Advisory

Synology fixes more critical flaws reported in Pwn2Own competition

Take action: If you run Synology hardware or software, read the advisories below. Several of the flaws are rated critical, so plan a quick patch cycle: the vulnerabilities were demonstrated publicly at Pwn2Own, and working attacks tend to follow quickly once a vendor fix is out.


Learn More

Synology has published critical security notifications following vulnerabilities discovered in its NAS systems during the Pwn2Own 2024 competition in Ireland.

The vulnerabilities impact Synology DSM, Synology Drive Server, Synology Replication Service, and BeeStation, with Synology categorizing most of them as critical security risks. CVE entries and CVSS scores were not available when the advisories were first published; see the update below.

BeeStation OS

  • Remote code execution from the network (ZDI-CAN-25403).
  • Man-in-the-middle file write access (ZDI-CAN-25617).
  • Unauthorized file read access (ZDI-CAN-25613).

Affected Versions: BeeStation OS versions 1.0 and 1.1. Upgrade to BeeStation OS version 1.1-65374 or newer.

Replication Service

  • Arbitrary command execution by remote attackers (ZDI-CAN-25607).

Affected Versions: DSM 7.1 and DSM 7.2. Update DSM 7.2 Replication Service to version 1.3.0-0423 or newer, and DSM 7.1 Replication Service to version 1.2.2-0353 or newer.

DSM (DiskStation Manager)

  • Remote code execution (ZDI-CAN-25403).
  • Admin session capture through man-in-the-middle attack (ZDI-CAN-25487).
  • Unauthorized file read access (ZDI-CAN-25613).
  • Man-in-the-middle file write access (ZDI-CAN-25617).

Affected Versions: DSM 7.2, DSM 7.1, and DSMUC 3.1. Update DSM 7.2 to version 7.2.2-72806-1 or newer; updates for DSM 7.1 and DSMUC 3.1 are expected within 30 days.

Drive Server

  • SQL injection and session hijacking from the network.

Affected Versions: DSM 7.1. The issue is resolved in Synology Drive Server 3.5.1-26102 for DSM 7.2; the Drive Server update for DSM 7.1 is pending within the next 30 days.

Update, as of 19 March 2025: Synology has updated the advisory with CVE identifiers and CVSS scores for the following flaws.

  • CVE-2024-10441 (CVSS score 9.8) - ZDI-CAN-25403 - An improper encoding or escaping of output vulnerability in the system plugin daemon allows remote attackers to execute arbitrary code via unspecified vectors.
  • CVE-2024-50629 (CVSS score 5.3) - ZDI-CAN-25613 - An improper encoding or escaping of output vulnerability in the webapi component allows remote attackers to read limited files.
  • CVE-2024-10445 (CVSS score 4.3) - ZDI-CAN-25617 - An improper certificate validation vulnerability in the update functionality allows adjacent man-in-the-middle attackers to write limited files.

The vulnerabilities affect multiple Synology products including:

  • Synology BeeStation Manager (BSM) versions before 1.1-65374
  • Synology DiskStation Manager (DSM) versions before 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6, and 7.2.2-72806-1
  • Synology Unified Controller (DSMUC) versions before 3.1.4-23079

Synology has released patches for all affected products. Users should upgrade to the following versions or later:

  • DSM 7.2.2-72806-1 or above
  • DSM 7.2.1-69057-6 or above
  • DSM 7.2-64570-4 or above
  • DSM 7.1.1-42962-7 or above
  • DSM 6.2.4-25556-8 or above
  • DSMUC 3.1.4-23079 or above

Synology strongly advises all users of affected products to apply available updates immediately to mitigate the risks associated with these vulnerabilities. No alternative mitigations are provided, so prompt installation of updates is crucial.
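As an added check (example code written for this page, not from Synology or the advisory): a small Python helper that parses Synology's major.minor[.patch]-build[-hotfix] version strings and compares an installed DSM, DSMUC or BSM version against the fixed versions listed above. It treats a version as patched when it is at or above the fixed release on its own branch, or newer than the newest fixed release; anything else, including a branch with no fixed build listed (for example DSM 7.1 before 7.1.1), is reported as vulnerable and needs an upgrade to a fixed branch. The `version_from_etc` helper assumes the `key="value"` layout of `/etc.defaults/VERSION` on DSM (keys `productversion`, `buildnumber`, `smallfixnumber`); confirm that layout on your own unit before relying on it.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions taken from the advisory above, one entry per release branch.
FIXED: Dict[str, List[str]] = {
    "DSM": ["7.2.2-72806-1", "7.2.1-69057-6", "7.2-64570-4", "7.1.1-42962-7", "6.2.4-25556-8"],
    "DSMUC": ["3.1.4-23079"],
    "BSM": ["1.1-65374"],
}

# major.minor[.patch]-build[-hotfix]; patch and hotfix default to 0 when absent.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?$")

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '7.2-64570-4' into (7, 2, 0, 64570, 4) so tuples compare in version order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {text!r}")
    major, minor, patch, build, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build), int(hotfix or 0))


def status(product: str, installed: str) -> str:
    """Return 'patched' or 'vulnerable' for an installed version of DSM, DSMUC or BSM."""
    fixes = sorted(parse_version(v) for v in FIXED[product])
    inst = parse_version(installed)
    # Same branch (major.minor.patch): compare build and hotfix against the fixed release.
    for fix in fixes:
        if fix[:3] == inst[:3]:
            return "patched" if inst >= fix else "vulnerable"
    # A branch newer than every fixed release is assumed to carry the fix.
    if inst > fixes[-1]:
        return "patched"
    # Older branch with no fixed build listed: upgrade to a fixed branch.
    return "vulnerable"


def version_from_etc(text: str) -> str:
    """Build a version string from /etc.defaults/VERSION-style key="value" lines.

    The key names used here are an assumption of this example; check the file on
    the unit you are assessing.
    """
    kv = dict(re.findall(r'^(\w+)="([^"]*)"$', text, re.M))
    return f"{kv['productversion']}-{kv['buildnumber']}-{kv.get('smallfixnumber', '0')}"


# Constructed sample of a VERSION file, not captured from a real device.
SAMPLE_VERSION_FILE = (
    'majorversion="7"\n'
    'minorversion="2"\n'
    'productversion="7.2.1"\n'
    'buildnumber="69057"\n'
    'smallfixnumber="5"\n'
)

if __name__ == "__main__":
    installed = version_from_etc(SAMPLE_VERSION_FILE)
    print(f"DSM {installed}: {status('DSM', installed)}")
    for product, ver in [("DSM", "7.2.2-72806-1"), ("DSM", "7.1-42661-4"),
                         ("DSMUC", "3.1.4-23079"), ("BSM", "1.0-65000")]:
        print(f"{product} {ver}: {status(product, ver)}")
```

Run it on the NAS itself by feeding the real file to `version_from_etc`, or paste the version shown in Control Panel into `status`; the comparison is purely offline.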
