In an earlier post to my personal blog as well as to this blog, I enthusiastically recommended the Synology CS407 NAS as a data storage/backup platform. I am now taking that recommendation back.
Let me just say this: it seemed like a good choice at the time, and, if I could have trusted the vendor to deploy the software on it properly, it might still be. Here is a short summary of some of the issues I found:
You can skip to the full report here: A Security Audit of the Synology Disk Station Manager (DSM) v2.0-0590 Firmware.
What follows is a complete retelling of how I got here, sort of a lesson in vulnerability disclosure (not so much discovery, you’ll see why). It’s not pretty, I didn’t do all the right things, and it’s kind of long.
I had a lot of free time over Spring break (read: no money to travel anywhere) and so I decided to start “kicking the tires” of the Synology CS407 I owned. My jaw dropped when I got this first nmap scan back:
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e PHP/5.2.0)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp   open  http        Apache SSL-only mode httpd
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp   open  printer
548/tcp   open  afpovertcp?
3306/tcp  open  mysql       MySQL (unauthorized)
3493/tcp  open  tcpwrapped
3689/tcp  open  http        mt-daapd httpd 0.2.4
5000/tcp  open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e)
5001/tcp  open  http        Apache SSL-only mode httpd
5432/tcp  open  postgresql  PostgreSQL DB
50001/tcp open  tcpwrapped
It only got worse when I ran Nessus, and worse again when I got a shell and started poking around the filesystem. Get this: every service on the box is running as root! And all the web apps are compiled binaries executed as CGI… with root privileges, so a single bug in any one of them hands an attacker the whole box. As a friend in the lab described it, “1996 called, it wants its web technology back!” They weren’t even making it difficult.
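The scan above is the raw material for the rest of the audit, so it is worth having a repeatable way to read it. The following is an added example, not code from the original post or from Synology: it parses nmap’s normal (-oN) table layout, the same layout quoted above, and reviews the open ports against an assumed policy for what a home NAS should expose to LAN clients. The sample scan is a constructed copy of the port table in the post; the allowed-port and backend-only sets are assumptions, not anything the vendor documents.

```python
"""Parse an nmap -oN service scan and review the exposed services.

Added example, not part of the original post. SAMPLE_SCAN is a constructed
copy of the port table quoted above; LAN_ALLOWED and BACKEND_ONLY are an
assumed exposure policy for a file server on a home LAN.
"""
import re
from dataclasses import dataclass

# Constructed sample in nmap's -oN table layout (copied from the post's scan).
SAMPLE_SCAN = """\
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e PHP/5.2.0)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp   open  http        Apache SSL-only mode httpd
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp   open  printer
548/tcp   open  afpovertcp?
3306/tcp  open  mysql       MySQL (unauthorized)
3493/tcp  open  tcpwrapped
3689/tcp  open  http        mt-daapd httpd 0.2.4
5000/tcp  open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e)
5001/tcp  open  http        Apache SSL-only mode httpd
5432/tcp  open  postgresql  PostgreSQL DB
50001/tcp open  tcpwrapped
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version banner>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str      # nmap's service guess, with a trailing '?' (low confidence) stripped
    version: str   # banner text, empty when nmap could not fingerprint it


def parse_nmap(text: str) -> list:
    """Return one Service per port line; the header and any non-port lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            services.append(Service(int(m["port"]), m["proto"], m["state"],
                                    m["service"].rstrip("?"), m["version"].strip()))
    return services


# Assumed policy: what LAN clients of a file server legitimately need to reach.
LAN_ALLOWED = {80, 443, 139, 445, 548, 5000, 5001}
# Assumed: database backends for the bundled web apps; they should bind to localhost only.
BACKEND_ONLY = {3306: "MySQL", 5432: "PostgreSQL"}


def review_exposure(services, allowed=LAN_ALLOWED, backend=BACKEND_ONLY):
    """Classify each open TCP port as expected, a leaked backend, or unexpected surface."""
    report = {"expected": [], "backend_leak": [], "unexpected": []}
    for s in services:
        if s.state != "open" or s.proto != "tcp":
            continue
        if s.port in backend:
            report["backend_leak"].append(s.port)
        elif s.port in allowed:
            report["expected"].append(s.port)
        else:
            report["unexpected"].append(s.port)
    return report


def version_banners(services):
    """Ports whose banner discloses a concrete product version (what a scanner like Nessus pivots on)."""
    return {s.port: s.version for s in services if re.search(r"\d+\.\d+", s.version)}


if __name__ == "__main__":
    svcs = parse_nmap(SAMPLE_SCAN)
    for category, ports in review_exposure(svcs).items():
        print(f"{category:13s}: {ports}")
    for port, banner in version_banners(svcs).items():
        print(f"versioned banner on {port}/tcp: {banner}")
```

Run against the post’s scan, the review puts the two database ports in the backend-leak bucket (they have no business listening on the network interface at all) and flags 515, 3493, 3689 and 50001 as surface a file server does not need; the banner pass lists the three ports that advertise exact versions, which is exactly where a vulnerability scanner will start matching CVEs. Feed it real `nmap -sV -oN` output instead of the sample to repeat the check on your own box.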
This is where things got interesting. I looked around and there isn’t any formal security contact or even a public bug tracker (and they call themselves a Linux vendor!). I’m thinking maybe I can save myself some trouble and get this solved informally, so I made a really scary-sounding post on their user support forums with just the results of that nmap scan. I also submitted a technical support request at the same time, pointing to the forum post. Best idea? No. But it was easy. I really didn’t want to write a formal report and submit it. I’m not getting paid for this, and frankly, I’m kind of pissed off that I bought this thing and that I’m stuck with it now.
Two moderators immediately replied to my forum post claiming that there were no security vulnerabilities and that security vulnerabilities were the price we pay for having the coolest NAS out there. I thought these were official representatives of Synology at first and was ready to make a post to full-disclosure after reading their replies.
Then an official response came back from their tech support: log in to the box over SSH (which they don’t provide; I had to hack it to turn it on) and turn off the affected services. They also recommended I put the box behind a firewall… This is why you’re supposed to have a security@ contact, so people like me don’t get stuck with non-technical and sales staff. I did a few specific things in my reply to get my concerns in front of the right people:
- Asked for the issue to be escalated to a product manager
- Explained the risks they were putting themselves and their customers under
- Explained what would happen if they didn’t respond to my concerns (full disclosure)
- Included a PDF of a very early draft of my report
That worked. Three days later I got a response from Synology (still their sales staff) indicating that more than half of the vulnerabilities I pointed out would get fixed in a new release of the firmware due out in 60 days. They denied a number of the vulnerabilities, which I explained further and sent back to them.
Then I didn’t hear from them for 9 days. Apparently, my emails were getting stuck in their spam filter (again, vendors, please set up a security@ e-mail)! This went back and forth for a bit and I’ve moved about 90% of the issues into the next release! A handful of more architectural issues were pushed back until a release 6 months in the future. You can’t win them all, but at least they are aware of the issues now.
Back on the forum, I had been getting fairly actively involved by answering security questions from other users. Some intelligent people saw the point and came to my defense when the fanboys attacked what I was saying about their precious devices. Two people even posted that they had delayed or reconsidered buying Synology products because of this discussion! It was really great to hear that, both as vindication that what I was saying was important and because Synology’s management had to take me seriously now. They were actively losing customers due to poor development practices.
How they reacted to this really isn’t surprising in hindsight: they moved all my posts to a separate, special forum, away from potential and current (but mostly potential) customers. Then their moderators started getting fed up that people were still talking about security issues they thought were irrelevant, and resorted to character attacks and flaming. I sent an e-mail to my contact on the sales staff pointing out that someone representing their company was acting inappropriately and that their behavior might be tied back to the company. Synology responded by locking my post.
And that’s the end of that mess.
If you have a Synology product… well, good luck! The last of the problems I found won’t be resolved until 09/2008! And even then, I’m sure there will be more security vulnerabilities. Those compiled binary CGIs are a ticking time bomb. If you don’t already own a Synology product, I suggest FreeNAS. You can install it in a VM and try it before you “buy” it. I’d really like to get my hands on one of NetGear’s ReadyNAS products… anyone with one want to let me poke around it for a bit?
Looks like you raised a storm over at the Synology website. I read half the thread and decided to build my own storage box in the time it would take me to read the other half.
But seriously, thanks, at one point I considered buying one of these.
I forget where I read this, but in the new world of PR, it is really bad to do anything negative on a Friday. It doesn’t get lost by the media because they don’t have time to write something up about it, and it isn’t old news by the time Monday comes around. Rather what happens is that the internet talks about it on Saturday and Sunday while you’re not working and you come back with a real mess in your hands on Monday.
Hi,
I followed your post very closely on the Synology forum. I do not own a Synology product and did not bother to create an account on the forum, in order to express my support for your observations. I thought that it would be obvious that your reports had to be taken seriously – which quite evidently was not so obvious, at least not to the moderators and the Synology staff.
I am sorry to see the treatment that they gave you. You have my full support.
Do you plan on reviewing any other NAS products in the future? I was very close to buying a Synology product, until I read your post. Now I am searching for another product. I have noticed your recommendation of FreeNAS, however I am not sure that I want to spend the time building my own NAS. I would like a compact, sleek, silent and low power solution – and most important _secure_.
Do you have any experience with QNAP TS209 PRO or TS209 PRO II?
Do you have any other recommendations?
Best regards,
Casper
Hi Casper,
I’m sorry, I can’t give you any recommendations as I haven’t looked at any other NAS manufacturer’s devices. If I do a vulnerability assessment of another NAS manufacturer, I’m likely going to look at Netgear’s ReadyNAS product line.
Thanx for your research.
I bought some DiskStations as file server and backup media. I find it quite frustrating that Synology is not updating their samba version to “recent” releases.
For me the big feature of those boxes is not the included services/applications, it’s the power consumption to price to performance balance. I’ll stick to my DSs (and will probably buy some more) – but they are not and will never be on the internet. In fact, in our network they live in their own security zone (Juniper/Netscreen) and run an updated version of samba (ipkg).
To me it was surprising from the very beginning that somebody serious would put such a box “on the internet”. But then again, that’s what they are advertised for. In my opinion anything that runs a webserver with PHP (or any other form of CGI) is a timebomb in the hands of a normal user.
I don’t really share your fears about compiled CGIs (in general). Compiled or not isn’t more or less secure per se. In my eyes, the biggest problem with the compiled CGIs is that one can’t verify the source.
Regards,
Joachim
Hi,
I stumbled upon your blog while looking if it was possible to use dm-crypt with Synology products. I just wanted to tell you that I, too, am now delaying buying a CS407. Also, the way those two “honorary moderators” and fanboys treated you is definitely not good publicity for Synology, IMO.
It’s too bad they don’t allow alternative firmwares, kinda like OpenWrt for wifi routers. That would really allow to get the best of both worlds, a cool piece of hardware with open-source, up-to-date software…
Anyway, I still think I’m going to buy a CS407 (performance and feature-wise, it’s still the best thing in its budget category) but only after they release a new firmware. Thanks a lot for the warning, more people should know about this!
(Sorry if I made any English mistakes, I’m not a native speaker.)
wlof
I have a DS-207, and it works nicely enough on our home LAN. It’s behind a firewall, and the firewall has rules explicitly preventing any connection from WAN to Synology (I don’t trust the security of anything I can’t configure) or from Synology to WAN (I don’t like boxes calling home without my permission). So it’s used as a local file server, and as a local web server for home – not internet accessible.
It’s always funny to see a forum full of Synology products addicted people who became suddenly blind by staring too much at them in their living room/bedroom/office…
Makes me think of people drinking and swallowing the news on mass media channels..without wondering anything about the truth and the purpose behind it.
Hard to wake up people nowadays…keep on sleeping peeps…
You have my full support and deserved way better than that on their smelly moderated forum…
Keep up the good work.
Hi Dan,
I pretty much came to the same conclusion as you did, but by different (more subjective) means. It is very difficult to implement this much functionality in such a short amount of time. This way I got suspicious and found your post. I do not believe Synology to turn things around any time soon. You did me and many people out there a BIG BIG favour. Thanks!
Speaking on the issue, I have just purchased a ReadyNAS and hope Netgear (or should I say Infrant) have taken more time to make a proper NAS instead of a feature box. Now my question towards you is:
Could you make a wiki (or perhaps just a how-to) that describes to people how you have assessed the Synology? I could get pretty far on my own but the more people involved, the better. And yes, you may poke around my ReadyNAS as much as you like. It needs proper testing before deployment anyway:-). Still, it would be useful for many users to be able to do an audit themselves.
Most reviewers out there don’t even scrape the surface of a security audit, praising products like Synology. Now THAT pisses me off:-)
regards,
Jeroen
Great, great, great work!
Thank you VERY much!
Marco
Hi there,
I have recently been looking at buying a synology ds.
I had personally wondered what the security would be like, however I did expect it to be ok being a commercial product.
I found your not so recent post in the forums. It was interesting to find some possible issues.
I don’t think the post had the correct outcome. I didn’t like the way it was compared to everyday risks.
I’m still debating whether I should buy one or not. I have very limited knowledge of UNIX, however one thing I am warned against is running things as root unless required.
I’m not educated enough to know how bad all the flaws are; do these really hold a real world risk? Statistically I think both systems may have issues? But if it came under a direct attack then maybe things could be worse? I don’t know!?!?! Realistically how bad are these faults?
I think it has made me rethink how I’d use such a device; I need the remote access option. However, the security precaution I would take is to put no personal information on the device. I would use remote access for pdf files, music access and a web server.
I used to run a full linux webserver with php/mySQL. I wonder how many faults I had in the system, as I’m not too informed!
Would Windows Home Server be better?
What’s the latest progress?
I am also looking to get the CS407 and was wondering whether the recent firmware released has resolved all these vulnerabilities you raised?
Hi,
What happened in the end? Did they fix the security issues you mentioned? I’m interested in getting a Synology NAS; they seem to have the perfect feature set for my needs, but I am not so sure now having read this article…
Thanks