14 DAY TRIAL // Security flaws affecting software on network attached storage (NAS) devices from Synology can be exploited by attackers to access data on the storage units or to point users to malicious websites.
NAS appliances are generally used as file servers in either home or corporate environments. Their purpose is to share data with multiple clients across the network, each with their own set of privileges.
Improper user input validation compromises Photo Station
Netherlands-based security company Securify reported several vulnerabilities in Synology Photo Station, an online photo album handled via the NAS DiskStation Manager (DSM) software component.
A command injection flaw can be leveraged for execution of arbitrary commands with web server privileges, giving an attacker full access to the stored files. The researchers discovered that the operating system commands used by Photo Station to call other Synology applications are not filtered properly and arbitrary commands can be injected by a malicious user.
Securify also uncovered multiple reflected cross-site scripting (XSS) glitches that could be taken advantage of to collect session tokens or login credentials; moreover, a threat actor could use them for redirects to malicious websites.
The researchers found the flaws on version 6.2-2858 of Synology Photo Station. They created and published proof-of-concept (PoC) exploit code that demonstrates the security holes. Synology has released a new version (6.3-2945) that fixes the problems.
Flaw in DiskStation Manager allows stealing user credentials
Another reflected XSS has been discovered in DiskStation Manager 5.2-5565, the operating system powering the Synology NAS devices.
The risk associated with the issue consists in stealing user credentials or session tokens as well as tricking users into landing on malicious pages that could deliver malware.
In a security advisory, Security researcher Han Sahin says that the flaw “is introduced in entry.cgi due to setting an incorrect response content type. The response states that the returned data is HTML. However, it actually returns JSON. All compound JSON parameters echoed into the application's response without input validation result in reflected Cross-Site Scripting with an incorrect response type such as HTML.”
If someone is fooled into visiting a URL devised by the attacker, a malicious script can be executed in the victim’s web browser.
Synology addressed this vulnerability, too, by releasing an update for DiskStation Manager.