Just a heads up for any of us here on HeXus that might be running a Synology NAS unit, there is a nasty bit of ransomware out there that is going after us.
I've taken the option to shut all remote access to my NAS unit off bar access from my own pc and the WDTVLive downstairs till we get more information on what is going off.
https://www.facebook.com/synology/po...857897?fref=nf
More info
http://www.geekzone.co.nz/forums.asp...0814&page_no=1
Last edited by Apex; 05-08-2014 at 01:18 PM.
I've got four of these in use. Three are behind a hardware firewall (Smoothwall) and one is locked fairly tightly.
Hopefully I'm safe for now
As I said in the other thread: why would anyone expose a NAS to the internet?
Synology bundle a whole heap of packages with their NASes some of which require outside access - See here > https://www.synology.com/en-uk/dsm/app_packages
My backups are piped from an onsite NAS to an offsite NAS but I use a VPN. Others, like the chap who went on to twitter to complain, have SMB and AFP wide open without (at least in his case) knowing. Quite how they've managed to do that is beyond me though.
The quick connection app more then likely if you let it will open a hell of a lot of ports out to the router.....
Thanks man.
I've turned mine off until I get home and close all open ports that it requires. Hopefully a patch will be released in due course.
Originally Posted by Apex
Just a quick update:
Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.
For Synology NAS servers running DSM 4.3-3810 or earlier, and if users encounter any of the below symptoms, we recommend they shut down their system and contact our technical support team here: https://myds.synology.com/support/support_form.php.
When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
A process called “synosync” is running in Resource Monitor.
DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.
For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:
For DSM 4.3, please install DSM 4.3-3827 or later
For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
For DSM 4.0, please install DSM 4.0-2259 or later
DSM can be updated by going to Control Panel > DSM Update. Users can also manually download and install the latest version from our Download Center here: http://www.synology.com/support/download.
If users notice any strange behaviour or suspect their Synology NAS server has been affected by the above issue, we encourage them to contact us at security@synology.com, where a dedicated team will look into their case.
We sincerely apologise for any problems or inconvenience this issue has caused our users.
CVE here
Going from the Syno forum post, the CVE behind this exploit appears to be this one:
http://www.rapid7.com/db/modules/exp...ad_exec_noauth
No authentication required, dumps a file on the local system and then executes it as root apparently. Do the synology web services run as root?! Seriously... that's like eggs 101, Woodhouse.
That's a relief, I installed 5.0 when installing it.
Am I correct in saying that this exploit only immediately affects those who have their NAS set as the DMZ on the router/do not use NAT?
Not sure, they arn't really forthcoming on how the units are getting owned.
In related news, they've got the database of keys for the original Cryptolocker so you now unlock if you get hit:
http://www.bbc.co.uk/news/technology-28661463
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote