Jump to content
  • Synology hurries out patches for zero-days exploited at Pwn2Own

    Karlston

    • 228 views
    • 3 minutes
     Share


    • 228 views
    • 3 minutes

    Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week's Pwn2Own hacking competition within days.

     

    Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company's Synology Photos and BeePhotos for BeeStation software.

     

    As Synology explains in security advisories published two days after the flaws were demoed at Pwn2Own Ireland 2024 to hijack a Synology BeeStation BST150-4T device, the security flaws enable remote attackers to gain remote code execution as root on vulnerable NAS appliances exposed online.

     

    "The vulnerability was initially discovered, within just a few hours, as a replacement for another Pwn2Own submission. The issue was disclosed to Synology immediately after demonstration, and within 48 hours a patch was made available which resolves the vulnerability," Midnight Blue said.

     

    "However, since the vulnerability has a high potential for criminal abuse, and millions of devices are affected, a media reach-out was made to inform system owners of the issue and to stress the point that immediate mitigative actions are required."

     

    Synology says it addressed the vulnerabilities in the following software releases; however, they're not automatically applied on vulnerable systems, and customers are advised to update as soon as possible to block potential incoming attacks:

     

    • BeePhotos for BeeStation OS 1.1: Upgrade to 1.1.0-10053 or above
    • BeePhotos for BeeStation OS 1.0: Upgrade to 1.0.2-10026 or above
    • Synology Photos 1.7 for DSM 7.2: Upgrade to 1.7.0-0795 or above.
    • Synology Photos 1.6 for DSM 7.2: Upgrade to 1.6.2-0720 or above.

     

    QNAP, another Taiwanese NAS device manufacturer, patched two more critical zero-days exploited during the hacking contest within a week (in the company's SMB Service and Hybrid Backup Sync disaster recovery and data backup solution).

     

    While Synology and QNAP hurried out security updates, vendors are given 90 days until Trend Micro's Zero Day Initiative releases details on bugs disclosed during the contest and usually take their time to release patches.

     

    This is likely because NAS devices are commonly used to store sensitive data by both home and enterprise customers, and they're also often exposed to Internet access for remote access. However, this makes them vulnerable targets for cybercriminals who exploit weak passwords or vulnerabilities to breach the systems, steal data, encrypt files, and extort owners by demanding ransoms to provide access to the lost files.

     

    As Midnight Blue security researchers who demoed the Synology zero-days during Pwn2Own Ireland 2024 told cybersecurity journalist Kim Zetter (who first reported on the security updates), they found Internet-exposed Synology NAS devices on the networks of police departments in the U.S. and Europe, as well as critical infrastructure contractors from South Korea, Italy, and Canada.

     

    QNAP and Synology have warned customers for years that devices exposed online are being targeted by ransomware attacks. For instance, eCh0raix ransomware (also known as QNAPCrypt), which first surfaced in June 2016, has been targeting such systems regularly, with two large-scale ones reported in June 2019 (against QNAP and Synology devices) and in June 2020 standing out.

     

    In more recent attack waves, threat actors have also used other malware strains (including DeadBolt and Checkmate ransomware) and various security vulnerabilities to encrypt Internet-exposed NAS devices.

     

    Source


    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

    RIP Matrix | Farewell my friend  :sadbye:


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...