WARNING: VULNERABILITY IN MULTIPLE SYNOLOGY DSM PRODUCTS & VERSIONS ENABLES REMOTE DENIAL OF SERVICE ATTACKS, SENSITIVE INFORMATION EXPOSURE, AND PRIVILEGE ESCALATION

Published: 05/12/2024

Reference:
Advisory #2024-283

Version:
1.0

Affected software:
DiskStation Manager (7.2.2, 7.2.1, 7.1)
DiskStation Manager Unified Controller 3.1

Type:
Denial of service, data disclosure, privilege escalation

CVE/CVSS:
Not available

Risks

An unspecified vulnerability (no CVE assigned at the time of writing) in several Synology products used to manage network-attached storage (NAS) devices allows:
  • Remote attackers to conduct denial-of-service (DoS) attacks.
  • Remote attackers to obtain sensitive information.
  • Remote authenticated users to escalate their privileges without consent.
The vulnerability therefore has a high impact on confidentiality, integrity, and availability.

Description

Successful exploitation of this vulnerability can result in:
  • Data loss - exposure of sensitive data could lead to identity theft or corporate espionage.
  • Disruption of services - DoS attacks could cause systems to be offline, impacting business continuity and service delivery.
  • Full system compromise - privilege escalation can give attackers complete control over the system, making it easier to execute further malicious actions such as deploying ransomware or altering system settings.

A compromise of DiskStation Manager Unified Controller (DSMUC) would have considerably more severe repercussions because of the nature of this product: DSMUC 3.1 is typically deployed in enterprise or large-scale environments, so its broader use cases and deployment footprint pose additional risk compared to standard DSM.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing the updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a compromise that has already occurred.
