Bugs and security holes in software aren’t exactly unusual, but there are times when they become so severe that they warrant special attention, immediate fixes, and fast rollouts. That is apparently the case here with Synology’s NAS boxes, which were recently discovered to have a critical security flaw related to their photo and blogging features that could practically hand hackers a key to the data contained in those boxes. Synology patched those holes last week, and the strongly recommended updates are rolling out to users now.
Most of the recent security patches involve Photo Station, a part of the Linux-based DiskStation Manager (DSM) operating system that lets users create photo albums and blogs. These can later be accessed remotely, like a regular website or cloud service, via the Synology NAS’s public IP address.
The problem was that there was very little standing between the NAS and hackers. In particular, Photo Station doesn’t properly check the input it receives from outside the network to allow only safe and valid commands. And even when Photo Station isn’t accessible remotely, another CSRF (cross-site request forgery) vulnerability could let a hacker trick anyone who happens to be on the same network as the Synology NAS drives into clicking links that, in turn, would execute malicious code on another website. In both cases, a hacker could get access to all data stored on the NAS, not just the photos.
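The two weaknesses described above, missing input validation before commands are run and missing CSRF protection on state-changing requests, are exactly the checks a web-facing NAS application needs on every request. The following is an added example, not Synology’s code or anything from Photo Station, of how a small request handler can enforce both: an allowlist that maps a request parameter to a fixed command line (so user text never becomes part of a shell string), a conservative character set for album names, and a per-session CSRF token compared in constant time. The action names, file paths and request structure are constructed for the example.

```python
"""Added example (not Synology's or Photo Station's code): input allowlisting
plus a CSRF token check for a hypothetical NAS photo-management handler."""
import hmac
import re
import secrets

# Constructed allowlist of actions this hypothetical handler may run.
# Each maps to a fixed argv; the user's text never becomes part of a shell
# string, so there is nothing for a shell to interpret.
ALLOWED_ACTIONS = {
    "list_albums": ["/usr/bin/ls", "/volume1/photo"],  # hypothetical paths
    "disk_usage": ["/usr/bin/du", "-sh"],              # album path appended below
}

# Album names are restricted to a conservative character set so they can be
# appended as a single argv element without any path or shell tricks.
ALBUM_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_command(action, album=None):
    """Return the argv for an allowlisted action, or raise ValueError.

    Anything not in ALLOWED_ACTIONS is rejected outright instead of being
    interpreted; this is the "only safe and valid commands" check the article
    says Photo Station lacked.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action: %r" % action)
    argv = list(ALLOWED_ACTIONS[action])
    if album is not None:
        if not ALBUM_NAME_RE.match(album):
            raise ValueError("invalid album name")
        argv.append("/volume1/photo/" + album)
    return argv


def new_session():
    """Create a session carrying a fresh, unguessable CSRF token."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def csrf_ok(session, request):
    """True if the request carries the session's CSRF token.

    A page on another origin can make the victim's browser send the NAS's
    cookies, but it cannot read the token embedded in the legitimate page,
    so a forged request has nothing valid to put in this field. The
    comparison uses hmac.compare_digest so timing does not leak the token.
    """
    supplied = request.get("form", {}).get("csrf_token")
    expected = session.get("csrf_token")
    if not supplied or not expected:
        return False
    return hmac.compare_digest(supplied, expected)


def handle_request(session, request):
    """Gate a state-changing request on both checks.

    Returns ("ok", argv) when the request may proceed, otherwise
    ("rejected", reason). The argv is returned rather than executed so the
    example runs safely anywhere; a real handler would pass it to
    subprocess.run(argv) with no shell.
    """
    if request.get("method") != "POST":
        return ("rejected", "state-changing requests must be POST")
    if not csrf_ok(session, request):
        return ("rejected", "missing or wrong CSRF token")
    form = request.get("form", {})
    try:
        argv = build_command(form.get("action", ""), form.get("album"))
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("ok", argv)


if __name__ == "__main__":
    sess = new_session()
    # Constructed requests: a legitimate one carrying the session token, and
    # a cross-site one that cannot know the token.
    legit = {"method": "POST", "form": {"csrf_token": sess["csrf_token"],
                                        "action": "disk_usage", "album": "holiday_2015"}}
    forged = {"method": "POST", "form": {"action": "list_albums"}}
    print(handle_request(sess, legit))
    print(handle_request(sess, forged))
```

Because `build_command` only ever returns a fixed argv list with the album name as one separate element, a request that tries to smuggle extra shell syntax into either field is refused before anything runs; the CSRF check refuses requests that the session did not originate, which is the protection the article says both Photo Station and DSM were missing.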
Synology fixed these security flaws in a patch to Photo Station last week, which includes other security fixes to the app as well. Synology also patched DiskStation Manager itself to plug a similar CSRF hole. Owners of Synology’s NAS devices are strongly encouraged to update to Photo Station 6.3-2945 and DSM 5.2-5565 Update 1 as soon as they can.