CVE-2024-47264
📋 TL;DR
This path traversal vulnerability in Synology Active Backup for Business allows authenticated administrators to delete arbitrary files on the system. It affects all versions before 2.7.1-13234, 2.7.1-23234, and 2.7.1-3234. Attackers with admin credentials can exploit this to delete critical system files.
💻 Affected Systems
- Synology Active Backup for Business
📦 What is this software?
Active Backup For Business Agent by Synology
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical OS files, configuration files, or backup data, leading to system instability, data loss, or service disruption.
Likely Case
Targeted deletion of specific files to disrupt operations, delete evidence, or remove security controls, potentially enabling further attacks.
If Mitigated
Limited impact if proper access controls and monitoring are in place, with only authorized administrators able to exploit and logs capturing the activity.
🎯 Exploit Status
Exploitation requires administrator credentials. The unspecified vectors suggest the exact method isn't publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.1-13234, 2.7.1-23234, or 2.7.1-3234
Vendor Advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_25_02
Restart Required: Yes
Instructions:
1. Log into DSM as administrator.
2. Open Package Center.
3. Find Active Backup for Business.
4. Click Update if available.
5. Alternatively, download the latest version from Synology's website and install it manually.
6. Restart the service or system as prompted.
🔧 Temporary Workarounds
Restrict Administrator Access
Platform: all. Limit the number of administrator accounts and implement strict access controls.
Monitor File Deletion Events
Platform: linux. Enable auditing for file deletion operations on critical paths.
🧯 If You Can't Patch
- Implement strict least-privilege access controls for administrator accounts
- Enable comprehensive logging and monitoring for file deletion activities
🔍 How to Verify
Check if Vulnerable:
Check the Active Backup for Business version in DSM Package Center. If version is below 2.7.1-13234, 2.7.1-23234, or 2.7.1-3234, the system is vulnerable.
Check Version:
Check via DSM web interface: Package Center > Installed > Active Backup for Business
Verify Fix Applied:
Confirm the installed version is 2.7.1-13234, 2.7.1-23234, or 2.7.1-3234 in Package Center.
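The version check above is easy to get wrong in a script because the three fixed versions only differ in the build number after the dash, and comparing the strings lexicographically puts "2.7.1-9999" after "2.7.1-13234". The following is an added example, not code from Synology or from this advisory: it parses a `major.minor.patch-build` string into integers and compares an installed version against the fixed version on the same release track. Which of the three fixed versions applies to a given installation is not stated on the page, so the caller is assumed to pick it.

```python
import re
from typing import Tuple

# Fixed versions named in the advisory summary (one per release track).
FIXED_VERSIONS = ("2.7.1-13234", "2.7.1-23234", "2.7.1-3234")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch-build' into a tuple of ints so it compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version is strictly older than the fixed version.

    `fixed` must be the fixed version for the same release track as `installed`
    (assumption: the operator selects it from FIXED_VERSIONS); comparing a
    version from one track against the fixed version of another is meaningless.
    """
    return parse_version(installed) < parse_version(fixed)


def lexicographic_says_vulnerable(installed: str, fixed: str) -> bool:
    """The naive string comparison, kept only to show why it must not be used."""
    return installed < fixed


def assess(installed: str, fixed: str) -> str:
    """Human-readable verdict for a ticket or inventory report."""
    if fixed not in FIXED_VERSIONS:
        raise ValueError(f"{fixed!r} is not one of the fixed versions on the advisory")
    state = "VULNERABLE" if is_vulnerable(installed, fixed) else "patched"
    return f"Active Backup for Business {installed} (fixed: {fixed}): {state}"


if __name__ == "__main__":
    # Constructed sample inventory: (installed version, fixed version for its track).
    for installed, fixed in [("2.6.3-13104", "2.7.1-13234"),
                             ("2.7.1-9999", "2.7.1-13234"),
                             ("2.7.1-13234", "2.7.1-13234")]:
        print(assess(installed, fixed))
```

The `lexicographic_says_vulnerable` helper exists only to make the pitfall visible: for "2.7.1-9999" against "2.7.1-13234" it answers "not vulnerable" while the numeric comparison correctly answers "vulnerable".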
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events from Active Backup processes
- Administrator account performing unexpected file operations
Network Indicators:
- HTTP requests to Active Backup endpoints with path traversal patterns
SIEM Query:
source="synology" AND (event_type="file_delete" OR action="delete") AND process="activebackup" AND path CONTAINS ".."
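The SIEM query above does a plain `CONTAINS ".."` on the path, which misses URL-encoded sequences (`%2e%2e`) and fires on harmless names such as `..hidden`. The block below is an added example, not tooling from Synology or this advisory: it implements the same conditions as the query over a handful of constructed `key="value"` log lines, but decodes the path first and only flags a literal `..` path segment. The field names (`source`, `event_type`, `action`, `process`, `path`) are taken from the query; the log format and every path in the sample lines are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log lines (not real DSM output). Paths are placeholders.
SAMPLE_LOGS = [
    'source="synology" event_type="file_delete" process="activebackup" user="admin" path="/volume1/backups/old/server01.img"',
    'source="synology" event_type="file_delete" process="activebackup" user="admin" path="/volume1/backups/../../etc/placeholder.conf"',
    'source="synology" action="delete" process="activebackup" user="admin" path="/volume1/backups/%2e%2e/%2e%2e/etc/placeholder"',
    'source="synology" event_type="file_delete" process="activebackup" user="admin" path="/volume1/backups/..hidden/notes.txt"',
    'source="synology" event_type="file_delete" process="sshd" user="root" path="/tmp/../etc/placeholder"',
    'source="other" event_type="file_delete" process="activebackup" user="admin" path="/a/../b"',
]

_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict."""
    return dict(_KV_RE.findall(line))


def normalise_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded dots are caught, and
    fold backslashes to forward slashes before splitting into segments."""
    prev, cur = None, path
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True only when a whole path segment is '..' after decoding."""
    return ".." in normalise_path(path).split("/")


def matches_siem_query(event: Dict[str, str]) -> bool:
    """Same predicate as the SIEM query on the page, with decoded-segment matching."""
    return (
        event.get("source") == "synology"
        and (event.get("event_type") == "file_delete" or event.get("action") == "delete")
        and event.get("process") == "activebackup"
        and has_traversal(event.get("path", ""))
    )


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that should be raised as alerts."""
    return [ev for ev in map(parse_line, lines) if matches_siem_query(ev)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"ALERT user={hit.get('user')} path={hit['path']}")
```

Only the second and third sample lines are raised: the `..hidden` directory, the deletion by a different process, and the event from another source are all left alone, which is the behaviour you want before pointing this at a production log volume.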