CVE-2024-29241
📋 TL;DR
A missing authorization vulnerability in Synology Surveillance Station's webapi component allows authenticated users to perform unauthorized actions. Attackers can read non-sensitive information, write sensitive DSM configurations, and reboot or shutdown NAS devices. This affects Synology Surveillance Station versions before 9.2.0-9289 and 9.2.0-11289.
💻 Affected Systems
- Synology Surveillance Station
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could reboot or shutdown critical NAS systems, causing service disruption, and modify sensitive DSM configurations to enable further attacks or persistence.
Likely Case
Authenticated users (including compromised accounts) can access unauthorized information and modify system configurations, potentially leading to privilege escalation or system disruption.
If Mitigated
With proper access controls and network segmentation, impact is limited to authorized users within the isolated network segment.
🎯 Exploit Status
Exploitation requires authenticated access but no special privileges. Attack vectors are unspecified in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.2.0-9289 or 9.2.0-11289
Vendor Advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_24_04
Restart Required: Yes
Instructions:
1. Log into DSM as administrator.
2. Open Package Center.
3. Find Surveillance Station.
4. Click Update if available.
5. Alternatively, download the update from Synology's website and install it manually via Package Center > Manual Install.
🔧 Temporary Workarounds
Restrict Network Access
Limit access to the Surveillance Station web interface to trusted IPs only.
Implement Strong Authentication
Enforce multi-factor authentication and strong password policies for all Surveillance Station accounts.
🧯 If You Can't Patch
- Isolate affected NAS devices from internet and restrict internal network access to authorized users only.
- Implement strict access controls and monitor for unauthorized configuration changes or reboot attempts.
🔍 How to Verify
Check if Vulnerable:
Check the installed Surveillance Station version in DSM Package Center, or over SSH with the command below.
Check Version:
synopkg version SurveillanceStation
Verify Fix Applied:
Confirm the version is 9.2.0-9289 or higher, or 9.2.0-11289 or higher, depending on which of the two release lines your model uses; any version below the fixed build for its line is vulnerable.
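The comparison above is easy to get wrong by hand because the two fixed builds (9289 and 11289) are on separate release lines, so a plain numeric comparison against 9289 would wrongly clear a 9.2.0-11200 install. The script below is an added example, not Synology's tooling; it parses the output of `synopkg version SurveillanceStation` and applies the rule from the advisory. It assumes (the page does not say) that builds with 5-digit numbers belong to the 11289 line and 4-digit builds to the 9289 line.

```python
import re
import shutil
import subprocess

# Fixed builds from Synology_SA_24_04 for the 9.2.0 release, one per release line.
# Assumption (not stated on the page): 4-digit builds (9289 line) and 5-digit builds
# (11289 line) are separate lines, so a build is compared only against its own line.
FIXED_BASE = (9, 2, 0)
FIXED_BUILD_SHORT = 9289    # line with 4-digit build numbers
FIXED_BUILD_LONG = 11289    # line with 5-digit build numbers
LINE_SPLIT = 10000          # assumption: builds >= 10000 belong to the 11289 line

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text):
    """Extract (major, minor, patch, build) from text such as '9.2.0-9289\\n'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version string found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version_text):
    """True if the installed version predates the fixed build on its release line."""
    major, minor, patch, build = parse_version(version_text)
    base = (major, minor, patch)
    if base < FIXED_BASE:
        return True          # anything older than 9.2.0 predates both fixed builds
    if base > FIXED_BASE:
        return False         # a later release carries the fix
    threshold = FIXED_BUILD_LONG if build >= LINE_SPLIT else FIXED_BUILD_SHORT
    return build < threshold


def installed_version():
    """Run synopkg on the NAS itself; returns None when synopkg is not on PATH (off-box)."""
    if shutil.which("synopkg") is None:
        return None
    out = subprocess.run(["synopkg", "version", "SurveillanceStation"],
                         capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("synopkg not found; run this on the NAS over SSH")
    else:
        state = "VULNERABLE" if is_vulnerable(v) else "fixed"
        print(f"Surveillance Station {v}: {state}")
```

Run it over SSH on the NAS; off-box you can still feed `is_vulnerable()` a version string collected from Package Center.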
📡 Detection & Monitoring
Log Indicators:
- Unauthorized configuration changes in DSM logs
- Unexpected system reboots or shutdowns
- Unusual webapi access patterns in Surveillance Station logs
Network Indicators:
- Unusual HTTP requests to Surveillance Station webapi endpoints from authenticated users
SIEM Query:
source="*synology*" AND (event="reboot" OR event="shutdown" OR event="config_change") AND user!="admin"
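To show what the log and network indicators above look like as working detection logic, here is an added example (not from the advisory or from Synology) that applies the same predicate as the SIEM query to log lines and counts webapi requests per user. The sample lines are constructed in a key="value" layout; DSM's real export format is not given on the page, so `parse_line()` is the part to adapt.

```python
import re
from collections import Counter

# Constructed sample log lines (not real DSM output); the key="value" layout is an assumption.
SAMPLE_LOGS = [
    'ts="2024-04-10T10:01:02Z" source="synology-dsm" user="alice" event="config_change" detail="SMB settings"',
    'ts="2024-04-10T10:02:15Z" source="synology-dsm" user="admin" event="reboot" detail="scheduled"',
    'ts="2024-04-10T10:03:40Z" source="synology-dsm" user="bob" event="shutdown" detail="via webapi"',
    'ts="2024-04-10T10:04:05Z" source="synology-dsm" user="carol" event="login" detail="ok"',
    'ts="2024-04-10T10:05:00Z" source="synology-surveillance" user="bob" event="webapi_request" path="/webapi/entry.cgi"',
    'ts="2024-04-10T10:05:01Z" source="synology-surveillance" user="bob" event="webapi_request" path="/webapi/entry.cgi"',
    'ts="2024-04-10T10:05:02Z" source="synology-surveillance" user="bob" event="webapi_request" path="/webapi/entry.cgi"',
    'ts="2024-04-10T10:06:00Z" source="synology-surveillance" user="alice" event="webapi_request" path="/webapi/entry.cgi"',
    'ts="2024-04-10T10:07:00Z" source="other-host" user="dave" event="reboot" detail="not a synology box"',
]

SUSPICIOUS_EVENTS = {"reboot", "shutdown", "config_change"}
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict; adapt this for your log exporter."""
    return dict(KV_RE.findall(line))


def matches_siem_rule(rec):
    """Same predicate as the SIEM query: synology source, sensitive event, non-admin user."""
    return ("synology" in rec.get("source", "").lower()
            and rec.get("event") in SUSPICIOUS_EVENTS
            and rec.get("user") != "admin")


def find_hits(lines):
    """Records that should raise an alert, in log order."""
    return [r for r in map(parse_line, lines) if matches_siem_rule(r)]


def busy_webapi_users(lines, threshold):
    """Users whose webapi request count reaches threshold: the 'unusual access pattern' indicator."""
    counts = Counter(r["user"] for r in map(parse_line, lines)
                     if r.get("event") == "webapi_request" and "/webapi/" in r.get("path", ""))
    return {u: c for u, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['user']} {hit['event']}")
    print(busy_webapi_users(SAMPLE_LOGS, threshold=3))
```

Note the effect of the query's `user!="admin"` clause: the scheduled reboot by `admin` is filtered out, which keeps routine maintenance quiet but also hides a reboot issued through a compromised admin account. Since this issue only requires an authenticated account, consider alerting on every reboot or shutdown outside a maintenance window rather than excluding by user name.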