Synology warns NAS users over multiple critical vulnerabilities

Four vulnerabilities have been discovered

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Network-attached storage (NAS) specialist Synology has warned its customers that some of its products are vulnerable to a number of critical vulnerabilities.

“Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM),” said the firm in an advisory.

The issues were discovered in Netatalk, an open source implementation of theAppleFiling Protocol, transforming Unix-likeoperating systemsintofile servers.

Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at theend of this surveyto get the bookazine, worth $10.99/£10.99.

No patch yet

The Netatalk team fixed the issues roughly a month ago, with version 3.1.1.,BleepingComputerreported. However, Synology says that releases for some of its affected endpoints are yet to roll out.

In total, four flaws seem to be plaguing Synology’sNAS appliances, all of which received a severity score of 9.8/10.

Synology didn’t provide any deadlines by which it expects thepatchesto be issued, butBleepingComputer says that the company usually delivers on such things within three months of the vulnerability being disclosed.

Furthermore, NAS appliances running DiskStation Manager (DSM) 7.1.or later have already been patched, it was said.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Latest reviews of Network attached storage (NAS)>Asustor NAS devices hit by Deadbolt ransomware attack>QNAP NAS owners are under attack once again

Less than a week ago, QNAP, another NAS vendor, discovered vulnerabilities in its products.

Discovered in Apache HTTP Server 2.4.52 and earlier, the bugs could be used to perform low complexity attacks that don’t require victim interaction.

QNAP warned NAS owners to apply known mitigations, advising them to keep the default value “1M” for LimitXMLRequestBody, and disable mod_sed, as these two things effectively plug the holes.

QNAP also said the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.

“CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device,” the company said at the time.

ViaBleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Should your VPN always be on?

This new malware utilizes a rare programming language to evade traditional detection methods

This new phishing strategy utilizes GitHub comments to distribute malware