It feels oddly satisfying to point out security issues in a competitor's products, even though we recommend Synology over QNAP. After we wrote about QNAP fixing two critical 0-day issues, it is now Synology's turn to ship security patches. The uncomfortable truth is that millions of devices are currently at risk.
Once again the source is Pwn2Own Ireland 2024, which has turned out to be one of the most fruitful events in the cyber-security space lately.
Security researcher Rick de Jager discovered a zero-day vulnerability in the Synology® DiskStation and BeeStation products, registered as CVE-2024-10443. The flaw is in the SynologyPhotos component, which is enabled on most devices and therefore puts a large installed base at risk.
As with any critical flaw, we recommend applying the patch immediately.
Background
The vulnerability, named RISK:STATION, is an unauthenticated zero-click flaw that gives attackers root-level code execution on the popular Synology DiskStation and BeeStation NAS devices.
Synology was notified immediately after the demonstration and released a patch addressing the vulnerability within 48 hours. The fixed package versions are:
Synology DiskStation:
- SynologyPhotos version 1.7.x family: version 1.7.0-0795 resolves the issue.
- SynologyPhotos version 1.6.x family: version 1.6.2-0720 resolves the issue.
Synology BeeStation:
- BeePhotos version 1.1.x family: version 1.1.0-10053 resolves the issue.
- BeePhotos version 1.0.x family: version 1.0.2-10026 resolves the issue.
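To make the version list above actionable, here is an added Python check (our own example, not Synology's tooling) that parses an installed package version of the form `major.minor.patch-build` and compares it, per family, against the fixed versions from the advisory. It assumes you have read the installed version from Package Center or, over SSH, from `synopkg version SynologyPhotos` (the package name is our assumption). Note that comparing build numbers alone is not enough: a 1.6.1 build with a higher build number than 0720 is still older than 1.6.2-0720, so all four fields are compared in order. Families the advisory does not list are reported as unknown rather than as safe.

```python
"""Check whether an installed Synology Photos / BeePhotos build predates the
CVE-2024-10443 fix.  Added example, not Synology's code.  The fixed versions
are the ones published for the advisory; the comparison logic is ours."""

import re
from typing import NamedTuple, Optional

# Fixed versions per package family (DiskStation: SynologyPhotos,
# BeeStation: BeePhotos), keyed by "major.minor" family.
FIXED_VERSIONS = {
    "SynologyPhotos": {"1.7": "1.7.0-0795", "1.6": "1.6.2-0720"},
    "BeePhotos": {"1.1": "1.1.0-10053", "1.0": "1.0.2-10026"},
}

# Synology package versions look like "1.7.0-0795": semantic triple, then build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int

    @property
    def family(self) -> str:
        return f"{self.major}.{self.minor}"


def parse_version(text: str) -> Version:
    """Parse '1.7.0-0795' into integer fields so tuples compare field by field."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology package version: {text!r}")
    return Version(*(int(g) for g in m.groups()))


def is_vulnerable(package: str, installed: str) -> Optional[bool]:
    """True  -> installed build predates the fix for its family.
    False -> installed build is the fixed version or newer within that family.
    None  -> family not covered by the advisory; check manually, do not
             treat it as safe."""
    family_fixes = FIXED_VERSIONS.get(package)
    if family_fixes is None:
        raise KeyError(f"unknown package {package!r}")
    v = parse_version(installed)
    fixed = family_fixes.get(v.family)
    if fixed is None:
        return None
    # NamedTuple inherits tuple ordering: (major, minor, patch, build) in turn.
    return v < parse_version(fixed)


def describe(package: str, installed: str) -> str:
    """Human-readable verdict for one installed package version."""
    state = is_vulnerable(package, installed)
    if state is None:
        return f"{package} {installed}: family not listed in advisory, verify manually"
    return f"{package} {installed}: {'VULNERABLE, update now' if state else 'fixed'}"


if __name__ == "__main__":
    # Constructed sample inputs, not readings from a real device.
    samples = [
        ("SynologyPhotos", "1.7.0-0794"),   # one build short of the fix
        ("SynologyPhotos", "1.6.1-0812"),   # higher build number, older release
        ("SynologyPhotos", "1.7.0-0795"),   # fixed
        ("BeePhotos", "1.0.2-10025"),       # one build short of the fix
        ("BeePhotos", "1.1.0-10053"),       # fixed
        ("SynologyPhotos", "1.5.3-0500"),   # family not in the advisory
    ]
    for pkg, ver in samples:
        print(describe(pkg, ver))
```

On a DSM box you would feed the output of `synopkg version SynologyPhotos` into `is_vulnerable("SynologyPhotos", ...)`; on BeeStation the package is BeePhotos. The `None` result is deliberate: an unlisted family is a prompt to read the advisory, not a green light.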
Future mitigations
However convenient it is to reach your Synology NAS through QuickConnect, that feature needs to be disabled, because it makes the NAS reachable from the internet.
To reduce exposure further, disable any port forwarding to the NAS on your router. We will publish a follow-up on how to set up a VPN so that you reach the NAS through the tunnel instead of exposing it directly to the internet.
Removing internet exposure is not a substitute for the update: an attacker who is already on the local network can still target an unexposed NAS, so the patch is required regardless.