Synology Vulnerabilities: A Critical Security Flaw

Securityium’s journey of uncovering vulnerabilities in software and hardware can lead to significant breakthroughs. Securityium began with a series of investigations into Synology’s systems, leading to the discovery of a critical security flaw in one of their subdomains. This article details the process, from initial discovery to reporting the issue and the subsequent reward.

Initial Discovery: A Serendipitous Find

While initially focused on a hardware device vulnerability, I inadvertently stumbled upon a significant web application issue during a routine DNS scan. This serendipitous discovery unveiled a subdomain that was potentially vulnerable. The subdomain in question was: www.synology.com.

Upon accessing the web application associated with this subdomain, I was met with a HTTP 403 Forbidden error. This error suggested that the web application was blocking access to potentially sensitive information. The existence of this error led me to believe that the page contained crucial data, and the company had implemented additional security measures to protect it.

Identifying the Affected Component

The vulnerability was located in the /upload/ directory of the web application. This directory, while intended for legitimate file uploads, lacked proper security controls. Specifically, the file upload feature was unauthenticated and permitted any file type to be uploaded, which is a significant security oversight.

The core of the issue was that the application did not impose restrictions on the type or nature of files that could be uploaded. This flaw allowed for the upload of a malicious PHP shell, which could be leveraged for unauthorized access and control over the server.

Severity Level: Assessing the Risk

The severity of this vulnerability can be classified as critical. Unauthenticated file uploads are inherently dangerous because they can lead to remote code execution (RCE) if an attacker can upload and execute a malicious script. In this case, the uploaded PHP shell provided direct access to the server, allowing for further exploitation.

The ability to execute arbitrary commands on the server, such as ls and ifconfig, demonstrated the potential for significant damage. The ls command revealed the presence of sensitive backup files, and the ifconfig command showed an active connection to an internal machine, which could be used for deeper network penetration.

Technical Breakdown: Understanding the Vulnerability

• Insufficient Validation: The email module within the affected Synology routers failed to properly validate user inputs on the server side. Parameters such as email_addr and auth_user were not sanitized, allowing attackers to inject malicious commands.

• Storage of Malicious Payloads: The injected commands were stored within the system configuration of the router, effectively embedding the malicious payload within the device’s settings.

• Triggering Execution: The vulnerability was triggered when the scheduler or the “Send Log” button was activated. This activation called the sendlog() function.

• Function Dependency: The sendlog() function relied on the print_smtpc_arg() function to retrieve configuration settings. The print_smtpc_arg() function utilized $nvram variables to fetch these settings.

• Command Execution: The malicious payload, stored in the email_addr and auth_user variables, was passed to the eval function. The eval function then executed the arbitrary commands on the system, leading to unauthorized command execution on the router.

Mitigation: Steps Taken to Secure the Vulnerability

To address the discovered vulnerability, several mitigation steps were recommended and implemented:

• Authentication and Authorization Controls: Ensuring that file upload endpoints are protected by proper authentication and authorization checks can prevent unauthorized access.

• File Type Restrictions: Implementing strict file type validation can prevent the upload of potentially harmful files.

• Security Best Practices: Regular security audits and adherence to best practices in web application development can mitigate such vulnerabilities.

Additional Discovery: SSRF Vulnerability in DSM 6

Alongside the unauthenticated file upload vulnerability, I also discovered a Server-Side Request Forgery (SSRF) vulnerability in Synology’s DiskStation Manager (DSM) 6. DSM is the operating system that powers Synology’s NAS devices, providing a web-based interface for managing storage, applications, and services.

What is SSRF?

Server-Side Request Forgery (SSRF) is a type of vulnerability where an attacker can make a server-side application send HTTP requests to an unintended location. This can lead to various attacks, including accessing internal systems, scanning internal networks, or exploiting other vulnerabilities within the internal network.

• Implications of SSRF in DSM 6: The SSRF vulnerability in DSM 6 could allow an attacker to leverage the DSM interface to make unauthorized requests, potentially exposing internal services and data. This type of vulnerability is particularly dangerous as it can serve as a gateway for deeper penetration into the internal network.

• Synology’s Response: A Commitment to Security: Synology demonstrated a strong commitment to addressing the discovered vulnerabilities. Their prompt responses and swift mitigation actions highlight their dedication to maintaining the security of their systems and protecting their users.

• Firmware Updates: Synology released firmware updates to address the discovered vulnerabilities. Users were strongly encouraged to update their devices to the latest firmware versions to protect against potential exploits.

• Security Advisory: Synology published a detailed security advisory on their website, providing comprehensive information and guidance on addressing the vulnerabilities.

Conclusion: The Importance of Vigilance in Cybersecurity

This bug bounty experience with Synology highlights the critical importance of robust security practices in both web applications and network-attached storage systems. The discovery of an unauthenticated file upload vulnerability and an SSRF vulnerability in DSM 6 exposed significant risks, including unauthorized server access and internal network exploitation. Synology’s swift response and the reward bounty underscore their commitment to security. This journey reinforces the need for continuous vigilance and proactive measures in cybersecurity, encouraging researchers to identify and report vulnerabilities to help organizations bolster their defenses. The collaborative effort in securing digital assets is both rewarding and vital for overall digital safety.

As security researchers, it is our responsibility to continuously seek out and report vulnerabilities to help organizations improve their defenses. The process not only aids in enhancing overall security but also fosters a collaborative effort in protecting digital assets.

For more information on securing your network and staying ahead of potential threats, contact Securityium today. Our team of cybersecurity experts is here to help you navigate the complexities of modern network security, providing tailored solutions to meet your specific needs. Visit our website at Securityium for more details on our services and how we can assist you in enhancing your cybersecurity posture.

The Importance of Prompt Patch Management

The discovery of these vulnerabilities highlights the critical importance of prompt patch management. Vulnerabilities in networking equipment, such as routers and NAS devices, can have far-reaching consequences if left unaddressed. Attackers are constantly on the lookout for weaknesses to exploit, and outdated firmware often provides an easy entry point.

• Best Practices for Mitigating Vulnerabilities: To protect against vulnerabilities, users should adopt the following best practices:

• Update Firmware Regularly: Ensure that your devices’ firmware is always up to date with the latest versions released by the manufacturer.

• Implement Strong Authentication: Use strong passwords and enable two-factor authentication to secure your devices and networks.

• Conduct Regular Security Audits: Regularly review your devices’ configurations and conduct security audits to identify and mitigate potential vulnerabilities.

• Stay Informed: Keep abreast of the latest security advisories and updates from manufacturers to ensure timely mitigation of discovered vulnerabilities.

Final Thoughts: A Collaborative Effort for Enhanced Security

The successful discovery and mitigation of vulnerabilities in Synology’s systems underscore the importance of a collaborative approach to cybersecurity. Researchers, companies, and users must work together to identify, report, and address security flaws, ensuring a safer digital environment for all.

At Securityium, we remain committed to identifying and addressing cybersecurity threats, providing our clients with the expertise and tools needed to protect their networks. Stay vigilant, stay updated, and prioritize security to safeguard your digital assets against emerging threats.