Synology last night released a further update to NAS users concerned about the recent SynoLocker ransomware attack. While the company has been criticised by some users on their own forums for slow communication regarding the issue, a number of updates have been issued this week with a consistent call to action: ensure you’re running the latest version of DiskStation Manager on your NAS device.
To reinforce that advice, Synology have now taken the step of blocking certain remote access services for devices that have not been updated. The two services, DDNS and QuickConnect, provide easy configuration of NAS devices for remote access over the Internet. By blocking access to these remote access services, vulnerable devices should be afforded some protection from the SynoLocker exploit while users get around to updating the DiskStation Manager software.
As these remote access services are hosted by Synology (translating device IP addresses to friendly remote access URLs), it’s relatively straightforward for the company to block remote access to devices running outdated and vulnerable versions of the DiskStation Manager software. Undoubtedly, it’s an extreme measure, but one that Synology clearly believes is necessary to prevent further exploitation of its users.
To keep up to date with Synology’s security announcements, it’s well worth bookmarking Synology’s Security Advisory page.
With a recent security review reportedly uncovering a swathe of security vulnerabilities across multiple NAS vendors, we’d advise NAS users to ensure they’re always running the latest version of their NAS software, and to evaluate whether they truly need remote access to their devices from across the Internet. The most important advice: ensure you have an offline backup of your important data.
According to Computerworld, the review by Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, has identified 22 CVE (Common Vulnerabilities and Exposures) issues and more are expected as the study continues. Devices in the evaluation include Asustor’s AS-602T, TRENDnet’s TN-200 and TN-200T1, QNAP’s TS-870, Seagate’s BlackArmor 1BW5A3-570, Netgear’s ReadyNAS104, D-LINK’s DNS-345, Lenovo’s IX4-300D, Buffalo’s TeraStation 5600, Western Digital’s MyCloud EX4 and ZyXEL’s NSA325 v2.
“There wasn’t one device that I literally couldn’t take over”, said Holcomb.
Here’s the full update from Synology:
Dear Synology users,
We have discovered security vulnerabilities in the software currently installed on your Synology product. These vulnerabilities might result in unauthorized parties compromising your Synology product.
We strongly suggest you install the newest version of DSM as soon as possible. To do so, please visit our Download Center and download DSM 5.0-4493, DSM 4.3-3827, DSM 4.2-3250, or DSM 4.0-2263 according to your current version. Then, log in to DSM and go to Control Panel > Update & Restore > DSM Update > Manual DSM Update (for DSM 4.3 and earlier, please go to Control Panel > DSM Update > Manual DSM Update) and manually install the patch file.
For more information about security issues related to Synology products, please check our Synology Product Security Advisory page.
Running the latest version of DSM is essential to guarantee your Synology product is protected from threats fixed in previous versions. In this respect, we are no longer providing DDNS and QuickConnect services for Synology products that are running vulnerable versions of DSM. To continue enjoying Synology’s DDNS and QuickConnect service, please follow the instructions above to update your Synology product.
We apologize for any inconvenience caused by this issue. Should you encounter any further problems, please feel free to contact our technical support team.
Synology Development Team
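As an added illustration, not Synology's code and not part of the original post, the following Python snippet shows the kind of version gate described above: it takes the minimum patched builds named in the notice (5.0-4493, 4.3-3827, 4.2-3250, 4.0-2263) and classifies reported DSM version strings as patched, vulnerable or unknown, so an administrator can triage a fleet of devices before the DDNS/QuickConnect block affects them. The version-string format ("DSM major.minor-build", optional "Update N" suffix), the treatment of unlisted branches, and the inventory map are assumptions made here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum patched DSM build per release branch, taken from the Synology
# notice quoted above (DSM 5.0-4493, 4.3-3827, 4.2-3250, 4.0-2263).
PATCHED_BUILDS = {(5, 0): 4493, (4, 3): 3827, (4, 2): 3250, (4, 0): 2263}

# Assumed version-string format: "DSM 5.0-4493", optionally "... Update 1".
_VERSION_RE = re.compile(
    r"^(?:DSM\s+)?(\d+)\.(\d+)-(\d+)(?:\s+Update\s+\d+)?$", re.IGNORECASE)


def parse_dsm_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, build) from a DSM version string, or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, build = (int(g) for g in m.groups())
    return major, minor, build


def dsm_status(text: str) -> str:
    """Classify a reported version as 'patched', 'vulnerable' or 'unknown'.

    A branch absent from PATCHED_BUILDS (e.g. 4.1) is reported as 'unknown'
    rather than assumed safe, since the notice names no fixed build for it.
    An 'Update N' suffix never lowers the build number, so a device on
    5.0-4493 Update 2 still counts as patched.
    """
    parsed = parse_dsm_version(text)
    if parsed is None:
        return "unknown"
    major, minor, build = parsed
    minimum = PATCHED_BUILDS.get((major, minor))
    if minimum is None:
        return "unknown"
    return "patched" if build >= minimum else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group device names by status; inventory is a hypothetical name -> version map."""
    groups: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for name, version in inventory.items():
        groups[dsm_status(version)].append(name)
    return groups
```

Anything in the "vulnerable" or "unknown" buckets is a device that should be updated (or at least taken off remote access) before relying on Synology's service-side block.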