
Synology Pulls Remote Access Services From Vulnerable NAS Devices in SynoLocker Response


Synology last night released a further update to NAS users concerned about the recent SynoLocker ransomware attack. While the company has been criticised by some users on their own forums for slow communication regarding the issue, a number of updates have been issued this week with a consistent call to action: ensure you’re running the latest version of DiskStation Manager on your NAS device.

To reinforce that advice, Synology have now taken the step of blocking certain remote access services for devices that have not been updated. The two services, DDNS and QuickConnect, provide easy configuration of NAS devices for remote access over the Internet. By blocking these remote access services, vulnerable devices should be afforded some protection from the SynoLocker exploit while users get around to updating the DiskStation Manager software.

As these remote access services are hosted by Synology (translating device IP addresses to friendly remote access URLs), it’s relatively straightforward for the company to block remote access to devices running outdated and vulnerable versions of the DiskStation Manager software. Undoubtedly, it’s an extreme measure, but one that Synology clearly believes is necessary to prevent further exploitation of its users.

To keep up to date with Synology’s security announcements, it’s well worth bookmarking Synology’s Security Advisory page.

With a recent security review reportedly uncovering a swathe of security vulnerabilities across multiple NAS vendors, we’d advise NAS users to ensure they’re always running the latest version of their NAS software, and to evaluate whether they truly need remote access to their devices from across the Internet. The most important advice: ensure you have an offline backup of your important data.

According to Computerworld, the review by Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, has identified 22 CVE (Common Vulnerabilities and Exposures) issues, and more are expected as the study continues. Devices in the evaluation include Asustor’s AS-602T, TRENDnet’s TN-200 and TN-200T1, QNAP’s TS-870, Seagate’s BlackArmor 1BW5A3-570, Netgear’s ReadyNAS104, D-LINK’s DNS-345, Lenovo’s IX4-300D, Buffalo’s TeraStation 5600, Western Digital’s MyCloud EX4 and ZyXEL’s NSA325 v2.

“There wasn’t one device that I literally couldn’t take over,” said Holcomb.

Here’s the full update from Synology:

Dear Synology users,

We have discovered security vulnerabilities in the software currently installed on your Synology product. These vulnerabilities might result in unauthorized parties compromising your Synology product.

We strongly suggest you install the newest version of DSM as soon as possible. To do so, please visit our Download Center and download DSM 5.0-4493, DSM 4.3-3827, DSM 4.2-3250, or DSM 4.0-2263 according to your current version. Then, log in to DSM and go to Control Panel > Update & Restore > DSM Update > Manual DSM Update (for DSM 4.3 and earlier, please go to Control Panel > DSM Update > Manual DSM Update) and manually install the patch file.

For more information about security issues related to Synology products, please check our Synology Product Security Advisory page.

Running the latest version of DSM is essential to guarantee your Synology product is protected from threats fixed in previous versions. In this respect, we are no longer providing DDNS and QuickConnect services for Synology products that are running vulnerable versions of DSM. To continue enjoying Synology’s DDNS and QuickConnect service, please follow the instructions above to update your Synology product.

We apologize for any inconvenience caused by this issue. Should you encounter any further problems, please feel free to contact our technical support team.

Sincerely, 
Synology Development Team
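The notice above names the earliest DSM build on each release branch that carries the fix. The following is an added example (not Synology’s code and not part of the original article) of how an administrator might audit a fleet of NAS devices against those builds; the inventory and device names are constructed, and any branch the notice does not list (such as 4.1) is treated as unpatched.

```python
import re
from typing import Dict, List, Optional, Tuple

# Earliest DSM builds carrying the fix, per release branch, as listed in
# Synology's notice: 5.0-4493, 4.3-3827, 4.2-3250 and 4.0-2263.
PATCHED_BUILDS: Dict[str, int] = {
    "5.0": 4493,
    "4.3": 3827,
    "4.2": 3250,
    "4.0": 2263,
}

# DSM versions are written as "<major>.<minor>-<build>", e.g. "4.3-3810".
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)$")


def parse_dsm_version(version: str) -> Optional[Tuple[str, int]]:
    """Split '4.3-3810' into ('4.3', 3810); None if not in that form."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2))


def is_patched(version: str) -> bool:
    """True only when the build is at or above the fixed build for its branch.

    Fails closed: an unparseable version, or a branch with no listed fix
    (e.g. 4.1, which the notice does not mention), counts as unpatched.
    """
    parsed = parse_dsm_version(version)
    if parsed is None:
        return False
    branch, build = parsed
    fixed = PATCHED_BUILDS.get(branch)
    return fixed is not None and build >= fixed


def audit_fleet(devices: Dict[str, str]) -> List[str]:
    """Names of devices not on a patched DSM build, i.e. those that should
    be updated before relying on DDNS/QuickConnect again."""
    return sorted(name for name, ver in devices.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed inventory for demonstration only; not real devices.
    inventory = {"office-ds415": "5.0-4493", "lab-ds412": "4.3-3810",
                 "archive-ds213": "4.1-2851", "branch-ds1513": "4.2-3250",
                 "unknown-box": "DSM 4.3"}
    for name in audit_fleet(inventory):
        print(f"UPDATE NEEDED: {name} ({inventory[name]})")
```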

Terry Walsh is the founder of We Got Served. He started the community in February 2007 with a mission to help families, tech enthusiasts everywhere figure out the technology needed to run the modern home and small business. He's the author of a number of guides to Windows, Windows Server and OS X Server and runs his own successful publishing business. Born and raised in Liverpool, England, Terry has been awarded Microsoft's prestigious Most Valuable Professional Award each year since 2008 for his work on We Got Served.
  • Bob T

    The fact that this infection occurred in such a short time indicates that the perpetrators must have had a list of URLs where users were located, as well as the technical information and ability to inject the infection software. This could only have come from inside information, and I think that Synology has to be culpable and responsible. I expect Synology to do whatever is required to acquire the decryption codes.

    I have 28 years of corporate data on my Synology DS and much of it will be very difficult and expensive to recover because it is on very old media. If we are forced to recover this information, it will cost us hundreds of thousands of dollars and we will still probably not be able to get it all.

    I have filed a report with the FBI. I will be checking with my lawyer, and I may take this issue to the news media. I view this as a crime of extortion, for which Synology bears at least some responsibility. It may also be a terrorist cyber-attack.

    Sincerely,
    CEO, CompuCall, Inc.
    (And our website is down indefinitely while this is resolved.)

    • Level380

      Are you saying you got hacked? Well, that was silly of you not to PATCH your systems; this security hole was fixed in an updated release 9 months ago! Plus it was silly to expose your NAS’s management interface to the web!

  • tim

    You kept 28 years of data on a NAS unit and didn’t back up to a second location? With a fancy title like CEO you should know better than to be relying on a consumer grade NAS for your company. Perhaps you need to downgrade your title!

    • rhtoews

      Thanks for making this personal, Tim. You are a real idiot, so I’m not going to explain exactly why my company did what it did. In any case, the problem is not ours… we took proper precautions with McAfee. This was a SQL-injection attack on our machine, which was not running any SQL-based databases except what the Synology system software used. We had no idea that there was a SQL backdoor into our server. The point is that Synology is at fault regardless of what YOU think my company should have done.

      • Level380

        Oh you took proper precautions. so you have a backup then…. So great! Not to worry.

        McAfee/RAID are not backups. RAID protects against HDD failure only, not corrupt data, or loss of data!

        It’s also not Synology’s fault that you exposed your NAS to the internet… Want to run the web server? Fine, then only expose ports 80/443. Not every darn port on the box!

  • rhtoews

    This is clearly an “inside job”. The technique used was SQL Injection. As a computer scientist myself, I know exactly how to implement SQL Injection and how to design software to prevent such attacks. I had no idea that my Synology DS had a SQL interface which was vulnerable. I know that there were warning emails in January 2014, and I’m pretty sure we complied with them, so I don’t quite understand Synology’s statements that the vulnerability was “fixed” after that.
    This attack was quite complex, so it was obviously planned well as a way to make a lot of money by cyber extortion.
    I know that it is not too difficult to break any particular machine, but in this case the perpetrators broke into a whole lot of machines in just a few days. The passwords of any server can be broken with the right software and enough time, but we are not just talking about a few servers here. There are over 4.2 billion IP addresses on the Internet. Just how did the perpetrators know which ones to attack? You can’t simply do a search for all Synology servers on the Internet and come up with a list of IP addresses in a practical amount of time. The list of IP addresses MUST have come from Synology’s internal records which were based on product registrations and update downloads.
    I don’t know if this attack happened because a disgruntled employee released the list of IP addresses or what, but the evidence says that the information necessary to execute this attack came from Synology itself, and they are responsible for the consequences.
    Robert Toews
    CEO, CompuCall, Inc.

    • Level380

      “As a computer scientist myself”, and “I know that it is not too difficult to break any particular machine”

      So knowing all this, yet you forgot to take backups, forgot to patch the system for a 9 month old issue, and forgot that exposing your device to the internet comes with risks… OK, got it!

      I doubt it was a leak; it was mostly a google search that returned the web interfaces. Google can return lots of interesting things, cough, try searching for inurl:webman/index.cgi, but as a computer scientist who can do sql injections you already knew this, right? :)

      • rhtoews

        Wrong. We have backups. We have an HP Server which we retired in 2012, and we have the more current data on other machines. The Synology DS was supposed to be a central point and has 15 TB containing about 6 TB of data. How long do you think it is going to take to copy all that data back again? As far as I know we upgraded the DS whenever we received an email, including the one in January 2014. We develop software here and I don’t pretend to know everything as you do. I’ll have to try that inurl thing.

        • Level380

          When you say “I have 28 years of corporate data on my Synology DS and much of it will be very difficult and expensive to recover because it is on very old media”

          This says you don’t have *current* working backups…..

          I’m not pretending anything here. Just saying it’s not Synology’s fault for lack of patching from your side or lack of current valid backups.

      • rhtoews

        Okay…I can’t seem to make Google find all the Synology DSs on the Internet. Maybe you could explain again how to do that. Then, even if you find them all, how do you manage to decrypt all the passwords so fast? I expect risks on the Internet, but I don’t expect there to be unprotected SQL interfaces on network servers which are not documented in any way by the vendor. :)

        • Level380

          I’ll make it easy for you, here is the google search link

          http://bit.ly/1oFyfuc

          Google is showing 33,700 results… That’s a lot of boxes with the web management interface on the internet.

          Maybe you need to lookup how a vulnerability works…. They don’t need to decrypt any passwords!

          • bob

            Sure, I can get all 33K+ URLs containing Webman too, but where is the SQL interface? I made damn sure there was no way to enter valid SQL statements on my website. So how did they get in, if not for an undocumented and unprotected interface in the DSM OS? Such vulnerabilities are so well known that I can’t believe that the Synology programmers didn’t spot it. When I was developing web software a few years ago, we all made very sure that no such SQL backdoors were present. We tediously examined every text entry field to be sure they would not allow any SQL keywords or statements. I tend to believe that it was intentionally left in by a rogue Synology programmer. If Synology has some sort of SQL maintenance interface, they should have protected it by passwords and syntax verification filters. The fact that this vulnerability occurred is Synology’s fault, and trying to pass the buck by blaming us users for not backing up or downloading software revisions is a very poor excuse for their incompetence or possible criminality.

          • Level380

            Clearly you’re the best programmer in the world!!! Your software would never have had any issues.

            Once again, passwords and protection don’t mean anything against vulnerabilities. Look it up, world’s best programmer.

            I’ve had enough of feeding the trolls… enjoy your storm in a teacup over there please.

          • bob

            And by the way, my URL does not show up in your suggested search because it doesn’t contain anything which would indicate the kind of NAS I’m using. So how did it get found? I still say the only practical explanation is that the list of IP addresses to attack had to have come from inside Synology. They are the only entity that would have a list of registered machines or update requests. Do you work for Synology?

          • Level380

            No I don’t work for Synology. I just find it funny that someone like you with all your ‘skills’ and years of experience is crying a small river over being hacked and didn’t have a backup. Backups are lesson 101. All the information is out there on what dsm versions are impacted and what the issue was, and what you had to be doing to get hacked.

            I’m not silly enough to present my mgmt interface to the internet, but I was silly enough to feed the trolls by replying.

          • tim

            Level380 – I hear you. So many “system admins” and “computer scientists” are looking to point the finger at Synology on this one because they got caught with their pants down. 28 years of data lost with no backup?!? – that is just silly. How do you run your business that way?

          • buchacho

            Wow, the first one I clicked on has been affected.

      • rhtoews

        In reassessing the situation overnight, I find that we have plenty of backups of all the data we need for at least 7 years in the past. It’s just the really old historical data that we may have difficulty recovering. To use an analogy, if your house burns down, you will probably lose a lot of sentimental things… so why didn’t you make duplicates of all that stuff? It’s a risk versus cost calculation that everyone, including small businesses, makes.

        As for the updates, I have no emails from Synology telling us to update our DSM; however, I know we checked for updates at least every month manually. The problem was apparently that when DSM 4.3-3810 or earlier, DSM 4.2-3236 or earlier, DSM 4.1-2851 or earlier, or DSM 4.0-2257 or earlier is installed, the system says no updates are available at Control Panel > DSM Update.
        The first security advisory which mentions the Synolocker threat was not published by Synology until August 7, 2014, which was a little too late for us.
        I still believe that if you try to explain how this all happened, and believe in Occam’s Razor like I do, then the simplest explanation is that the information necessary to find all the Synology DSMs out there must have come from an internal company source, and the existence of an SQL interface, which contained the vulnerability, should not have been made known to us customers. If we had known there was a hidden SQL interface, we might have made some different security decisions. Just saying.
        Believe it or not, after we get through this problem, we are planning to purchase a DS1513+ as a second NAS device for complete data duplication. We’re also going to rethink our entire Internet interface according to Best Practices. We’ve always concentrated our efforts on developing good software and maybe had too much blind trust in off-the-shelf Synology DSM security.

        • tim

          I didn’t get any e-mail to update either, but I updated to 5.0 and above – and I am just a guy that uses his DS412+ as a media machine – it’s not like it was a job or anything to keep the data safe.

          I am glad you’re going to start backing up. Consider keeping the second DS at a different location. I back up my important files to an external HD and keep them in my safety deposit box at the bank.

          • rhtoews

            Interesting. I do the same thing. About twice a year, especially when I go on long international trips, I put all my really important software and data on disk drives and put it in a large safe deposit box. Lately, I’ve been using a handful of 64-GB thumb drives, so maybe I can get a smaller safe deposit box.

          • Cam Ford

            I use a 2TB USB3.0 thumb drive – actually only half the size of my thumb – and regularly copy all backups there for disasters. Beats carrying around 40 x 64GB thumb/flash drives.
