There is a vulnerability in some versions of Synology’s Cloud Station client for OS X that can enable any local user to take ownership of system files and gain complete control of the machine.
Cloud Station is a system that allows users to sync files across a number of devices. The system saves changes to files on each of a user’s devices, and in offline mode will sync the changes as soon as the user reconnects to the Internet. Researchers discovered that the OS X client used in this system has a local privilege-escalation vulnerability.
“The Synology Cloud Station sync client for OS X contains an executable named client_chown that allows users to change the ownership of files. However, by default, it is installed as a setuid root executable. This allows any user the ability to change ownership of arbitrary system files, which may be leveraged to gain root privileges and fully compromise the host,” an advisory from CERT at Carnegie Mellon University says.
The vulnerability affects Cloud Station OS X client versions from 1.1-2291 up to 3.2-3475. Synology has released a new version of the client that fixes the vulnerability.
“We have removed client_chown in the latest build (3.2-3475) as a precaution, even though the impact is concluded to be very low. The client_chown tool was originally designed to ease the upgrade process of the Cloud Station client, and was included starting from build 2291. To achieve this purpose, client_chown was able to change the ownership of certain system files that belong to Cloud Station client,” the company said.
Synology also has fixed a separate command-injection vulnerability in its Photo Station application that could lead to an attacker being able to compromise a NAS device.
“A command injection vulnerability was found in Synology Photo Station, which allows an attacker to execute arbitrary commands with the privileges of the webserver. An attacker can use this vulnerability to compromise a Synology DiskStation NAS, including all data stored on the NAS,” an advisory from Securify says.
“Photo Station calls other Synology applications (e.g., /usr/syno/bin/synophoto_dsm_user) using operating system commands. It was found that Photo Station does not properly sanitize user input and as a result attackers can inject their own system commands that will be executed by Photo Station. In particular, this issue can be exploited via the description POST parameter.”
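The bug class Securify describes, shown as an added example that is not Photo Station’s code: a user-supplied description spliced into a shell command line beside the hardened argv form, plus a check that tokenises the command line the way a POSIX shell would to see whether the description altered the command structure. The `--description` argument to synophoto_dsm_user is an assumption for illustration; the real wrapper’s interface is not given in the advisory.

```python
"""Vulnerable vs. hardened invocation of an OS command with user input.

Assumption (not from the advisory): the helper accepts a
"--description <text>" argument. Only the path is taken from the advisory.
"""
import shlex
import subprocess
from typing import List, Optional

SYNOPHOTO_DSM_USER = "/usr/syno/bin/synophoto_dsm_user"  # path named in the advisory


def unsafe_command(description: str) -> str:
    """Vulnerable pattern: the web parameter is interpolated into a shell string.
    Naive double quoting does not help; a quote or ';' in `description`
    becomes shell syntax instead of data."""
    return f'{SYNOPHOTO_DSM_USER} --description "{description}"'


def shell_words(cmdline: str) -> List[str]:
    """Tokenise like a POSIX shell, keeping operators such as ';' and '|' as
    separate words (punctuation_chars needs Python 3.6+)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_argv(description: str) -> List[str]:
    """Hardened form: an argv list handed to subprocess with shell=False, so the
    description is always exactly one argument, whatever characters it holds."""
    return [SYNOPHOTO_DSM_USER, "--description", description]


def run_safe(description: str) -> Optional[subprocess.CompletedProcess]:
    """Runs the hardened form; returns None if the helper is not installed."""
    try:
        return subprocess.run(safe_argv(description), capture_output=True, check=False)
    except FileNotFoundError:
        return None


def has_injection(description: str) -> bool:
    """Detection check for the vulnerable pattern: True when the shell would
    see a different command structure than the intended three arguments."""
    try:
        words = shell_words(unsafe_command(description))
    except ValueError:  # unbalanced quote: the shell would not parse it as intended
        return True
    return words != safe_argv(description)
```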