
WARNING: CRITICAL REMOTE CODE EXECUTION VULNERABILITY IN SYNOLOGY PHOTOS AND BEEPHOTOS, PATCH IMMEDIATELY!

Reference:
Advisory #2024-257
Version:
1.0
Affected software:
BeePhotos for BeeStation OS 1.1: all versions before 1.1.0-10053
BeePhotos for BeeStation OS 1.0: all versions before 1.0.2-10026
Synology Photos 1.7 for DSM 7.2: all versions before 1.7.0-0795
Synology Photos 1.6 for DSM 7.2: all versions before 1.6.2-0720
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2024-10443: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

Synology: https://www.synology.com/en-us/security/advisory/Synology_SA_24_19

Synology: https://www.synology.com/en-us/security/advisory/Synology_SA_24_18

Risks

CVE-2024-10443 is an unauthenticated remote code execution vulnerability in the Synology Photos and BeePhotos apps. An attacker needs no credentials and no user interaction (CVSS vector AV:N/PR:N/UI:N) and can run arbitrary code as root, which amounts to a full compromise of the NAS. The researchers who found the flaw named it RISK:STATION.

A compromised NAS can be used to steal data, pivot deeper into the network and deploy ransomware. Ransomware actors have historically targeted these devices because they concentrate exactly the data that is most valuable to exfiltrate and encrypt.

Description

The details of the vulnerability are still under embargo. This advisory will be updated when we have more detailed information.

Recommended actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable devices with the highest priority, after thorough testing.

Update to the following versions:

  • BeePhotos for BeeStation OS 1.1: upgrade to 1.1.0-10053 or later
  • BeePhotos for BeeStation OS 1.0: upgrade to 1.0.2-10026 or later
  • Synology Photos 1.7 for DSM 7.2: upgrade to 1.7.0-0795 or later
  • Synology Photos 1.6 for DSM 7.2: upgrade to 1.6.2-0720 or later
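The version strings above have the form MAJOR.MINOR.PATCH-BUILD, and the build number carries leading zeros, so a naive string or numeric comparison will mis-classify builds such as 0795. The script below is an added example, not part of this advisory and not Synology's own tooling: it compares an installed build against the fixed build for its release branch and reports patched, vulnerable or unknown. It assumes that on DSM the installed version can be read with `synopkg version SynologyPhotos` (package name not confirmed by the advisory; check it on your own unit), and the sample inventory at the bottom is constructed for an offline run.

```shell
#!/bin/sh
# Added example: check a Synology Photos / BeePhotos build against the fixed
# builds listed in CCB Advisory #2024-257 (CVE-2024-10443).

# Strip leading zeros so "0720" is compared as 720 rather than being read as
# octal by $(( )); an empty or all-zero field becomes 0.
num() {
  n=${1#"${1%%[!0]*}"}
  printf '%s\n' "${n:-0}"
}

# vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B.
# Dotted fields are compared numerically left to right, then the build number.
vercmp() {
  a=$1; b=$2
  case $a in *-*) a_build=$(num "${a#*-}"); a=${a%-*} ;; *) a_build=0 ;; esac
  case $b in *-*) b_build=$(num "${b#*-}"); b=${b%-*} ;; *) b_build=0 ;; esac
  while [ -n "$a" ] || [ -n "$b" ]; do
    a_f=${a%%.*}; b_f=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    a_n=$(num "$a_f"); b_n=$(num "$b_f")
    if [ "$a_n" -lt "$b_n" ]; then echo -1; return; fi
    if [ "$a_n" -gt "$b_n" ]; then echo 1; return; fi
  done
  if [ "$a_build" -lt "$b_build" ]; then echo -1
  elif [ "$a_build" -gt "$b_build" ]; then echo 1
  else echo 0
  fi
}

# Fixed builds from the advisory, keyed by product and release branch.
fixed_version() {
  case "$1:$2" in
    "BeePhotos:1.1")      echo 1.1.0-10053 ;;
    "BeePhotos:1.0")      echo 1.0.2-10026 ;;
    "SynologyPhotos:1.7") echo 1.7.0-0795 ;;
    "SynologyPhotos:1.6") echo 1.6.2-0720 ;;
    *) return 1 ;;
  esac
}

# is_patched PRODUCT INSTALLED -> prints patched, vulnerable or unknown.
# "unknown" means the branch is not covered by the advisory: treat it as
# unsupported and consult Synology rather than assuming it is safe.
is_patched() {
  product=$1; installed=$2
  branch=${installed%.*}                       # 1.6.2-0720 -> 1.6
  fixed=$(fixed_version "$product" "$branch") || { echo unknown; return 2; }
  if [ "$(vercmp "$installed" "$fixed")" -ge 0 ]; then
    echo patched; return 0
  fi
  echo vulnerable; return 1
}

# On a DSM unit (assumed package name, verify locally):
#   is_patched SynologyPhotos "$(synopkg version SynologyPhotos)"
# Constructed sample inventory for an offline run:
for entry in "SynologyPhotos 1.7.0-0795" "SynologyPhotos 1.6.1-0713" \
             "BeePhotos 1.1.0-10053" "BeePhotos 1.0.1-10010" \
             "SynologyPhotos 1.5.0-0100"; do
  set -- $entry
  printf '%-15s %-12s %s\n' "$1" "$2" "$(is_patched "$1" "$2")"
done
```

Run it over an exported inventory (hostname, product, version) and act on every line that is not `patched`; a build on a branch the advisory does not list is reported as `unknown` on purpose rather than silently passing.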

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

Patching an appliance or application to the latest version protects against future exploitation, but it does not remediate a compromise that has already taken place. A device that was reachable while unpatched should be checked for signs of intrusion, not just updated.

References

Bleeping Computer: https://www.bleepingcomputer.com/news/security/synology-fixed-two-critical-zero-days-exploited-at-pwn2own-within-days/

MidnightBlue: https://www.midnightblue.nl/research/riskstation