Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week’s Pwn2Own hacking competition within days.
Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company’s Synology Photos and BeePhotos for BeeStation software.
As Synology explains in security advisories published two days after the flaws were demoed at Pwn2Own Ireland 2024 to hijack a Synology BeeStation BST150-4T device, the security flaws enable remote attackers to gain remote code execution as root on vulnerable NAS appliances exposed online.
“The vulnerability was initially discovered, within just a few hours, as a replacement for another Pwn2Own submission. The issue was disclosed to Synology immediately after demonstration, and within 48 hours a patch was made available which resolves the vulnerability,” Midnight Blue said.
“However, since the vulnerability has a high potential for criminal abuse, and millions of devices are affected, a media reach-out was made to inform system owners of the issue and to stress the point that immediate mitigative actions are required.”
Synology says it addressed the vulnerabilities in the following software releases; however, they’re not automatically applied on vulnerable systems, and customers are advised to update as soon as possible to block potential incoming attacks:
- BeePhotos for BeeStation OS 1.1: Upgrade to 1.1.0-10053 or above
- BeePhotos for BeeStation OS 1.0: Upgrade to 1.0.2-10026 or above
- Synology Photos 1.7 for DSM 7.2: Upgrade to 1.7.0-0795 or above.
- Synology Photos 1.6 for DSM 7.2: Upgrade to 1.6.2-0720 or above.
QNAP, another Taiwanese NAS device manufacturer, patched two more critical zero-days exploited during the hacking contest within a week (in the company’s SMB Service and Hybrid Backup Sync disaster recovery and data backup solution).
While Synology and QNAP hurried out security updates, vendors are given 90 days until Trend Micro’s Zero Day Initiative releases details on bugs disclosed during the contest and usually take their time to release patches.
This is likely because NAS devices are commonly used to store sensitive data by both home and enterprise customers, and they’re also often exposed to Internet access for remote access. However, this makes them vulnerable targets for cybercriminals who exploit weak passwords or vulnerabilities to breach the systems, steal data, encrypt files, and extort owners by demanding ransoms to provide access to the lost files.
As Midnight Blue security researchers who demoed the Synology zero-days during Pwn2Own Ireland 2024 told cybersecurity journalist Kim Zetter (who first reported on the security updates), they found Internet-exposed Synology NAS devices on the networks of police departments in the U.S. and Europe, as well as critical infrastructure contractors from South Korea, Italy, and Canada.
QNAP and Synology have warned customers for years that devices exposed online are being targeted by ransomware attacks. For instance, eCh0raix ransomware (also known as QNAPCrypt), which first surfaced in June 2016, has been targeting such systems regularly, with two large-scale ones reported in June 2019 (against QNAP and Synology devices) and in June 2020 standing out.
In more recent attack waves, threat actors have also used other malware strains (including DeadBolt and Checkmate ransomware) and various security vulnerabilities to encrypt Internet-exposed NAS devices.