Security researcher Rick de Jager (@rdjgr) at Midnight Blue has discovered a zero-day vulnerability in the Synology® DiskStation and BeeStation product line, dubbed RISK:STATION and registered as CVE-2024-10443. The vulnerability was demonstrated at Pwn2Own Ireland 2024, and resides in the SynologyPhotos component, which is enabled on most devices.
Owners of these products are strongly recommended to immediately install the available patch, as outlined on this page, in order to minimize the risk of falling victim to ransomware, information theft, or other malicious activity. Read the mitigations section and FAQ below to ensure the safety of your device.
Midnight Blue achieved a 3rd place at the Pwn2Own Ireland 2024 hacking competition, demonstrating five zero-day vulnerabilities in routers, printers, security cameras, and Network Attached Storage (NAS) devices. One of these vulnerabilities is RISK:STATION, an unauthenticated zero-click vulnerability allowing attackers to obtain root-level code execution on the popular Synology DiskStation and BeeStation NAS devices, affecting millions of devices.
The vulnerability was discovered within just a few hours, as a replacement for another Pwn2Own submission. The issue was disclosed to Synology immediately after the demonstration, and within 48 hours a patch was made available which resolves the vulnerability. Official guidance from Synology can be found on their advisories page. However, since the vulnerability has a high potential for criminal abuse and millions of devices are affected, a media reach-out was made to inform system owners of the issue and to stress that immediate mitigating action is required.
For this vulnerability, CVE-2024-10443 was issued. ZDI tracks it under reference ZDI-CAN-25623, and Synology has published the advisories summarized below.
Synology BeeStation (severity: Critical): A vulnerability in BeePhotos allows remote attackers to execute arbitrary code. Affected versions: 1.1.x family, all below 1.1.0-10053; 1.0.x family, all below 1.0.2-10026.
Synology DiskStation (severity: Critical): A vulnerability in Synology Photos allows remote attackers to execute arbitrary code. Affected versions: 1.7.x family, all below 1.7.0-0795; 1.6.x family, all below 1.6.2-0720.
Technical details are currently under embargo until sufficient time has passed to allow for patching in order to minimize chances of widespread abuse. Midnight Blue is currently unaware of the firmware version in which the vulnerability was introduced and as such assumes all versions prior to the patch are vulnerable. This information is subject to change should further details become available, but it is recommended to immediately apply the patch regardless of one's current firmware version. Alternative mitigation strategies are provided below.
The impact of a vulnerability is partially determined by the number of exposed devices. In the case of RISK:STATION, many NAS owners configure their routers to forward ports so that the NAS can be reached from the internet. For convenient access, Synology provides a direct QuickConnect subdomain for each such device, so these devices are trivially found and reached by attackers. Services like Shodan and Censys report hundreds of thousands of Synology NAS devices exposed this way.
However, even systems that are not directly exposed are at risk. Synology offers a cloud-based QuickConnect feature, which allows the NAS to connect to the Synology Cloud. A system owner may then use a dedicated non-direct QuickConnect subdomain to access the NAS through the cloud - the connection is forwarded by Synology to the local device, passing through NAT routers and firewalls without the need for port forwarding. This also exposes non-port-forwarded devices to attackers.
Synology requests a Let's Encrypt certificate for every device that uses the QuickConnect feature. All certificates issued by Let's Encrypt are recorded in public Certificate Transparency logs, and querying those logs is a widely known method of enumerating subdomains [1] [2] [3]. By querying a public Certificate Transparency search database (such as crt.sh), Midnight Blue was able to retrieve millions of QuickConnect subdomains.
Furthermore, the subdomain names are usually chosen by the system owner at setup time, and as such are very telling about the kind of organisation to which the device belongs. A cursory investigation by Midnight Blue found police departments, law firms, ship operators, and industrial subcontractors among exposed Synology NAS operators. Attackers could potentially use this information to prioritize targets.
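As an added illustration of the two points above, and not Midnight Blue's tooling or code from the original advisory, the following Python parses Certificate Transparency search results in the shape crt.sh's JSON endpoint returns, deduplicates renewals of the same certificate, drops wildcards and unrelated apexes, and tags each QuickConnect ID by sector keyword so that a defender can see how owner-chosen names lend themselves to prioritisation. The `quickconnect.to` apex, the `.direct.` label for port-forwarded devices, the crt.sh query URL and the keyword table are assumptions made for this example; the records are constructed, not real log data.

```python
import json
import re

# Added example (not Midnight Blue's tooling): parse Certificate Transparency
# search results in the shape crt.sh's JSON endpoint returns and pull out
# QuickConnect identifiers. The apex domain and the ".direct." label are
# assumed from the advisory's description of direct and relayed subdomains.
QC_APEX = "quickconnect.to"
QC_HOST_RE = re.compile(
    r"^(?P<qcid>[a-z0-9][a-z0-9-]*)(?P<direct>\.direct)?\." + re.escape(QC_APEX) + r"$"
)

# Constructed sample records. A real query would look something like
# https://crt.sh/?q=%25.quickconnect.to&output=json (URL shape assumed).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "common_name": "acme-law.quickconnect.to",
     "name_value": "acme-law.quickconnect.to\nacme-law.direct.quickconnect.to"},
    {"id": 2, "common_name": "acme-law.quickconnect.to",      # renewal of the same cert
     "name_value": "acme-law.quickconnect.to\nacme-law.direct.quickconnect.to"},
    {"id": 3, "common_name": "city-police-evidence.quickconnect.to",
     "name_value": "city-police-evidence.quickconnect.to"},
    {"id": 4, "common_name": "harbour-fleet.quickconnect.to",
     "name_value": "HARBOUR-FLEET.quickconnect.to"},          # mixed case in the log
    {"id": 5, "common_name": "*.quickconnect.to",
     "name_value": "*.quickconnect.to"},                      # wildcard: no device
    {"id": 6, "common_name": "www.example.org",
     "name_value": "www.example.org\nquickconnect.to.example.org"},  # different apex
])

# Keyword -> sector heuristic for prioritising exposed names (illustrative only).
SECTOR_KEYWORDS = {
    "police": "police", "pd": "police",
    "law": "legal", "legal": "legal", "attorney": "legal",
    "ship": "maritime", "fleet": "maritime", "harbour": "maritime", "harbor": "maritime",
    "plant": "industrial", "factory": "industrial",
}


def parse_ct_records(text):
    """Decode a crt.sh-style JSON array; each record carries newline-separated names."""
    return json.loads(text)


def extract_quickconnect_ids(records):
    """Map each QuickConnect ID to the subdomain kinds seen for it, deduplicated.

    Certificates are renewed regularly, so the same ID appears in many log
    entries; wildcards and names under other apexes are skipped.
    """
    found = {}
    for rec in records:
        for name in rec.get("name_value", "").split("\n"):
            m = QC_HOST_RE.match(name.strip().lower())
            if m is None:
                continue
            kinds = found.setdefault(m["qcid"], set())
            kinds.add("direct" if m["direct"] else "relay")
    return found


def classify_id(qcid):
    """Sectors suggested by the owner-chosen ID, matched on hyphen-separated tokens."""
    return {SECTOR_KEYWORDS[t] for t in qcid.split("-") if t in SECTOR_KEYWORDS}


def triage(text):
    """Return [(qcid, sorted kinds, sorted sectors)], classified names first."""
    ids = extract_quickconnect_ids(parse_ct_records(text))
    rows = [(q, sorted(k), sorted(classify_id(q))) for q, k in ids.items()]
    return sorted(rows, key=lambda r: (not r[2], r[0]))


if __name__ == "__main__":
    for qcid, kinds, sectors in triage(SAMPLE_CT_JSON):
        print(f"{qcid:<25} {','.join(kinds):<13} {','.join(sectors) or '-'}")
```

The same parser is equally useful defensively: run it over CT results for your own organisation's names to find NAS devices that staff have put online without telling the security team.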
Based on random sampling of recently created QuickConnect domains, Midnight Blue found roughly 80% to be live and accessible, and about half of the devices to have the SynologyPhotos / BeePhotos component enabled. As such, Midnight Blue assesses that between one and two million devices are currently both affected and exposed.
Since the vulnerability resides in the photos component, installing the latest SynologyPhotos or BeePhotos patch released by Synology (versions below) should fully remediate the issue. Alternatively, disabling the SynologyPhotos / BeePhotos package deactivates the vulnerable code and mitigates the issue. Lastly, disabling port forwarding to the NAS, blocking inbound access to ports 5000 and 5001 (the default DSM HTTP and HTTPS ports) and disabling QuickConnect prevents the vulnerability from being exploited over the internet, but leaves the device vulnerable from within the local network.
Synology DiskStation:
SynologyPhotos 1.7.x family: version 1.7.0-0795 resolves the issue.
SynologyPhotos 1.6.x family: version 1.6.2-0720 resolves the issue.
Synology BeeStation:
BeePhotos 1.1.x family: version 1.1.0-10053 resolves the issue.
BeePhotos 1.0.x family: version 1.0.2-10026 resolves the issue.
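The following POSIX shell script is an added example, not Synology's or Midnight Blue's tooling: it compares an installed SynologyPhotos or BeePhotos version string against the fixed releases listed above, field by field, and when run on the NAS reads the installed version via `synopkg version <package>`. That DSM CLI call and the package IDs `SynologyPhotos` and `BeePhotos` are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not Synology's or Midnight Blue's tooling: decide whether an
# installed SynologyPhotos / BeePhotos build is at or above the fixed release
# for its family, using the versions listed in this advisory.

# Fixed version per package family (from the advisory). Unlisted families
# (older releases, or ones newer than this advisory) are treated as unverified.
fixed_for_family() {
  case "$1" in
    SynologyPhotos:1.7) echo "1.7.0-0795" ;;
    SynologyPhotos:1.6) echo "1.6.2-0720" ;;
    BeePhotos:1.1)      echo "1.1.0-10053" ;;
    BeePhotos:1.0)      echo "1.0.2-10026" ;;
    *)                  echo "" ;;
  esac
}

# Return 0 when installed ($2) >= fixed ($1). Versions have the form
# major.minor.patch-build; fields are compared numerically, so leading zeros
# in the build number ("0795") do not matter.
version_ge() {
  awk -v fixed="$1" -v inst="$2" 'BEGIN {
    n = split(fixed, f, "[.-]"); split(inst, i, "[.-]")
    for (k = 1; k <= n; k++) {
      if (i[k] + 0 > f[k] + 0) exit 0
      if (i[k] + 0 < f[k] + 0) exit 1
    }
    exit 0
  }'
}

# is_patched <SynologyPhotos|BeePhotos> <installed-version>  ->  0 patched, 1 not
is_patched() {
  family=$(printf '%s' "$2" | cut -d. -f1,2)
  fixed=$(fixed_for_family "$1:$family")
  [ -n "$fixed" ] || return 1   # unknown family: assume vulnerable, as the advisory does
  version_ge "$fixed" "$2"
}

# Read the installed version on the device. "synopkg version <pkg>" is the
# DSM CLI call assumed here; run this on the NAS as an administrator.
check_device() {
  installed=$(synopkg version "$1") || { echo "cannot read $1 version"; return 2; }
  if is_patched "$1" "$installed"; then
    echo "$1 $installed: patched"
  else
    echo "$1 $installed: VULNERABLE - update or disable the package now"
    return 1
  fi
}

# Usage: sh check_photos.sh SynologyPhotos   (or BeePhotos on a BeeStation)
if [ $# -gt 0 ]; then
  check_device "$1"
fi
```

A version from a family the advisory does not list (for instance anything older than 1.6.x, or a family newer than the ones named here) is reported as not patched; that matches the advisory's assumption that all pre-patch versions are vulnerable, and for a newer family it errs on the side of sending you to Synology's advisory rather than trusting the script.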
Below we maintain an up-to-date timeline of the events surrounding the RISK:STATION Coordinated Vulnerability Disclosure Process. The Dutch NCSC’s CVD guidelines stipulate a 3-month embargo period for software vulnerabilities, which allows stakeholders and asset owners to mitigate the vulnerability. As such, while we will eventually disclose technical details of the vulnerability, this will not happen before 23-01-2025.
23-10-2024: Started investigating Synology BeeStation with renewed strategy.
23-10-2024: Finalized exploit and demonstrated it successfully at Pwn2Own Ireland 2024.
23-10-2024: Communicated advisory to Synology.
01-11-2024: Midnight Blue issues public advisory.
TBD 2025: Release of technical details.
If you are running a Synology DiskStation with SynologyPhotos or a Synology BeeStation with BeePhotos, you are probably affected. Check the version numbers to ensure you are using a patched version, and install the patch immediately if not.
To the best of our knowledge, RISK:STATION is not being abused in the wild yet. However, with the patch available, it is likely to be reverse engineered by threat actors as has happened in the past with different vulnerabilities. As such, it is wise to assume abuse of the vulnerability to be around the corner.
Whether a device has already been compromised is hard to determine with certainty, given the limited introspection and forensics capabilities of Synology NAS devices. When in doubt, disconnect your device: the patch closes the vulnerability but does not remove any persistent backdoor an attacker may already have installed.
RISK:STATION was discovered as part of the Pwn2Own competition, where vulnerabilities are disclosed to the vendor immediately. In addition, technical details are withheld until at least 3 months after initial disclosure to Synology, in line with commonly accepted practices. However, threat actors have historically shown the ability to quickly reproduce vulnerabilities through patch reverse-engineering or independent research. Due to the potential impact and the number of affected devices, the best approach for risk minimization consisted of public outreach to stimulate NAS owners to apply the available patch.
There are various configuration options and best practices that you can employ to improve the resilience of your device or network against attacks. For instance, only allow VPN access to your NAS and disable direct port forwarding and QuickConnect. However, which further steps to take largely depends on your security needs. Contact us if you're interested in our bespoke security consultancy services.
Systems with automatic updates enabled should usually have received the patch automatically. However, we strongly encourage you to verify manually that the latest version is indeed installed, and to update manually if it is not.
Yes, you are free to include the RISK:STATION logo in any work referencing these issues. Rights are waived via the CC0 license. Feel free to grab the image from the top of the page.