Researchers Find Critical ‘Zero-Click’ Vulnerability in Synology Photos App


A security researcher from Midnight Blue, a Dutch security consultancy, has discovered a "zero-click" vulnerability in the Photos application that ships pre-installed on Synology NAS devices.

As reported by Wired, the vulnerability was demonstrated at the Pwn2Own hacking contest in Ireland by security researcher Rick de Jager. It affects both Synology Photos, the NAS application that runs on DSM, and BeePhotos, the equivalent application on Synology's BeeStation devices.

“The vulnerability was initially discovered, within just a few hours, as a replacement for another Pwn2Own submission. The issue was disclosed to Synology immediately after demonstration, and within 48 hours a patch was made available which resolves the vulnerability,” Midnight Blue says.

“However, since the vulnerability has a high potential for criminal abuse, and millions of devices are affected, a media reach-out was made to inform system owners of the issue and to stress the point that immediate mitigative actions are required.”

A "zero-click" vulnerability is one an attacker can exploit without any action by the device's owner, such as opening a file or clicking a link. In this case, Wired explains, the flaw also requires no authentication, so an attacker can trigger it over the internet against any exposed device without first getting past a login. Once exploited, it gives the attacker root access on the NAS, which means they can install and run arbitrary code on the device.

Synology was made aware of the vulnerability last week, immediately after the Pwn2Own demonstration, and quickly pushed out a fix. However, because Synology NAS devices do not install updates automatically, owners are urged to update their devices now. The fix is available for BeePhotos for BeeStation OS 1.1 (upgrade to 1.1.0-10053 or above), BeePhotos for BeeStation OS 1.0 (upgrade to 1.0.2-10026 or above), Synology Photos 1.7 for DSM 7.2 (upgrade to 1.7.0-0795 or above), and Synology Photos 1.6 for DSM 7.2 (upgrade to 1.6.2-0720 or above).

NAS devices are a common target for attackers because they usually hold large amounts of personal data and are often reachable from the internet. In late June 2021, Western Digital's My Book Live NAS products suffered a major attack that exploited two serious vulnerabilities. The problem was so severe that it allowed attackers to remotely access the devices and wipe their hard drives. Western Digital responded by instructing users to update their devices' firmware, but not all affected devices could be updated, and the updated software introduced other problems for photographers.
