Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week's Pwn2Own hacking competition within days.
Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as
CVE-2024-10443 and dubbed
RISK:STATION) in the company's Synology Photos and BeePhotos for BeeStation software.
As Synology explains in
security advisories published two days after the flaws were
demoed at Pwn2Own Ireland 2024 to hijack a Synology BeeStation BST150-4T device, the security flaws enable remote attackers to gain remote code execution as root on vulnerable NAS appliances exposed online.
"The vulnerability was initially discovered, within just a few hours, as a replacement for another Pwn2Own submission. The issue was disclosed to Synology immediately after demonstration, and within 48 hours a patch was made available which resolves the vulnerability,"
Midnight Blue said.
"However, since the vulnerability has a high potential for criminal abuse, and millions of devices are affected, a media reach-out was made to inform system owners of the issue and to stress the point that immediate mitigative actions are required."
Synology says it addressed the vulnerabilities in the following software releases; however, they're not automatically applied on vulnerable systems, and customers are advised to update as soon as possible to block potential incoming attacks:
- BeePhotos for BeeStation OS 1.1: Upgrade to 1.1.0-10053 or above
- BeePhotos for BeeStation OS 1.0: Upgrade to 1.0.2-10026 or above
- Synology Photos 1.7 for DSM 7.2: Upgrade to 1.7.0-0795 or above.
- Synology Photos 1.6 for DSM 7.2: Upgrade to 1.6.2-0720 or above.
