Millions of Synology NAS devices vulnerable to zero-click attacks (CVE-2024-10443)
Synology has released fixes for an unauthenticated “zero-click” remote code execution flaw (CVE-2024-10443, aka RISK:STATION) affecting its popular DiskStation and BeeStation network attached storage (NAS) devices.
About CVE-2024-10443
CVE-2024-10443 was discovered by Rick de Jager, a security researcher at Midnight Blue, and was exploited at the Pwn2Own Ireland 2024 hacking competition ten days ago.
The specifics of CVE-2024-10443 are under wraps for the moment, but we know that it may allow unauthenticated attackers to achieve root-level code execution on vulnerable devices.
The vulnerability resides in the Synology Photos and BeePhotos apps.
Synology Photos is an all-in-one photo and album management app for Synology DiskStation NAS devices, which are commonly used in home, small office and enterprise environments. It is not installed by default.
BeePhotos is installed by default on Synology BeeStation, a line of “simplified” NAS devices aimed at the consumer market (i.e., home users).
“The issue was disclosed to Synology immediately after demonstration, and within 48 hours a patch was made available which resolves the vulnerability,” Midnight Blue shared.
Patch ASAP!
While they are not aware of the vulnerability being exploited in the wild, Midnight Blue researchers say that CVE-2024-10443 has a high potential for criminal abuse and that patches might be quickly reverse engineered by threat actors, allowing for the creation and deployment of exploits.
“We believe that systems with automatic updates enabled should usually have automatically received the patch. However, we strongly encourage you to manually verify the latest version is indeed installed on the system, and update manually if this would not be the case,” they noted, and advised users to plug the hole by upgrading to:
- Synology Photos 1.7.0-0795 or above (1.7.x branch) and 1.6.2-0720 or above (1.6.x branch), both for DiskStation Manager v7.2
- BeePhotos 1.1.0-10053 or above (for BeeStation OS v1.1) and 1.0.2-10026 or above (for BeeStation OS v1.0)
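As an added example (not part of the original article, and not Synology's or Midnight Blue's tooling), the following Python script encodes the fixed builds listed above and decides whether an installed build is at or above the fix for its branch, comparing version components numerically rather than as strings. It assumes, as a detail of DSM's on-device layout rather than anything stated in the advisory, that a package's installed version can be read from `/var/packages/<Package>/INFO` in a line of the form `version="1.6.2-0720"`; the INFO content embedded in the block is constructed, not taken from a real device.

```python
"""Check whether an installed Synology Photos / BeePhotos build is at or above
the fixed versions published for CVE-2024-10443 (RISK:STATION).

Added example, not Synology's or Midnight Blue's code. Assumption (not from the
advisory): on DSM/BSM the installed version of a package can be read from
/var/packages/<Package>/INFO, which contains a line such as version="1.6.2-0720".
"""
import re
from typing import Optional, Tuple

# Minimum fixed builds from the advisory, keyed by package and release branch
# (major, minor). A build below the fixed one on the same branch is unpatched.
FIXED_VERSIONS = {
    "SynologyPhotos": {(1, 7): (1, 7, 0, 795), (1, 6): (1, 6, 2, 720)},     # DSM 7.2
    "BeePhotos":      {(1, 1): (1, 1, 0, 10053), (1, 0): (1, 0, 2, 10026)}, # BSM 1.1 / 1.0
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.6.2-0720' into (1, 6, 2, 720) so that tuples compare numerically.

    Comparing the raw strings would be wrong: '1.10.0-0001' sorts before
    '1.6.2-0720' lexically, although it is the newer build.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology package version: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def version_from_info(info_text: str) -> str:
    """Extract the version="..." value from a package INFO file (assumed format)."""
    m = re.search(r'^version="([^"]+)"', info_text, re.MULTILINE)
    if not m:
        raise ValueError("no version= line found in INFO")
    return m.group(1)


def assess(package: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for an installed build."""
    v = parse_version(installed)
    fixed: Optional[Tuple[int, int, int, int]] = FIXED_VERSIONS[package].get(v[:2])
    if fixed is None:
        # The advisory lists no fixed build for this release branch, so the
        # script cannot vouch for it; flag it for manual follow-up instead of
        # silently reporting it as safe.
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


def check_info(package: str, info_text: str) -> str:
    """Assess a package directly from the text of its INFO file."""
    return assess(package, version_from_info(info_text))


# Constructed sample INFO content for demonstration; not captured from a device.
SAMPLE_INFO = '''package="SynologyPhotos"
version="1.6.1-0713"
displayname="Synology Photos"
'''

if __name__ == "__main__":
    # On a real DSM box (assumed layout): open("/var/packages/SynologyPhotos/INFO").read()
    print("SynologyPhotos:", check_info("SynologyPhotos", SAMPLE_INFO))
```

The branch lookup matters because the advisory publishes one fixed build per release line: a 1.6.x install must reach 1.6.2-0720, not 1.7.0-0795, and a build from a branch the advisory does not list is reported as "unknown-branch" rather than assumed safe.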
While Synology does not lay out potential mitigations, Midnight Blue says that disabling the SynologyPhotos / BeePhotos component deactivates the vulnerable code and mitigates the issue.
NAS devices that are connected to the internet directly (through port forwarding) or to the Synology Cloud via Synology’s QuickConnect service are open to attack.
“A system owner may then use a dedicated non-direct QuickConnect subdomain to access the NAS through the cloud – the connection is forwarded by Synology to the local device, passing through NAT routers and firewalls without the need for port forwarding,” the researchers explained.
Based on Shodan and Censys searches and a random sampling of recently created QuickConnect domains, they believe that “between one and two million devices are currently simultaneously affected and exposed [to attack].”
And while disabling port forwarding to the NAS, blocking ports 5000 and 5001 and disabling QuickConnect prevent the vulnerability from being exploited over the internet, vulnerable devices could still be exploited from within the local network, they added.
“Owners of [vulnerable] products are strongly recommended to immediately install the available patch (…) to minimize the risk of falling victim to ransomware, information theft, or other malicious activity.”