

Two years ago, we found a critical vulnerability, CVE-2021-31439, on Synology NAS. This vulnerability lets an unauthenticated attacker gain code execution on a remote Synology DiskStation NAS server. We used this vulnerability to exploit the Synology DS418play NAS at Pwn2Own Tokyo 2020. After that, we found that the vulnerability exists not only on Synology but also on most NAS vendors. In the following we describe the details and how we exploited it. This research was also presented at HITCON 2021.

Motivation

Why do we want to research NAS?

In the early days, NAS was generally used to separate the server from the data and also for backup. It was mainly used to allow users to directly access data and share files over the Internet. In modern times, NAS provides not only file sharing but also various services. In this era of the Internet of Things, more people will combine NAS with home assistants to make life more convenient.

Red Team

While we were doing red team assessments, we found that NAS generally appeared in the corporate intranet, or was sometimes even exposed to the external network. Companies usually store a lot of confidential information on the NAS. Therefore, NAS gradually attracted our attention, and its strategic value has become much higher than before. NAS has become more and more popular in recent years, and more and more people store important data on it. At the beginning of last year, NAS vulnerabilities led to an outbreak of locker (ransomware) incidents. We hope to reduce the recurrence of similar events, so we raised the priority of NAS research in order to improve NAS security. The last reason is that NAS has been one of the main targets of Pwn2Own Mobile since 2020. We also wanted to try to join the Pwn2Own event, so we decided to make NAS the primary goal of our research at that time. Because Synology is the most popular NAS in Taiwan, we decided to start from it. Our device is very similar to the DS418play (the target of Pwn2Own Tokyo 2020). In order to better match the environment we usually encounter and the requirements of Pwn2Own, the device is kept in its all-default-settings state.

Attack surface

First of all, we can use netstat to find which ports are open. We can see that in the default environment many services are open, such as smb/nginx/afpd. On UDP there are minissdpd/findhost/snmpd, etc.; most of these protocols help to discover devices. We selected a few services for preliminary analysis.

This part is probably the one that most people analyze, and it has obvious entry points. Many years ago there were many command injection vulnerabilities, but after that Synology set strict specifications, and there are almost no similar problems nowadays.

The SMB protocol in Synology is based on Samba. Due to the large number of users, many researchers are doing code review on it. Therefore, many vulnerabilities are found in Samba every year; the most famous one recently is SambaCry. But because more people are reviewing it, it is relatively safer than the other services.

The iSCSI component mainly helps users manage and monitor iSCSI services, and it is developed by Synology itself. There have been a lot of vulnerabilities in iSCSI recently. If there is no other attack surface, we might analyze it first.

(Figure: Netatalk Synology code)

The last one is Netatalk, which is known as the AFP protocol. Netatalk in Synology is based on Netatalk 3.1.8. The most critical vulnerability recently is CVE-2018-1160.
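The port inventory that opens the attack-surface survey above (netstat, then sorting the listeners into services such as smbd, afpd, nginx, minissdpd and snmpd) can be scripted so that the same survey is repeatable on any NAS you are assessing or hardening. The following POSIX shell script is an added example, not code from the original post or from Synology; the netstat output it parses is constructed for the example and is not a capture from a real DiskStation. It lists every listening TCP/UDP socket with its protocol, port, bind address and program, and separately reports the ones bound to a non-loopback address, which are the services actually reachable from the network.

```sh
#!/bin/sh
# Added example (not from the original post): summarise listening services
# from `netstat -tulpn`-style output, the first step of the attack-surface survey.
# The sample below is CONSTRUCTED for this example, not captured from a real device.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1201/smbd
tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN      1310/afpd
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1422/nginx: master
tcp        0      0 127.0.0.1:3260          0.0.0.0:*               LISTEN      1500/iscsi_pluginse
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1600/minissdpd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1700/snmpd'

# list_listeners NETSTAT_TEXT
# Prints one line per listening socket: "proto port bind program", sorted by port.
# UDP rows have no State column, so the PID/Program field is located by its
# "<pid>/" prefix instead of by a fixed column index.
list_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, addr, ":")
            port = addr[n]
            bind = addr[1]
            if (bind == "") bind = "::"          # ":::445" means all IPv6 interfaces
            start = 0
            for (i = 5; i <= NF; i++) if ($i ~ /^[0-9]+\//) { start = i; break }
            if (start == 0) next                  # no program column (not run as root)
            prog = $start
            for (i = start + 1; i <= NF; i++) prog = prog " " $i
            sub(/^[0-9]+\//, "", prog)            # drop the PID, keep the program name
            print $1, port, bind, prog
        }' | sort -k2,2n
}

# exposed_listeners NETSTAT_TEXT
# Same format, but only sockets bound to a non-loopback address, i.e. the
# services a remote client can reach. Loopback-only services are still worth
# noting, but they are not part of the unauthenticated network attack surface.
exposed_listeners() {
    list_listeners "$1" | awk '$3 != "127.0.0.1" && $3 != "::1"'
}

# listener_count / exposed_count NETSTAT_TEXT: number of rows in each report.
listener_count() { list_listeners "$1" | awk 'END { print NR }'; }
exposed_count()  { exposed_listeners "$1" | awk 'END { print NR }'; }

# Run on the constructed sample; on a real host use:
#   exposed_listeners "$(netstat -tulpn 2>/dev/null)"
echo "All listening sockets:"
list_listeners "$SAMPLE_NETSTAT"
echo
echo "Reachable from the network:"
exposed_listeners "$SAMPLE_NETSTAT"
```

On the sample, the loopback-bound iSCSI plugin drops out of the second report while smbd, afpd, nginx, minissdpd and snmpd remain, which is exactly the set of services the post goes on to triage. The program column only appears when netstat runs as root, so the parser skips rows that lack it rather than misreading the foreign address as a program name.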
