Synology fixes a maximum severity flaw, update quickly!


Mallory Delicourt

January 04, 2023 at 3:30 p.m.


A major security flaw has been detected and fixed by Synology, the Taiwan-based manufacturer of NAS (Network Attached Storage) devices. Updating the utilities and hardware is highly recommended.

The flaw, rated maximum severity, could have been exploited without administrator privileges and could have caused great damage.

A maximum severity flaw discovered

Founded by two former Microsoft employees in 2000, Synology is a company that provides NAS solutions, autonomous storage devices that can be connected to a professional or private network via the Internet. These devices and their associated software are used to store large amounts of data and to prevent its loss by means of a private cloud. In other words, they are obvious targets for hackers who, by breaking in, could recover sensitive, confidential or purely personal files.

On January 2, Synology announced that a vulnerability rated 10/10 in severity had been detected in the VPN Plus Server software. It allowed hackers to attack remotely and execute arbitrary commands through unspecified vectors. In other words, it could very easily be exploited without requiring great skills. The problem has obviously been put at the top of the priority list.

Already ancient history?

This type of vulnerability can lead to an intrusion or data corruption, cause system crashes and prevent code from executing correctly. It was therefore necessary to intervene quickly, which was done. Fixes have recently been released, and customers are strongly advised to update VPN Plus Server to the latest version of SRM (Synology Router Manager). The fixes for VPN server versions 1.3 and 1.2 are updates 1.4.4-0635 (1.3) and 1.4.3-0534 (1.2).

On December 22, Synology fixed another critical security flaw in Synology Router Manager. In particular, it allowed the remote execution of arbitrary commands, the launch of denial-of-service attacks (DDoS) or the reading of stored files. It now seems that these critical flaws, in both VPN Plus Server and Synology Router Manager, are a thing of the past. Of course, Synology will continue to monitor its services and products, because absolute security does not exist.

Source: BleepingComputer


