CVE-2024-39348
📋 TL;DR
This vulnerability allows man-in-the-middle attackers to execute arbitrary code on Synology routers by exploiting AirPrint functionality that downloads code without proper integrity checks. It affects Synology Router Manager (SRM) users with vulnerable versions, potentially giving attackers full control of affected routers.
💻 Affected Systems
- Synology Router Manager (SRM)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of router with persistent backdoor installation, allowing traffic interception, credential theft, and lateral movement to connected devices.
Likely Case
Router compromise leading to DNS hijacking, credential harvesting, and network surveillance of connected devices.
If Mitigated
Limited impact if AirPrint is disabled or network segmentation isolates the router from untrusted networks.
🎯 Exploit Status
Requires man-in-the-middle position between router and AirPrint server, but no authentication needed once position achieved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SRM 1.2.5-8227-11 or 1.3.1-9346-8 and later
Vendor Advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_23_16
Restart Required: Yes
Instructions:
1. Log into the SRM web interface.
2. Navigate to Control Panel > Update & Restore.
3. Check for updates.
4. Apply the available update to SRM 1.2.5-8227-11 or 1.3.1-9346-8 or later.
5. Reboot the router when prompted.
🔧 Temporary Workarounds
Disable AirPrint
all: Turn off AirPrint functionality to remove the attack vector
Network Segmentation
all: Isolate the router management interface from untrusted networks
🧯 If You Can't Patch
- Disable AirPrint functionality immediately
- Implement strict network segmentation and firewall rules to limit router exposure
🔍 How to Verify
Check if Vulnerable:
Check SRM version in Control Panel > Info Center > DSM/SRM Version
Check Version:
ssh admin@router 'cat /etc.defaults/VERSION'
Verify Fix Applied:
Verify version is SRM 1.2.5-8227-11 or 1.3.1-9346-8 or later
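An added example (not from Synology or the original page) that applies the check above per release branch, since a 1.3.x build can be unpatched while sorting higher than the fixed 1.2.5 build. It assumes the VERSION file holds key="value" lines named productversion, buildnumber and smallfixnumber; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: branch-aware check against the fixed builds named on this page.
# Assumption: VERSION holds key="value" lines (productversion, buildnumber,
# smallfixnumber). Function names are hypothetical.

# Print the value of key $1 from VERSION text on stdin.
version_field() {
    awk -F'"' -v k="$1" '$1 == k "=" { print $2; exit }'
}

# Print patched | vulnerable | unknown for: productversion build smallfix.
srm_status() {
    awk -v pv="$1" -v build="$2" -v fix="${3:-0}" 'BEGIN {
        n = split(pv "." build "." fix, have, ".")
        if (n != 5) { print "unknown"; exit }
        for (i = 1; i <= 5; i++)
            if (have[i] !~ /^[0-9]+$/) { print "unknown"; exit }
        # Each release branch has its own fixed build; a 1.3.x build below
        # 1.3.1-9346-8 is still vulnerable although it sorts above 1.2.5-8227-11.
        if (have[1] == 1 && have[2] == 2)
            split("1.2.5.8227.11", want, ".")
        else if (have[1] > 1 || (have[1] == 1 && have[2] >= 3))
            split("1.3.1.9346.8", want, ".")
        else { print "unknown"; exit }   # older branch: not covered by the page
        for (i = 1; i <= 5; i++) {
            if (have[i] + 0 > want[i] + 0) { print "patched"; exit }
            if (have[i] + 0 < want[i] + 0) { print "vulnerable"; exit }
        }
        print "patched"   # exactly the fixed build
    }'
}

# Read VERSION text on stdin and report its status.
check_version_text() {
    text=$(cat)
    pv=$(printf '%s\n' "$text" | version_field productversion)
    build=$(printf '%s\n' "$text" | version_field buildnumber)
    fix=$(printf '%s\n' "$text" | version_field smallfixnumber)
    srm_status "$pv" "$build" "$fix"
}

# Constructed sample, not taken from a real device.
SAMPLE_VERSION='productversion="1.3.1"
buildnumber="9346"
smallfixnumber="7"'

printf '%s\n' "$SAMPLE_VERSION" | check_version_text
# On a router: ssh admin@router 'cat /etc.defaults/VERSION' | check_version_text
```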
📡 Detection & Monitoring
Log Indicators:
- Unexpected AirPrint-related downloads
- Unusual process execution from AirPrint service
- Failed integrity checks in system logs
Network Indicators:
- Unusual outbound connections from router to unknown servers
- Man-in-the-middle activity between router and AirPrint servers
SIEM Query:
source="synology-router" AND (event="airprint_download" OR process="airprint")