Security researchers found a serious zero-click bug in Synology’s Photos app


If you have a Synology NAS drive, you may want to update your device as soon as possible. As first reported by Wired, a group of Dutch security researchers recently identified a zero-click vulnerability in Synology Photos. For the uninitiated, these types of bugs allow hackers to compromise a system without the user having to click anything first. To make matters worse, the software is pre-installed and enabled by default on Synology’s consumer line of Bee network storage devices. It’s also a popular download among users of the company’s DiskStation systems.

Midnight Blue, the cybersecurity firm that discovered the vulnerability, estimates that millions of Synology users could be at risk. Although the company has released a security patch to fix the bug, its NAS devices don’t download updates automatically. “It is not meaningless to find [the vulnerability] alone, independently,” one of the researchers, Carlo Meijer, told Wired. “But it’s pretty easy to figure out and connect the dots when the patch is actually released, and you reverse-engineer the patch.”

According to Midnight Blue, the zero-click flaw lies in an unauthenticated part of the Synology Photos app. As a result, attackers can exploit it directly over the Internet, without needing to bypass the gateway first. They can then gain root access and install malicious code on the compromised device. At that point there’s not much a malicious actor can’t do, the firm notes, so it would be possible to enlist an infected device into a botnet. The possibility of a ransomware attack targeting Synology devices is not merely theoretical: earlier this year, DiskStation users reported that they had been the target of a ransomware attack.
