Why are all these ports open? -- SECURITY VULNERABILITIES


Postby dguido » Mon Mar 17, 2008 7:28 am

I ran an nmap scan against my CS407 with the new DSM 2.0-0590 firmware and came up with these results:

Code:
# Nmap 4.53 scan initiated Sun Mar 16 15:16:12 2008 as: nmap -sS -sV -p 1-65535 -oN synology.log -T5 -PN 192.168.1.75
Interesting ports on 192.168.1.75:
Not shown: 65524 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.2 (protocol 1.99)
23/tcp   open  telnet      NASLite-SMB/Sveasoft Alchemy firmware telnetd
80/tcp   open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e PHP/5.2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp  open  http        Apache SSL-only mode httpd
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp  open  printer
3493/tcp open  tcpwrapped
5000/tcp open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e)
5001/tcp open  http        Apache SSL-only mode httpd
5432/tcp open  postgresql  PostgreSQL DB
MAC Address: 00:11:32:01:63:86 (Synology Incorporated)
Service Info: Host: CubeStation

Host script results:
|_ Discover OS Version over NetBIOS and SMB: Unix

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
# Nmap done at Sun Mar 16 15:16:38 2008 -- 1 IP address (1 host up) scanned in 26.329 seconds


I've only got SMB, telnet, SSH, and the standard web interface enabled on the box. Why is PostgreSQL listening for external connections? And CUPS even when I'm not running it? Did anyone out there realize their box is vulnerable to all the 'null session' attacks from the late 90s? That's how Nmap figured out I was part of the WORKGROUP domain. Do I even need to mention the multitude of exploits available for PHP 5.2.0? Apparently yes: http://osvdb.org/vendor/1/The+PHP+Group . SSH v1 is enabled ... and what the heck is on port 3493?

I also don't see the security issues described in this post fixed in the new firmware: http://www.synology.com/enu/forum/viewt ... 50&p=28070

Synology, what is going on here?
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am
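As an added example (not code from the thread or from Synology), here is a small Python audit of the kind a defender would run over the scan above: it parses nmap's normal (-oN) port table, compares the open ports against the set of services the owner says are deliberately enabled, and flags the two weak-protocol indicators visible in the banners (cleartext telnet, and an SSH banner reporting protocol 1.99, which means the server still accepts SSH-1). The sample scan lines and the allowlist are constructed from the post and are assumptions.

```python
import re

# Constructed sample in nmap's normal (-oN) output format, modelled on the scan in the post above.
SAMPLE_SCAN = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.2 (protocol 1.99)
23/tcp   open  telnet      NASLite-SMB/Sveasoft Alchemy firmware telnetd
80/tcp   open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e PHP/5.2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp  open  printer
3493/tcp open  tcpwrapped
5432/tcp open  postgresql  PostgreSQL DB
"""

# port/proto, state, service, then an optional free-text version column.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Allowlist (assumed): the services the owner says are deliberately enabled, i.e.
# SMB, telnet, SSH and the web interfaces on 80/443 and 5000/5001.
EXPECTED_PORTS = {22, 23, 80, 139, 443, 445, 5000, 5001}


def parse_nmap_ports(text):
    """Return (port, proto, state, service, version) tuples for each port line."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, (version or "").strip()))
    return rows


def audit(text, expected=EXPECTED_PORTS):
    """Return (unexpected_open_ports, weak_protocol_findings) for a scan."""
    unexpected, findings = [], []
    for port, _proto, state, service, version in parse_nmap_ports(text):
        if state != "open":
            continue
        if port not in expected:
            unexpected.append((port, service))
        if service == "telnet":
            findings.append((port, "cleartext telnet"))
        if "protocol 1.99" in version:  # banner means both SSH-1 and SSH-2 are offered
            findings.append((port, "SSH protocol 1 still accepted"))
    return unexpected, findings


if __name__ == "__main__":
    print(audit(SAMPLE_SCAN))
```

On the sample scan this reports 515 (printer), 3493 and 5432 (postgresql) as listening without being on the allowlist, which is the discrepancy the post is asking about.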

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby HarryPotter » Mon Mar 17, 2008 10:25 pm

Please do not cross post, thx.
your other post has been deleted
**Please do not Private Message me for support questions; leave it on the forum so all members can learn. Thanks!**

DS408 / DSM 2.3 Beta 1118 / 1 x Seagate ST31000340AS Basic + 3 x Seagate ST31000340AS RAID 0 / SSODS 4.1-7.4.0 / SqueezeboxServer 7.4.1-28947 / 2 x Squeezebox 3 / Rapsody N35
DS109+ / DSM 2.3 Beta 1118 / Samsung HD154UI
DS207+ / DSM 2.3 Beta 1118 / 2 x Hitachi HDS721010KLA330 RAID 0
DS-106x / DSM 2.3 Beta 1118 (from DS107) / WDC WD5000KS-00MNB0

APC Smart UPS 750
HarryPotter
Honorary Moderator
Posts: 4928
Joined: Mon Oct 23, 2006 12:48 pm
Location: Switzerland

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Tue Mar 18, 2008 12:50 am

I consider these issues very serious and no one responded to me within 12 hours, therefore I repeated my request in other forums hoping that someone would see them. In particular, Apache and PHP being out of date means that everyone using the photo/file-station features of all Synology products are vulnerable to remote exploits and potential data loss. Does Synology have a security contact? I didn't see one listed on their Contact Us page.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby NetBoot » Tue Mar 18, 2008 7:54 am

I don't see anything that's a vulnerability.

All those services are needed.

As long as your DS is behind a firewall and you DON'T have your DS in a DMZ you're fine.

Net....
Product Model: DS-106
Firmware Version: 2.0.3 - 0640

I have my reasons for my insanity....
NetBoot
Honorary Moderator
Posts: 729
Joined: Tue Oct 24, 2006 8:20 pm
Location: Northeastern U.S.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Tue Mar 18, 2008 8:35 am

I'm sorry NetBoot but you're absolutely wrong. I see about 20 vulnerabilities (I even directly linked to some) and if you want to pay me I'll write up the exploits to demonstrate them to you.

I also plainly stated that I am not running CUPS, not running anything that requires PostgreSQL, and that several critical services are severely misconfigured. These services and these configurations are not necessary as you stated and I'd like them to turn off when I turn them off and come in a properly configured state.

Additionally, many Synology boxes are exposed to the internet through services like the Photo and File Station. What good are those services unless they are web-accessible? Also, don't you think that some people use these boxes in their offices or that they share access to them with others? Just because you are the only one using yours and it is not accessible over the internet at all, doesn't mean that others don't.

I'm sorry, but the firmware running on these boxes needs to be fixed. I honestly want to get rid of mine and recommend against anyone else buying one until they are. If you'd like to see what a proper Nmap of a NAS distribution looks like, I can reply later with the results of my analysis of FreeNAS.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby NetBoot » Tue Mar 18, 2008 8:41 am

PostgreSQL is needed for Download Redirector.

As stated before, if your DS is behind a router and not in a DMZ you're fine. If you're not forwarding any of those ports that are open to the internet you're fine.

Case Closed.


Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Tue Mar 18, 2008 8:43 am

And btw, *ALL* services on the box are running as either 'root' or 'admin'. Both of these users have access to the data in the RAID array. This means that any user who successfully compromises *any* service on the box can access/modify/delete all the files I'm storing on the box.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Tue Mar 18, 2008 8:45 am

1. I'm not running the download redirector.
2. I think I can compromise the box through the download redirector.
3. What if I'm sharing the Synology box on a network with more people than just myself? At school? At the office? With roommates? In a business?
4. What about the photo and file station services, which are intended to be accessible over the web?
5. What about the FTP service or the SSH service? I think most people would forward those. As I said, you can't say "oh, our product is safe, but only if you keep it in a safe and don't plug it into the network" as you are.

NetBoot, I see that you're listed as an honorary moderator. Do you have any official status at Synology? I'd like to speak with someone who works for the company.

EDIT: the latest version of rtorrent (what is used to provide the download redirector service) is 0.7.9. The version of rtorrent being used on the DSM 2.0-0590 firmware is 0.3.6 (that's from 2005 fyi). See the following if you don't believe that it has remote vulnerabilities in it: http://rakshasa.no/pipermail/libtorrent ... 00455.html
Last edited by dguido on Tue Mar 18, 2008 9:01 am, edited 1 time in total.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby NetBoot » Tue Mar 18, 2008 8:57 am

If this is a concern for you.

Use strong user passwords, 8 characters minimum. Use SSH keys as appropriate, use SSL certificates as appropriate and htaccess and host allow deny restrictions as appropriate.

Use harden rules for your router.

Those are just a few off the top of my head. There are other ways to harden servers.
ADS is another.

Net....

Oh, and a system that's not turned on is the securest one. :D

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Tue Mar 18, 2008 9:04 am

NetBoot, maybe you don't get what I'm saying. These vulnerabilities allow ME to access YOUR Synology NAS without using any passwords and then to delete all of your files. If you try and turn off the services that I can hack in from, the Synology NAS will leave them running anyway. Not only that, but I have my pick of one of about more than 20 vulnerabilities to choose from, all of which provide full system compromise.

"harden rules" for my router, strong passwords, SSH keys, SSL certificates, or Apache reconfigurations will not do ANYTHING for the attacks I am describing.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby NetBoot » Tue Mar 18, 2008 9:10 am

Ok

here yeah go

http://www.gateway-1.homedns.org

hack away


Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Tue Mar 18, 2008 9:16 am

I see about 20 vulnerabilities (I even directly linked to some) and if you want to pay me I'll write up the exploits to demonstrate them to you.


You know what, this is stupid and a waste of my time. I'm just making a post on full-disclosure. I'm glad you're so blindly confident in your box's ability to withstand attacks against all reason. I'm not doing anything illegal to your box, so you can turn off your "harden rules" now. jeez.

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby NetBoot » Tue Mar 18, 2008 10:56 am

k,

Ask any IT Network Administrator, and they will tell you that it's your responsibility to know what risks are involved when allowing services over the internet and what you need to do to protect yourself.

Now, I'm not saying that the OS on the DS is perfect to say the least. I'm just stating the fact that as long as you know what's involved in providing such services.

As far as shares go, I wouldn't do Samba sharing over the internet. There's FTP and File Manager for that. Also, I would setup VPN if I need such things.

There's also the Web Management that's open to use the torrent feature. I wouldn't use Download Redirector over the internet for such services. Plus, Download Redirector doesn't work over the internet anyway. (I can't get to the page you posted, but what is it referring to? rTorrent client? and does it cover linux also?) I no longer use it, doesn't work. Plus, neither does crond and my system has a bad time problem with cron jobs!

Back to my point, if you're behind a router you're fine. If you're allowing service to vindictive users, then I wouldn't provide such service. Also, I assumed you were referring to being vulnerable over the internet as is.

Note: I and many others have been waiting for well over a year for Synology to get their ass in line and start updating the OS and software to more updated versions. But it appears that they're more interested in adding eye candy. Maybe to boost sales?

No, I'm in no way, shape or form working for or affiliated with Synology.


Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby Insane » Tue Mar 18, 2008 11:41 am

NetBoot wrote: Note: I and many others have been waiting for well over a year for Synology to get their ass in line and start updating the OS and software to more updated versions. But it appears that they're more interested in adding eye candy. Maybe to boost sales?


This is the main crux of the problem which has gotten dguido up in arms: the OS and software is obsolete in some regards, and because it's old there are known exploits knocking about for them all. I suspect the main reason for this is due to feature creep... everyone crying out for mail servers and additional functions means the development team for updates gets drastically smaller as resources get shifted about to accommodate the "crying masses".

In my eyes, the Diskstation is not being sold as a wonderful Internet based server... but as a network attached storage device with additional functions.
Because it has not been designed from the base up as an all-seeing all-dancing Webserver and FTP Server it's not hardened for internet usage in any way, shape or form. Also because it's using what can be classed as an "Embedded Linux OS" (uclinux I think) for a local network it runs the services it requires as root or admin so as not to impact on the performance of the device further.

Again, iteration is key here... the Synology DiskStation range is designed primarily as a Network Attached Storage device. (the key is in its name after all, DiskStation)
NAS Devices are designed for sitting on the local internal network for all local users to attach to and use.

The best advice? If you require a webserver, FTP and Email services with a high level of security... invest your time in either building a dedicated server you can harden yourself, or purchase hosting from one of the many hosting providers out on the internet...
Hell, does anyone remember the original Syno Forum? It ran on a CS-406 in Franklin's office and it got completely murdered when more than 5 people were browsing it! Does the Diskstation (or in that case a Cubestation) seem to be the most ideal device for hosting a webserver?

dguido wrote: I'm not doing anything illegal to your box

Do you really believe that? truthfully? A court of law would of course say otherwise as it is unauthorised access to electronic systems.

Netboot/HarryPotter: If I have overstepped any marks, please feel free to nuke this post and send me a message.
Insane
I'm New!
Posts: 7
Joined: Wed Nov 08, 2006 12:49 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby HarryPotter » Tue Mar 18, 2008 12:17 pm

Netboot/HarryPotter: If I have overstepped any marks, please feel free to nuke this post and send me a message.


Besides that I can't find the word "nuke" in my dictionary :wink: : I can't see why we should.
On the contrary I agree with most of your ideas.

It's always the same dilemma: if they don't bring out new functions, one half of people are complaining; if they increase the possibilities of the system but leave everything in a basic stage, the other half will cry out.
