Synology Admits Vulnerability Affecting Millions of Devices

Synology, a Taiwanese network-attached storage (NAS) appliance maker, has acknowledged a critical security flaw impacting millions of its DiskStation and BeePhotos devices. The vulnerability, tracked as CVE-2024-10443 and dubbed RISK:STATION, was demonstrated at the Pwn2Own Ireland 2024 hacking contest by security researcher Rick de Jager.

RISK:STATION is an unauthenticated zero-click vulnerability that allows attackers to obtain root-level code execution on affected devices without requiring any user interaction. This enables hackers to steal sensitive data and plant additional malware.

The flaw affects several Synology products, including BeePhotos for BeeStation OS 1.0 and 1.1, as well as Synology Photos for DSM 7.2. Users are advised to upgrade their devices to the latest versions or patch levels to address the issue.

QNAP, a rival NAS appliance manufacturer, has also addressed three critical security flaws affecting its QuRouter, SMB Service, and HBS 3 Hybrid Backup Sync products. While there is no evidence that these vulnerabilities have been exploited in the wild, users are urged to apply the patches as soon as possible because NAS devices are high-value targets for ransomware attacks.

Users can check their device versions and patch levels on Synology’s support website to determine if they need to take action. It is essential for users to stay vigilant and keep their NAS devices up to date with the latest security patches to minimize potential risks.

Source: https://thehackernews.com/2024/11/synology-urges-patch-for-critical-zero.html