Synology zero click issue
In case you haven't heard...
Thanks, yea, caught this article a few days ago and removed the app.
Believe there was an update pushed out a while back that was intended to correct that issue.
I love the ignorance of the platform by Wired. Most users of the products won't know they need to update.
By default, Synology package alerts are turned on and when you log into the NAS there is a red dot in the notification and e-mail notifications from Synology for high-risk components that need patching.
Here is the CVE: CVE-2024-10443
Here are the versions that you need to patch to:
- BeePhotos for BeeStation OS 1.1: Upgrade to 1.1.0-10053 or above
- BeePhotos for BeeStation OS 1.0: Upgrade to 1.0.2-10026 or above
- Synology Photos 1.7 for DSM 7.2: Upgrade to 1.7.0-0795 or above.
- Synology Photos 1.6 for DSM 7.2: Upgrade to 1.6.2-0720 or above.
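The fixed builds listed above are keyed by release line, so an installed 1.6.x build has to be compared against the 1.6 fix, not the 1.7 one, and the build number after the dash is zero-padded and must be compared numerically rather than as text. The following is an added example (not code from the thread or from Synology) that encodes those four fixed versions and checks a constructed inventory of installed package versions against them; release lines not in the list are reported as unknown rather than guessed.

```python
import re
from typing import Optional

# Minimum fixed versions as listed in the post above (CVE-2024-10443).
# Keys are (package, release line); values are the first fixed build.
FIXED_VERSIONS = {
    ("BeePhotos", "1.1"): "1.1.0-10053",
    ("BeePhotos", "1.0"): "1.0.2-10026",
    ("Synology Photos", "1.7"): "1.7.0-0795",
    ("Synology Photos", "1.6"): "1.6.2-0720",
}

# Synology package versions look like MAJOR.MINOR.PATCH-BUILD, e.g. 1.7.0-0795.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> tuple:
    """Turn '1.7.0-0795' into (1, 7, 0, 795) so tuples compare numerically.
    Comparing the raw strings would misorder builds such as 0795 vs 10053."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised package version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(package: str, installed: str) -> Optional[bool]:
    """True if `installed` is at or above the fixed build for its release line,
    False if it is below, None if this table says nothing about that line."""
    major, minor, _, _ = parse_version(installed)
    fixed = FIXED_VERSIONS.get((package, f"{major}.{minor}"))
    if fixed is None:
        return None
    return parse_version(installed) >= parse_version(fixed)


def check_inventory(inventory):
    """Evaluate (package, installed_version) pairs; returns a dict of verdicts."""
    return {(pkg, ver): is_patched(pkg, ver) for pkg, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; these installed versions are hypothetical.
    sample = [
        ("Synology Photos", "1.6.1-0700"),
        ("Synology Photos", "1.7.0-0795"),
        ("BeePhotos", "1.1.0-10052"),
        ("Synology Photos", "1.5.3-0600"),
    ]
    labels = {True: "patched", False: "NEEDS UPDATE", None: "not in advisory table"}
    for (pkg, ver), verdict in check_inventory(sample).items():
        print(f"{pkg} {ver}: {labels[verdict]}")
```

Feed it the versions shown in Package Center (or from `synopkg version <package>` on the NAS, which is an assumption about the CLI, not something the thread states) and anything reported as NEEDS UPDATE is below the advisory's fixed build for its line.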
There are a fair number of models that aren't getting offered the 7.2.x updates automatically. I have a DS218+ that was on 7.1 and not being offered the 7.2.2.x update due to "Staged Rollout." I manually updated all packages and DSM, then removed the Photos app for good measure.
Used Download Center | Synology Inc. to get the necessary files (two required in my case) to update my older NAS manually.
Seems like pretty recent stuff, from what I'm seeing in the Synology DSM download release dates...

I know what you mean by staged rollout. I have 7.2, got offered the 7.2.2.x update, ignored it for a couple of days, and it was gone from the updates screen next time I looked. I did the manual upgrade from their web site after that. I did see the Photos patch days after the Pwn2Own competition notification of the vulnerability.
I love what Pwn2Own does. Lots of teams going after NAS (Synology, TrueNAS, QNAP) and Surveillance products and printers.
Yup...so good that they help find issues like this, and love how they've set up the whole thing.
It could be worse, look what D-Link told its users:
Yeah that's kind of a bummer if you own one of those.
But in D-Link's defense, the first NAS I ever bought was the DNS-320. Looks like it was released in 2011, so that would make the model 13 years old. I'm ok with an EOL on a product that old. As far as I can tell, D-Link doesn't even sell NAS devices anymore. They probably don't have any engineers around anymore who worked on that program. I worked for a consumer electronics company and it was a real issue when older hardware had problems and there was no one left around who was ever involved in the firmware or software.
That doesn’t seem like a fair comparison though.
Presumably this vulnerability affects Synology device models that are still actively supported by the manufacturer and receiving updates.
The D-Link vulnerability affects devices that already reached their end of life that was (I assume) previously announced by the manufacturer.
Are there any consumer NAS manufacturers that continue to offer security updates indefinitely, including for older hardware?
I don’t know of any manufacturer of any device that offers patches after a device reaches an announced EOL date.
We actually found it was dangerous to try to patch really old HW, more likely to turn a customer's device into a doorstop by asking engineers to patch really old (and often insufficiently documented) code where they have zero familiarity.
WTF? From the 7.2 release notes:
For the models below, you can only download the upgrade patch from Synology Download Center because you won't receive notifications for this update on your DSM.
My NAS tells me "Your DSM version is up-to-date". There are lots and lots of security updates listed in the release notes. Why on earth wouldn't you at least be notified of this update? Seems like BS to me.
I manually installed 7.2.2-72806 and then the Update 1 patch. Nothing seemed to blow up. I had to uninstall Synology Videos but I never used it anyhow.
Guess I'll have to babysit my NAS from now on, can't trust Synology to notify me of updates...
Exactly what I did... It works fine on 7.2.x, no idea why they aren't pushing it automatically when I have the Auto install important security updates setting on my NAS.
Definitely looks like the older units like the DS218 will need direct attention.
QNAP seems to be better, my old TS-453Be from 2017 still runs the latest s/w and gets upgrade notices and alerts. They also categorize some updates and make them mandatory. I suppose you can still ignore them, but it will then bug the crap out of you!
In case anyone missed the latest list:
| Security Advisory | Affected Products |
|---|---|
| Synology-SA-24:20 DSM | DSM 7.2.2, DSM 7.2.1, DSM 7.1, DSMUC 3.1 |
| Synology-SA-24:21 Synology Drive Server | Synology Drive Server for DSM 7.1, Synology Drive Server for DSM 7.2.1, Synology Drive Server for DSM 7.2.2 |
| Synology-SA-24:19 Synology Photos | Synology Photos for DSM 7.1, Synology Photos 1.6 for DSM 7.2, Synology Photos 1.7 for DSM 7.2 |
| Synology-SA-24:22 Replication Service | Replication Service for DSM 7.1, Replication Service for DSM 7.2, DSMUC 3.1 |
| Synology-SA-24:23 BeeStation | BeeStation OS 1.0, BeeStation OS 1.1 |
| Synology-SA-24:18 BeePhotos | BeePhotos for BeeStation OS 1.0, BeePhotos for BeeStation OS 1.1 |
Thanks for the reminder to check this stuff... this showed up on my DS220+ just now for package updates (I had just done a bunch of package updates about four days ago and clearly it wasn't updated then).
I'm going to check my DS218+ now...Back from checking, it's already updated, must have done it on its own, as I haven't touched it since I originally updated it and the other NAS about 4 days ago.
