Security Experts:

Synology Patches Serious Flaws in NAS Software

Network attached storage (NAS) company Synology has released updates for its Video Station and Download Station applications to patch several vulnerabilities identified by Dutch security company Securify.

Researchers uncovered a total of three vulnerabilities in Synology Video Station, a piece of software that allows users of Synology DiskStation NAS devices to easily organize and watch their videos.

One of the flaws is a command injection affecting the subtitle.cgi CGI script. The vulnerability can be exploited to execute arbitrary commands with root privileges, and compromise DiskStation NAS devices and all the data stored on them. If the “public share” feature is enabled (enabled by default), the vulnerability can be exploited remotely by an unauthenticated attacker.

Han Sahin, co-founder of Securify, told SecurityWeek that this high risk vulnerability can be exploited even if the public share feature is disabled by brute-forcing the parameters of the share URL. This is possible because there are no cryptographically strong random numbers

included in the vulnerable subtitle.cgi request. The expert has pointed out that the vulnerability is easiest to exploit in scenarios where users explicitly share a video with other users.

Securify has also identified two blind SQL injection vulnerabilities in Video Station. The flaws, found in the watchstatus.cgi and audiotrack.cgi CGI scripts, can be exploited to access the application’s PostgreSQL database server.

Sahin says these SQL injections have been rated “medium” because they can only be exploited by an authenticated attacker.

The Video Station vulnerabilities were reported to Synology this summer. The vendor patched the audiotrack.cgi issue with the release of version 1.5-0757, but the other two issues were initially missed and they were only fixed later with the release of version 1.5-0763.

Securify also found multiple high severity persistent cross-site scripting (XSS) bugs in Download Station, an application that enables DiskStation devices to serve as a download center. Users can utilize Download Station to download files from BitTorrent, file hosting and other services.

Researchers discovered that the feature designed for creating download tasks by uploading files (e.g. a torrent file) exposes users to XSS attacks. Malicious actors can execute an XSS payload in the context of the application if they can trick victims into loading a specially crafted download file. A proof-of-concept (PoC) video from Securify shows how a malicious torrent file can be used to load an arbitrary website in an iframe.

A similar XSS was found in the feature that allows users to create download tasks by entering a URL or by using the BT Search feature to find torrent files. In vulnerable versions of Download Station, an attacker can deliver an XSS payload via a maliciously crafted URL.

Attackers can exploit these vulnerabilities to steal users’ session tokens, launch phishing attacks, redirect victims to arbitrary sites, and perform actions on their behalf.

The file upload vulnerability in Download Station was patched with the release of version 3.5-2962, and the URL issue was addressed several weeks later with the release of version 3.5-2967.

“Synology fixes reported security issues very fast. The attack surface of NAS software is however very big (almost uncontrollable) and that is why instances of similar issues are easily missed. Users should upgrade to the latest version of Download (v 3.5-2967) and Video Station (v 1.5-0763),” Sahin said.

Synology told SecurityWeek that it released the updates within a couple of days after receiving the vulnerability report.

“The issues have been resolved by applying the most recent application updates and operating system updates. For some time our systems have had a setting available to users to protect against cross-site attacks and as of the latest update this setting is now enabled by default. Synology takes security very seriously and we are constantly updating our applications to make sure our users are protected,” Synology said.

This was not the first time Securify discovered vulnerabilities in Synology software. In May, the security firm published advisories for flaws plaguing Synology DiskStation Manager, and Synology PhotoStation.

*Updated with statement from Synology

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.