Synology: Critical vulnerabilities in NAS allow attackers to execute malicious code

Synology warns of a total of four security holes in certain series of NAS devices. Three of these are classified as critical and allow network attackers to execute arbitrary code on devices. The updated firmware that closes the vulnerabilities is ready.

external management

All three critical vulnerabilities can be found in the out-of-band (OOB) management of NAS devices. When decrypting packets, the bounds of a buffer could be overwritten (CVE-2022-27624, CVSS 10risk “critical“). Such a buffer overflow could also occur when processing messages (CVE-2022-27625, CVSS 10, critical).

When running with shared resources, insufficient synchronization could lead to a so-called race condition, which also allows attackers to execute arbitrary commands (CVE-2022-27626, CVSS 10, critical). The error in the processing of the OOB session, which allows access outside its memory limits and therefore the output of confidential information, seems less serious (CVE-2022-3576, CVSS 5.3, medium).

are affected according to Synology announcement DS3622xs+, FS3410 and HD6500 series devices. Diskstation Manager software version 7.1.1-42962-2 is available for these devices, which plugs the security holes. Administrators should download and install updates quickly.

To apply the updated firmware, administrators must remove the .pat file that contains the update from the Synology Download Page to suit your device and installed version and download it. The “DSM Manual Update” page should now be opened in the device UI and the .pat file selected there by clicking “Browse”. The update starts when you select “Apply”.

More recently, Synology had to seal security holes that dated back to the netatalk protocol.

(DMK)