Why are all these ports open? -- SECURITY VULNERABILITIES

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Tue Mar 18, 2008 3:10 pm

Do you really believe that? truthfully? A court of law would of course say otherwise as it is unauthorised access to electronic systems.


You misread my statement. What I was saying was more like "you are not going to bait me into attacking your box." I never clicked on his link and I'm not going anywhere near his box.

Ask any IT Network Administrator, and they will tell you that it's your responsibility to know what risks are involved when allowing services over the internet and what you need to do to protect yourself.


That's why I looked into the security of the Synology box and decided it was unfit in my network.

I wouldn't use Download Redirector over the internet for such services. Plus, Download Redirector doesn't work over the internet anyway. (I can't get to the page you posted, but what is it referring to? rTorrent client? and does it cover linux also?) I no longer use it, doesn't work. Plus, neither does crond and my system has a bad time problem with cron jobs!


The way the download redirector works is that you give it a torrent file and the Synology box starts rtorrent to download it. It may be possible to create a corrupt torrent file or for a peer in the bittorrent swarm to send you corrupt data which then takes control of your box. This is highly likely because Synology is using a version of rtorrent that is more than 3 years old and has had security problems fixed within that time. This is a client-side attack and it goes past any firewall (doesn't matter whether you've forwarded ports or not, this is irrespective of that).

Back to my point, if you're behind a router you're fine. If you're allowing service to vindictive users, then I wouldn't provide such service.


What if I gain access to your desktop computer first :-)? A NAS is made for sharing, that's why there are all these services on it. People use these things in their offices or at their school where they're accessible to wayyy more people than just themselves. Your local network is a valid attack vector.

It's always the same dilemma: if they don't bring out new functions, one half of people are complaining; if they increase the possibilities of the system but leave everything in a basic stage, the other half will cry out.


I'd like to rephrase that as "Synology is putting their entire customer base at risk of data loss by not keeping their software up to date, and that if they can't add new features and do it securely then they shouldn't be developing software at all. Rather, they should just integrate a pre-existing NAS distribution like FreeNAS and call it a day (it's BSD-licensed too!)."
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am
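The download redirector path described above (a user-supplied .torrent handed straight to rtorrent) is a parsing boundary, and that is where a corrupt file does its damage. As an added example, not part of this thread nor of Synology's or rtorrent's code, here is a strict bencode decoder in Python that refuses malformed torrent files before they reach a download client; the nesting and string-size caps are assumed limits chosen for illustration, and the sample torrents are constructed.

```python
MAX_DEPTH = 16        # nesting cap for lists/dicts (assumed limit)
MAX_STRING = 1 << 20  # 1 MiB per string; real .torrent strings are far smaller

class BencodeError(ValueError):
    """Any structural defect in the input."""

def _number(digits: bytes, what: str) -> int:
    # Reject empty, non-numeric, leading-zero and "-0" forms outright.
    body = digits[1:] if digits[:1] == b"-" else digits
    if not body.isdigit() or (len(body) > 1 and body[:1] == b"0") or digits == b"-0":
        raise BencodeError("malformed %s %r" % (what, digits))
    return int(digits)

def _decode(buf: bytes, pos: int, depth: int):
    """Decode one value at buf[pos]; return (value, offset after it)."""
    if depth > MAX_DEPTH:
        raise BencodeError("nesting deeper than %d at offset %d" % (MAX_DEPTH, pos))
    if pos >= len(buf):
        raise BencodeError("truncated input at offset %d" % pos)
    c = buf[pos:pos + 1]
    if c == b"i":                              # integer: i<digits>e
        end = buf.find(b"e", pos)
        if end < 0:
            raise BencodeError("unterminated integer")
        return _number(buf[pos + 1:end], "integer"), end + 1
    if c in (b"l", b"d"):                      # list l...e or dict d...e
        items, pos = [], pos + 1
        while buf[pos:pos + 1] != b"e":        # running off the end raises above
            item, pos = _decode(buf, pos, depth + 1)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        keys = items[0::2]
        if len(items) % 2 or any(not isinstance(k, bytes) for k in keys):
            raise BencodeError("dict needs an even count of string-keyed items")
        if keys != sorted(set(keys)):          # BEP 3: keys unique and sorted
            raise BencodeError("dict keys duplicated or unsorted")
        return dict(zip(keys, items[1::2])), pos + 1
    if c.isdigit():                            # string: <len>:<bytes>
        colon = buf.find(b":", pos)
        if colon < 0:
            raise BencodeError("unterminated string length")
        ln = _number(buf[pos:colon], "string length")
        if ln > MAX_STRING or colon + 1 + ln > len(buf):
            raise BencodeError("string length %d runs past buffer" % ln)
        return buf[colon + 1:colon + 1 + ln], colon + 1 + ln
    raise BencodeError("unexpected byte %r at offset %d" % (c, pos))

def decode_torrent(buf: bytes) -> dict:
    """Decode a whole .torrent: root must be a dict with 'info', no trailing data."""
    value, end = _decode(buf, 0, 0)
    if end != len(buf):
        raise BencodeError("%d trailing bytes after root" % (len(buf) - end))
    if not isinstance(value, dict) or b"info" not in value:
        raise BencodeError("root is not a dict carrying an 'info' key")
    return value

# Constructed samples: a minimal single-file torrent and two corrupt variants.
GOOD_TORRENT = (b"d8:announce22:http://tracker.example4:info"
                b"d6:lengthi1234e4:name7:foo.txt12:piece lengthi16384e"
                b"6:pieces20:" + b"\x00" * 20 + b"ee")
TRUNCATED = GOOD_TORRENT[:-1]               # final 'e' of the root dict missing
OVERSIZED = b"d4:infod4:name999999999:xee"   # declared length runs past the buffer
```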

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby grimse » Tue Mar 18, 2008 3:50 pm

hi,

I absolutely agree with dguido. Although I'm deeply impressed by the functionality, it's some kind of showstopper to me to know that the daemons cry for an attack because of their sec-issues.


I would appreciate getting feedback from Synology.
grimse
Novice
Posts: 40
Joined: Mon Nov 12, 2007 12:18 pm
Location: Hamburg, Germany

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby alfred » Tue Mar 18, 2008 4:16 pm

I agree with dguido, too. If you offer products for home and soho environments, you can't expect buyers to think and act like professional IT admins. And if you advertise your products in a way that suggests it's fine to use all the web services in any way possible, i.e. not limited to your private LAN, then security issues must be treated accordingly. Otherwise many people who don't have the necessary background knowledge trust their devices and put their data at risk.

DS target group (from the DS-107 description):
Web Station runs the Apache web server that allows you to publish a website with only a few steps. With pre-installed PHP+MySQL, you are free to install popular blog or bulletin board programs on DS107. No advanced IT knowledge is required to build up your community.


Synology encourages DS use over the net (from the Photo Station description):
Voila! Visitors can now view your photos or videos over the Internet.


Just two examples.

Regards,
Alfred
alfred
Beginner
Posts: 22
Joined: Tue Nov 14, 2006 9:27 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby koez » Tue Mar 18, 2008 9:44 pm

Hmm, I suspected that there would be sec problems, some of the software being so old, but this makes me... umh, wonder whether all (FTP and Photo) services should be shut down. Seems so, just to be safe.
Hopefully mine's not a spam server already :shock:
Last edited by koez on Tue Mar 18, 2008 9:56 pm, edited 1 time in total.
koez
Novice
Posts: 52
Joined: Wed Nov 15, 2006 8:41 pm
Location: Finland

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby NetBoot » Tue Mar 18, 2008 9:55 pm

HarryPotter wrote:
Netboot/HarryPotter: If I have overstepped any marks, please feel free to nuke this post and send me a message.


Besides the fact that I can't find the word "nuke" in my dictionary :wink: : I can't see why we should.
On the contrary I agree with most of your ideas.

It's always the same dilemma: if they don't bring out new functions, one half of people are complaining; if they increase the possibilities of the system but leave everything in a basic stage, the other half will cry out.


I would say security should be at the forefront and not additional features. But, I don't see that happening any time soon.

I do like new features, only if Synology fixes old issues.

Now, Synology has a BIGGER plate to work on bugs and fixes. They're only making more work for themselves.

*My thoughts: I really haven't decided on what I'm going to do with this DS-106. A few times I was thinking of selling it. Then, I figure I'd take a wait-and-see attitude on what Synology is going to do on updates. I'll wait another 6 months or so. If things don't change, I'll either compile programs myself or just sell the box and build my own. I'll use Synology as an example of what NOT to do. Thanks Synology.

Net....
Product Model: DS-106
Firmware Version: 2.0.3 - 0640

I have my reasons for my insanity....
NetBoot
Honorary Moderator
Posts: 729
Joined: Tue Oct 24, 2006 8:20 pm
Location: Northeastern U.S.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby ikeke » Tue Mar 18, 2008 10:03 pm

NetBoot wrote: Note: I and many others have been waiting for well over a year for Synology to get their ass in line and start updating the OS and software to more updated versions. But it appears that they're more interested in adding eye candy. Maybe to boost sales?
Net....


NetBoot wrote: I would say security should be at the forefront and not additional features. But, I don't see that happening any time soon.

I do like new features, only if Synology fixes old issues.
Now, Synology has a BIGGER plate to work on bugs and fixes. They're only making more work for themselves.


I have exactly the same feeling :cry:

Loving Synology products and being an honorary moderator doesn't prevent us from saying what we think, as we're just users and not related to the Synology company.
But I find their products great; that's why I'm still here and a fan of my syno boxes, but the "bring new stuff even if previous functions are not fixed" strategy is definitely not my cup of tea.

But I keep hoping that these gaps will be fixed soon...
DS-106 | Gone to Synology's Heaven in April 2009 - R.I.P
CS-407 | Firmware Version: 2.2 - 0914 | HD Model: 3x Samsung HD501LJ 500GB Raid5
>> Communauté Française des utilisateurs de NAS Synology <<
ikeke
Seasoned
Posts: 553
Joined: Wed Oct 25, 2006 2:26 pm
Location: Lille - France

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby mattsternc » Wed Mar 19, 2008 1:01 am

Well I thought I would throw in my .02 here. If I'm out of line, someone tell me that.

I like the new interface quite a bit, but after reading some of this thread it has made me a bit wary of utilizing all of the features on the box itself. With that in mind, I came up with the following ideas to rectify the situation:

1. Synology implements a hotfix system, similar to Windows Update and/or the Update functionality in Ubuntu.
2. We, the users (and this would be the more technical amongst us), would do the necessary updates to the components AND make these updates available to all of the users in some form.
3. Synology acknowledges the issues and releases a plan detailing what they will be doing to address them. A time frame for each and/or all of the fixes would be provided as well. I don't think this would happen, but you never know.

Personally, I would be willing to help out with fixes/updates to the system, but my linux knowledge has slipped somewhat in the last couple of years. That will be changing soon enough with any luck, so maybe I would be able to provide some level of assistance with things.

So, this was just my take on what's going on with the ports, etc.

Matt 8)
CS-407 / DSM 2.1-0832 / 4 x Seagate ST3500631NS (Firmware 4AEK) 500GB HDD = 1.5 TB RAID 5
mattsternc
Trainee
Posts: 10
Joined: Fri Feb 01, 2008 4:56 pm

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Wed Mar 19, 2008 1:22 am

Personally, I would be willing to help out with fixes/updates to the system


That's supposed to be the benefit of going with Linux over your own proprietary solution: it's like outsourcing parts of your development team to your customers. Unfortunately, Synology makes it really hard for people to participate. They don't have a public bug tracker. They don't offer source code for download. It's a pain to find the modified gcc necessary to compile code for the box... The best they have is this forum, and we're all clamoring for changes and fixes, and some are even offering to help, but we have no way to give back to them.

Even better, though, is that the open source people have thought about NAS devices before. Check out the OpenFiler and FreeNAS distributions. If you're going to base your product line around Linux, might as well use what's already out there. If I were starting a NAS company, I'd honestly just hire the FreeNAS developers and use that instead of starting from scratch. It implements 90% of the functionality that Synology does and it does it in a much cleaner way.

The security problems will get resolved, I'm going to see to that. Option #3 or bust.
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dibe » Wed Mar 19, 2008 10:10 am

Having read through this I must admit that this makes me very concerned. But I want to be sure I completely understand ...

My DS-106e is behind a router/firewall.
The ports for http, https, ftps and the admin-port are forwarded to the DS-106s.
Web-server, ftp server and photo station are activated.
Encryption is activated for admin, file-station and ftp.

Is my system at risk? If I understand dguido right, there are old and well-known exploits that work in the above configuration and would potentially enable someone to access all of my files without having to provide the relevant passwords.

Netboot says: If I am behind a router (which I am), I am perfectly fine. Or does he mean: If I am behind a router AND have NO ports forwarded, I am perfectly fine?

If dguido is right, then I will immediately stop using my device in this manner. And there is no excuse for Synology. These devices are clearly marketed to be used in the above configuration (in fact, functions like DDNS also clearly position the box as being usable when directly connected to the internet).

But the point is: what ports and/or service do or don't pose a security risk? Is it possible to be specific? I could live with just https and the admin/file-manager function if the risk is only with the http, ftps ports and web-server / ftp-server. And frankly, although I would not care about any of the other ports myself, I also totally understand dguido's concerns that it can't be taken for granted that these boxes are not operated within risky environments. If that is not the idea, then this needs to be stated clearly by Synology.

So, thanks for some specific comments regarding my configuration.

Thanks,
Dirk
dibe
I'm New!
Posts: 4
Joined: Fri Feb 15, 2008 9:44 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby HarryPotter » Wed Mar 19, 2008 10:33 am

Hello, are you all going to be paranoid now?

Driving cars is risky - did you sell yours?
Using airplanes is risky - did you stop travelling?
Smoking is risky - did you already stop?
Living is risky - are you still there?

This discussion drives me really mad.

In any case, if you connect to the internet, there could be a risk, regardless of what device you are working with.

Use a firewall, a secure password and forward only the ports you need, and you are on the secure side, whatever secure side means.

Big companies spend millions of dollars (ok, dollars do not have a value anymore, let's say euro or swiss francs :wink: ) to make their systems secure and nevertheless they are still attacked and sometimes these hackers succeed.

Decide yourself.
**Please do not Private Message me for support questions; leave it on the forum so all members can learn. Thanks!**

DS408 / DSM 2.3 Beta 1118 / 1 x Seagate ST31000340AS Basic + 3 x Seagate ST31000340AS RAID 0 / SSODS 4.1-7.4.0 / SqueezeboxServer 7.4.1-28947 / 2 x Squeezebox 3 / Rapsody N35
DS109+ / DSM 2.3 Beta 1118 / Samsung HD154UI
DS207+ / DSM 2.3 Beta 1118 / 2 x Hitachi HDS721010KLA330 RAID 0
DS-106x / DSM 2.3 Beta 1118 (from DS107) / WDC WD5000KS-00MNB0

APC Smart UPS 750
HarryPotter
Honorary Moderator
Posts: 4928
Joined: Mon Oct 23, 2006 12:48 pm
Location: Switzerland

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby pz1 » Wed Mar 19, 2008 11:25 am

HarryPotter wrote: Driving cars is risky - did you sell yours?
Using airplanes is risky - did you stop travelling?


But we do improve safety of these vehicles, and expect manufacturers to apply state of the art technology!

The essence of what dguido and others ask from Synology is to:
1) Better inform naive users about potential hazards.
2) To incorporate state of the art software.

I think that is a legitimate request, which has nothing to do with paranoia. It is in the interest of both Synology and its users.
DS-207+ 128MB; DSM 2.2-0959
HDD: WDC WD10EADS-00L5B1 (01.01A01)
pz1
Experienced
Posts: 125
Joined: Fri Oct 19, 2007 9:56 am
Location: Netherlands

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby grimse » Wed Mar 19, 2008 11:36 am

Argh, sorry HarryPotter, but the way you argue is the reason why botfarms with 50000+ infected machines exist, the reason why phishing is present and why still millions of systems get infected with malware.

To take up your argument - "driving a car is risky" - for sure it's risky, but instead of not driving a car I bought a _secure_ car to minimize the risk.
The same goes for old software releases. For sure you can use an old rtorrent or apache, but it's like driving a car without a seatbelt. This works, too, but you would strongly miss it in the case of an accident.

Dibe, regarding your question: if you publish the ports through your router you're _not_ safe. Forwarding a port via NAT translation equals placing this port (system) directly on the internet. If you don't forward ports you are safe, but I don't see the sense of a Photo Station without publishing it to the web...
For sure, as NetBoot mentioned, there are ways to "harden" the connection. Although I don't completely understand what he means, I guess it's the "spi" firewall on the router. Some routers offer basic intrusion detection functionality (IDS). Depending on the router it can recognize e.g. network scans or bruteforcing of an ssh account, but this definitely can't recognize attacks based on the old apache release, because we are here talking about "normal" http/s traffic.

It's also simply not right that using a firewall or virus scanner would help you. We are talking about vulnerabilities on the DS, not on the client you use to access the DS! As long as you don't place the scanners in front of the DS (e.g. as a default gateway for the DS) it doesn't solve the problems we are talking about here.

From my point of view there is absolutely the need to implement something like patch scheduling on Synology's side (like already present at nearly every Linux distributor). And I don't see it as the community's task to handle this. Although it's also ok for me to do beta-testing, I do think it's the company's task to offer a secure product.
grimse
Novice
Posts: 40
Joined: Mon Nov 12, 2007 12:18 pm
Location: Hamburg, Germany

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby HarryPotter » Wed Mar 19, 2008 11:55 am

I agree that Synology should upgrade the included modules like apache, php, mysql and so on to their newest versions, no doubt about it.

BUT:

I work as a computer supporter and I see hundreds of devices, and I didn't see a single infected computer from people taking care about their installations and who use their brain while being connected to the internet.
The others, who do not use secure passwords, no firewalls, no antivirus program, who click on every damned link, accept installations of everything and nothing and open mails without thinking one second: these computers are infected and part of botfarms, nothing else.

And this is not the case on the Synology systems. If you want to prove the contrary to me, accept NetBoot's offer to hack his system and don't get away with some suspect reasons.
HarryPotter
Honorary Moderator
Posts: 4928
Joined: Mon Oct 23, 2006 12:48 pm
Location: Switzerland

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby grimse » Wed Mar 19, 2008 12:22 pm

Ok, I work as a security engineer in a 10000+ company (beside others) dealing with a Checkpoint NGX fw and Qualys penetration testing for our DMZ systems. Therefore I know at least a little bit of what I'm saying. Maybe I'm also paranoid, because this belongs to my job, but the problems dguido mentioned are present and there is no need to prove the problems; this is already done (simply read the sec advisories linked by dguido to the php and rtorrent bugtrackers).

I don't understand why some of you have such problems with accepting that this is a sec-problem. I think it should also be in your interest to get these things fixed.
I guess it would be helpful to get Synology directly involved because neither you as moderators nor we will solve the problem by discussing it within this forum.
Last edited by grimse on Wed Mar 19, 2008 5:30 pm, edited 1 time in total.
grimse
Novice
Posts: 40
Joined: Mon Nov 12, 2007 12:18 pm
Location: Hamburg, Germany

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby ikeke » Wed Mar 19, 2008 5:06 pm

grimse wrote: I guess it would be helpful to get Synology directly involved because neither you as moderators nor we will solve the problem by discussing it within this forum.

Maybe you're right, but as far as I'm concerned, I find this subject really interesting, as security issues are very important for me, and I'm glad this topic exists. Having the possibility to express different points of view in a forum is very important, I think, as it helps to figure out some stuff and to improve products.

It's always interesting to have comments and ideas from security professionals so thanks for this topic.

p.s: being a moderator doesn't mean we're narrow minded :wink:
ikeke
Seasoned
Posts: 553
Joined: Wed Oct 25, 2006 2:26 pm
Location: Lille - France
