Security Experts:

Synology Fixes XSS, Command Injection Vulnerabilities in NAS Software

Taiwan-based network attached storage (NAS) company Synology has released software updates to address several vulnerabilities reported by Dutch security company Securify.

One of the flaws uncovered by researchers is a reflected cross-site scripting (XSS) bug in Synology DiskStation Manager (DSM), the operating system that runs on the company’s DiskStation and RackStation appliances.Synology NAS

“This issue allows attackers to perform a wide variety of actions, such as stealing victims' session tokens or login credentials if available, performing arbitrary actions on their behalf but also performing arbitrary redirects to potential malicious websites,” Securify wrote in its advisory.

In order to exploit the vulnerability, a malicious actor needs to trick the victim into clicking on a specially crafted link. This allows the attacker to execute arbitrary code in the user’s web browser.

The vulnerability has been successfully reproduced on Synology DiskStation Manager version 5.2-5565, released on May 12, and it has been addressed with the release of version 5.2-5565 Update 1 on May 21. The latest release of Synology DiskStation Manager also updates PHP to version 5.5.25 in order to fix several vulnerabilities.

Securify researchers have also identified vulnerabilities in Synology Photo Station, an online photo album that allows DSM users to manage and share photos and videos.

One of the issues is a command injection vulnerability that can be exploited to execute arbitrary commands with the privileges of the web server. The bug allows an attacker to compromise the NAS appliance and the data stored on it.

The flaw is caused by improper user input sanitization and the lack of protection against cross-site request forgery (CSRF) attacks.

Han Sahin, co-founder of Securify, has classified this vulnerability’s severity as “medium” due to the fact that remote exploitation requires social engineering. However, the expert has pointed out that such weaknesses in NAS appliances and routers are often targeted by malicious actors in so-called pharming attacks that leverage CSRF vulnerabilities.

The vulnerability has been tested on Synology Photo Station version 6.2-2858 and it was patched on May 21 with the release of version 6.3-2945.

Version 6.3-2945 of Synology Photo Station also resolves multiple reflected XSS vulnerabilities reported by Securify. The security firm has rated these issues as being of high severity.

Sahin has commended Synology for the way it has handled the vulnerability reports. The expert told SecurityWeek that the flaws were addressed in just five days after being reported, possibly thanks to the fact that Securify provided Synology’s security team the exact location of the bugs in the code.

Related: EMC Patches Flaws in M&R, Secure Remote Services

Related: Pinterest, Yammer iOS Apps Vulnerable to MitM Attacks

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.