Synology hurries out patches for zero-days exploited at Pwn2Own

Synology hurries out patches for zero-days exploited at Pwn2Own

November 1, 2024 at 12:40PM

Synology quickly addressed two critical zero-click vulnerabilities found in its Synology Photos and BeePhotos software during the Pwn2Own 2024 competition. Users are urged to update their systems to prevent remote code execution attacks. Similar vulnerabilities were also patched by QNAP, highlighting ongoing security risks for exposed NAS devices.

**Meeting Takeaways:**

1. **Zero-Day Vulnerabilities**:
– Synology patched two critical zero-click vulnerabilities in its Synology Photos and BeePhotos for BeeStation software, identified during the Pwn2Own hacking competition.
– The vulnerabilities allow remote code execution on NAS devices that are exposed online.

2. **Patch Releases**:
– Synology has released the following updates to address the vulnerabilities:
– **BeePhotos for BeeStation OS 1.1**: Upgrade to 1.1.0-10053 or above.
– **BeePhotos for BeeStation OS 1.0**: Upgrade to 1.0.2-10026 or above.
– **Synology Photos 1.7 for DSM 7.2**: Upgrade to 1.7.0-0795 or above.
– **Synology Photos 1.6 for DSM 7.2**: Upgrade to 1.6.2-0720 or above.
– It is crucial for customers to update their software as these patches are not automatically applied.

3. **Industry Context**:
– Another NAS manufacturer, QNAP, also patched critical vulnerabilities discovered at the same event, indicating a broader risk landscape for NAS devices.
– Historically, NAS devices are often targeted due to their exposure to the internet, making them susceptible to ransomware attacks.

4. **Vulnerable Systems Identified**:
– Security researchers found vulnerable Synology NAS devices in the networks of U.S. and European police departments and critical infrastructure contractors from several countries, pointing to a significant risk for sensitive data exposure.

5. **Ongoing Threats**:
– Ransomware threats remain prevalent, with different strains like eCh0raix, DeadBolt, and Checkmate targeting exposed NAS devices.
– The cybersecurity community is warned that vulnerabilities in devices often compromise systems storing sensitive data, necessitating vigilant patching and security measures from manufacturers and users alike.

6. **Future Monitoring**:
– Vendors generally have a 90-day window to release patch details following disclosures during events like Pwn2Own, during which they are encouraged to expedite security updates to protect users.

7. **Recommendations for Customers**:
– Customers should remain proactive in monitoring their devices for updates and be aware of the risks of exposing NAS devices to the internet. Regular updates and security practices are essential to mitigate potential attacks.

Full Article