Synology warns NAS users over multiple critical vulnerabilities

Data Breach
(Image credit: Shutterstock)

Network-attached storage (NAS) specialist Synology has warned its customers that some of its products are vulnerable to a number of critical vulnerabilities. 

"Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM)," said the firm in an advisory.

The issues were discovered in Netatalk, an open source implementation of the Apple Filing Protocol, transforming Unix-like operating systems into file servers.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

No patch yet

The Netatalk team fixed the issues roughly a month ago, with version 3.1.1., BleepingComputer reported. However, Synology says that releases for some of its affected endpoints are yet to roll out.

In total, four flaws seem to be plaguing Synology’s NAS appliances, all of which received a severity score of 9.8/10.

Synology didn’t provide any deadlines by which it expects the patches to be issued, but BleepingComputer says that the company usually delivers on such things within three months of the vulnerability being disclosed.

Furthermore, NAS appliances running DiskStation Manager (DSM) 7.1.or later have already been patched, it was said.

Less than a week ago, QNAP, another NAS vendor, discovered vulnerabilities in its products. 

Discovered in Apache HTTP Server 2.4.52 and earlier, the bugs could be used to perform low complexity attacks that don’t require victim interaction.

QNAP warned NAS owners to apply known mitigations, advising them to keep the default value "1M" for LimitXMLRequestBody, and disable mod_sed, as these two things effectively plug the holes.

QNAP also said the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.

"CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device,” the company said at the time.

Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.