Synology warns of critical Netatalk bugs in multiple products

LASER_oneXM

Synology has warned customers that some of its network-attached storage (NAS) appliances are exposed to attacks exploiting multiple critical Netatalk vulnerabilities.

"Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM)," Synology said.

Patches coming within 90 days

The NCC Group's EDG team exploited the security flaw (tracked as CVE-2022-23121 and rated with a 9.8/10 severity score) to achieve remote code execution without authentication on a Western Digital PR4100 NAS running My Cloud OS firmware during the Pwn2Own contest.

Synology highlighted three other bugs in today's warning (CVE-2022-23125, CVE-2022-23122, and CVE-2022-0194) that have received the same severity rating.
They also allow unauthenticated attackers to execute arbitrary code remotely on unpatched devices.

Even though the Netatalk development team released security patches addressing the flaws last month, Synology says that releases for some of the affected products are still "ongoing."