to a severe attack stemming from two significant vulnerabilities that allowed attackers to remotely access and wipe hard drives. Though Western Digital released patches to address the critical issues, many affected devices were not capable of updating, and issues with the new software led to further complications for users, particularly in the photography space.

As this recent development underscores, the safety and security of digital storage solutions hinge heavily on timely updates and user vigilance. Synology NAS users must act promptly to safeguard their systems and protect their valuable data from potential threats.
