Synology and QNAP hurry out patches for zero-days exploited at Pwn2Own

Posted on by Robin Edgar

S

Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week’s Pwn2Own hacking competition within days.

Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company’s Synology Photos and BeePhotos for BeeStation software.

As Synology explains in security advisories published two days after the flaws were demoed at Pwn2Own Ireland 2024 to hijack a Synology BeeStation BST150-4T device, the security flaws enable remote attackers to gain remote code execution as root on vulnerable NAS appliances exposed online.

“The vulnerability was initially discovered, within just a few hours, as a replacement for another Pwn2Own submission. The issue was disclosed to Synology immediately after demonstration, and within 48 hours a patch was made available which resolves the vulnerability,” Midnight Blue said.

“However, since the vulnerability has a high potential for criminal abuse, and millions of devices are affected, a media reach-out was made to inform system owners of the issue and to stress the point that immediate mitigative actions are required.”

Synology says it addressed the vulnerabilities in the following software releases; however, they’re not automatically applied on vulnerable systems, and customers are advised to update as soon as possible to block potential incoming attacks:

  • BeePhotos for BeeStation OS 1.1: Upgrade to 1.1.0-10053 or above
  • BeePhotos for BeeStation OS 1.0: Upgrade to 1.0.2-10026 or above
  • Synology Photos 1.7 for DSM 7.2: Upgrade to 1.7.0-0795 or above.
  • Synology Photos 1.6 for DSM 7.2: Upgrade to 1.6.2-0720 or above.

QNAP, another Taiwanese NAS device manufacturer, patched two more critical zero-days exploited during the hacking contest within a week (in the company’s SMB Service and Hybrid Backup Sync disaster recovery and data backup solution).

[…]

Source: Synology hurries out patches for zero-days exploited at Pwn2Own

Usually the POC is given to the company around 30 days before disclosure. That is what makes it ‘responsible disclosure’.

Robi nEdgar sitting in a chair

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com