Network-attached storage (NAS (opens in new tab)) specialist Synology has warned its customers that some of its products are vulnerable to a number of critical vulnerabilities.
"Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM)," said the firm in an advisory.
The issues were discovered in Netatalk, an open source implementation of the Apple Filing Protocol, transforming Unix-like operating systems into file servers.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
No patch yet
The Netatalk team fixed the issues roughly a month ago, with version 3.1.1., BleepingComputer reported. However, Synology says that releases for some of its affected endpoints are yet to roll out.
In total, four flaws seem to be plaguing Synology’s NAS appliances (opens in new tab), all of which received a severity score of 9.8/10.
Synology didn’t provide any deadlines by which it expects the patches to be issued, but BleepingComputer says that the company usually delivers on such things within three months of the vulnerability being disclosed.
Furthermore, NAS appliances running DiskStation Manager (DSM) 7.1.or later have already been patched, it was said.
> Latest reviews of Network attached storage (NAS) (opens in new tab)
> Asustor NAS devices hit by Deadbolt ransomware attack (opens in new tab)
> QNAP NAS owners are under attack once again (opens in new tab)
Less than a week ago, QNAP, another NAS vendor, discovered vulnerabilities in its products.
Discovered in Apache HTTP Server 2.4.52 and earlier, the bugs could be used to perform low complexity attacks that don’t require victim interaction.
QNAP warned NAS owners to apply known mitigations, advising them to keep the default value "1M" for LimitXMLRequestBody, and disable mod_sed, as these two things effectively plug the holes.
QNAP also said the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
"CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device,” the company said at the time.
Via BleepingComputer (opens in new tab)