Synology NAS Zero-Day Vulnerability
By Kalani Anderson on November 8, 2024
Executive Summary
On November 1, 2024, it was publicly disclosed that Synology’s NAS devices contained a critical, easily exploitable vulnerability. The critical zero-click vulnerability, CVE-2024-10443, was first demonstrated at the Pwn2Own Ireland 2024 hacking competition in October, where a number of zero-day vulnerabilities were discovered. Within 48 hours of the vulnerability being disclosed to Synology, the company released a security patch addressing it. Users are strongly urged to update their devices to the latest version in order to mitigate further risk.
Background
Pwn2Own is a hacking competition that focuses primarily on the discovery and exploitation of zero-day vulnerabilities across various types of devices. Pwn2Own Ireland was hosted in October, and the vulnerability was first demonstrated there by Rick de Jager. Synology is a Taiwanese network-attached storage (NAS) appliance manufacturer that provides storage services globally [1]. NAS devices are designed to serve network data only to designated users on a network. This allows users to work collaboratively with quick and constant access to shared data, with the device essentially functioning as a private in-house cloud storage system for an organization. As a result, NAS devices have become widely popular among organizations, as they are both cost effective and easily scalable [2].
Synology’s NAS devices can run many applications, including BeePhotos and Synology Photos. The vulnerability was rated critical because of how easily it can be exploited, making it imperative to address it in order to prevent further exploitation [3].
Exploitation
While the full details of how the vulnerability was exploited have not been disclosed, it is understood that exploitation required no active engagement from the victim. The name “zero-click” refers to the fact that the vulnerability could be exploited without users clicking on any files, applications, or malicious links. Instead, threat actors were able to exploit the vulnerability over the internet without any authentication. They only needed to first discover devices connected to Synology’s QuickConnect service, which allows applications to connect to Synology NAS devices without the owner having to manually establish port forwarding rules [4]. Once exploited, the vulnerability gave threat actors root access to the affected system, allowing them to execute commands remotely and to further enumerate the impacted device [5].
Specifically, the affected application, Synology Photos, comes preinstalled on Synology’s BeeStation line of devices. Synology Photos can also be installed by users of Synology’s DiskStation storage systems [5].
Significance and Impact
The discovery of CVE-2024-10443 is significant because NAS devices can hold sensitive information such as PII and private health information. Synology has publicly stated that its products are used in more than 13 million installations worldwide, making the potential impact of this vulnerability extremely widespread [6]. Many of the affected organizations were determined to be law firms in the USA, Canada, and France, as well as energy businesses in Australia and South Korea. Maintenance contractors in South Korea, Italy, and France were also found to be affected [5]. Moreover, because exploitation requires no action by the victim, the potential for unauthorized access to and disclosure of sensitive data stored on NAS devices makes the vulnerability extremely important to address.
Mitigation
To mitigate further risk and exploitation, both Synology and Arctic Wolf strongly encourage users of Synology NAS devices to update their devices to the most current versions [7]. Synology also recommends that organizations reassess the applications currently in use on their NAS devices. While disabling applications such as Synology Photos is not guaranteed to prevent further exploitation, it is best practice to disable unnecessary applications that the organization is not actively using [7].
Users can follow these steps to disable QuickConnect access for specific applications [7]:
- Navigate to the Control Panel > External Access > QuickConnect > Advanced > Select Advanced Settings
- Under Permission, select the applications/services to be disabled for QuickConnect
- Select Apply
Midnight Blue also recommends disabling port forwarding to NAS devices and blocking ports 5000 and 5001 to help prevent further exploitation [3].
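The port-blocking recommendation is only effective if it is verified from outside the network. The following script is an added illustration written for this article; it is not code from Synology, Arctic Wolf or Midnight Blue. Run it from an external vantage point (a VPS, or a phone hotspot) against the public address of your own NAS to confirm that the DSM default HTTP/HTTPS ports 5000 and 5001 are no longer reachable. The hostname in the usage line is a placeholder; the timeout is an assumed default.

```python
"""Verify that a NAS's DSM web ports are not reachable from outside the network.

Added example for this article (not vendor code). It only attempts a plain TCP
connection to each port and reports whether the handshake completed; it sends no
application data and does not test for the vulnerability itself.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Ports named in the Midnight Blue guidance: DSM's default HTTP (5000) and HTTPS (5001).
DSM_DEFAULT_PORTS: Tuple[int, ...] = (5000, 5001)


@dataclass(frozen=True)
class PortResult:
    host: str
    port: int
    reachable: bool   # True only if a TCP handshake completed
    detail: str       # human-readable reason for the verdict


def check_port(host: str, port: int, timeout: float = 3.0) -> PortResult:
    """Attempt one TCP connection and classify the outcome.

    A timeout usually means a firewall is silently dropping the packets (the
    desired state after blocking); 'connection refused' means the port is closed
    but the host itself is reachable; a completed connect means the port is exposed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortResult(host, port, True, "tcp connect succeeded")
    except socket.timeout:
        return PortResult(host, port, False, "timed out (filtered or dropped)")
    except ConnectionRefusedError:
        return PortResult(host, port, False, "connection refused (closed)")
    except OSError as exc:  # DNS failure, unreachable network, etc.
        return PortResult(host, port, False, f"error: {exc.__class__.__name__}")


def check_exposure(host: str, ports: Iterable[int] = DSM_DEFAULT_PORTS,
                   timeout: float = 3.0) -> List[PortResult]:
    """Check every port in `ports` on `host` and return one result per port."""
    return [check_port(host, p, timeout) for p in ports]


def exposed_ports(results: Iterable[PortResult]) -> List[int]:
    """Return the ports that accepted a connection (i.e. still exposed)."""
    return [r.port for r in results if r.reachable]


def report(results: List[PortResult]) -> str:
    """Render results as a short text report with a final verdict line."""
    lines = []
    for r in results:
        status = "EXPOSED" if r.reachable else "blocked"
        lines.append(f"{r.host}:{r.port} {status} ({r.detail})")
    exposed = exposed_ports(results)
    if exposed:
        lines.append(f"ACTION NEEDED: ports {exposed} are reachable from this vantage point")
    else:
        lines.append("OK: none of the checked ports accepted a connection")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder hostname; pass your NAS's public DNS name or IP on the command line.
    targets = sys.argv[1:] or ["nas.example.invalid"]
    for target in targets:
        print(report(check_exposure(target)))
```

Two caveats follow from the article itself. A blocked 5000/5001 does not close the QuickConnect path, because QuickConnect reaches the device without port forwarding; the per-application QuickConnect steps above and the software update remain necessary. Conversely, an exposed port shows only that the DSM web interface is reachable, not whether the installed Synology Photos version is vulnerable.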
Conclusion
Synology’s zero-click RCE vulnerability highlights the importance of security testing and auditing to ensure that critical vulnerabilities are found and addressed promptly. Hacking competitions such as Pwn2Own, whose purpose is to discover vulnerabilities and inform organizations of them, are extremely important to the safety and security of those organizations’ services and customers. While learning about zero-day vulnerabilities from outside sources is helpful, CVE-2024-10443 showed the need for organizations to maintain network and system security through strong auditing and penetration testing practices of their own. For users, CVE-2024-10443 further demonstrates the need to stay current on released application patches and updates, and to manually configure their devices in order to further safeguard their own systems and networks.
References
[1] Lakshmanan, R. (2024, November 6). Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices. https://thehackernews.com/2024/11/synology-urges-patch-for-critical-zero.html
[2] Seagate. (n.d.). What is NAS (Network Attached Storage) and Why is NAS Important for Small Businesses? https://www.seagate.com/blog/what-is-nas-master-ti/
[3] Midnight Blue. (2024, November). RISK:STATION. https://www.midnightblue.nl/research/riskstation
[4] Synology. (n.d.). QuickConnect. https://kb.synology.com/en-ph/DSM/help/DSM/AdminCenter/connection_quickconnect?version=7
[5] Zetter, K. (2024, November 1). Zero-Click Flaw Exposes Potentially Millions of Popular Storage Devices to Attack. https://www.wired.com/story/synology-zero-click-vulnerability/
[6] Synology. (n.d.). About Us. https://www.synology.com/en-us/company
[7] Ramos, A. (2024, November 4). CVE-2024-10443: Critical Zero-Click RCE Vulnerability Discovered in Synology NAS Devices. https://arcticwolf.com/resources/blog/cve-2024-10443/