Synology and the NAS-ty malware-flingers: What can be learned

The recent Synology Synolocker issue should serve as a splash of cold water to any vendors in the tech industry that design and sell systems that are largely unattended or unmanaged. As described in The Reg yesterday, Synology NAS boxes are being hit by a Cryptolocker-like piece of malware dubbed Synolocker. Like Cryptolocker …

  1. Dan S

    "It's an expensive ask..." but necessary

    It will be expensive for Synology to improve their security, but they found the money for the new GUI on DSM v5 which has received "mixed reactions" (to put it politely). Setting up non-standard port numbers etc, should be an easy task and part of the default setup. El Reg readers are probably happy going to the command line, but that's too hard for most people. Besides, many would make the (wrong) inference that if it mattered the option would be in the GUI.

    Synology aren't just selling to IT professionals but to people who want Synology NAS as a "just works" commodity for their home office. Many here would say that's naive of the users. But all the emphasis on EZ-Connect etc indicates many Synology customers don't understand port forwarding etc. Synology needs to find a way of saving the average user from themselves and the risks of attaching all your data to the internet. BTW I'm not criticising ordinary users, I'm a psychologist not an IT professional. I've made my fair share of security screw-ups.

    1. Trevor_Pott Gold badge

      Re: "It's an expensive ask..." but necessary

      I can't say I completely disagree. At the same time, the balance between security and usability is still something tech companies are pouring research dollars into.

      I personally can't claim to have all of the answers. Some, yes, but certainly not all. I think any among us who did try to claim that would be a fool; if they had the surefire answers, they'd be a mad billionaire.

      So absolutely there needs to be a refocus on security within Synology. I'd like to be among the first to pound on the table about this. But this has to be balanced with usability and perhaps that means that - for now - we can't have both.

      For now, at least, security is a shared responsibility, whether you're using a Synology NAS, a Supermicro IMPI controller, a Dell thin client or an HP display management computer. Systems that are largely unattended and unmanaged still need TLC. It sucks, but it's the state of technology today.

      What really needs to happen is a lot of the smaller players need to get together and pool their resources into helping solve the problems to hand. A great example would be the Application Layer Gateway firewall I want. That's a beefy requirement. It takes a lot of RAM and a lot of CPU, at least when you're talking in the context of IoT devices.

      A baseband management controller, or a low-end ARM NAS, or even your average display management computer is going to have trouble handling a proper one. Throw on monitoring, reporting, communications, etc...suddenly we start getting into the realm of a Big Ask for such small equipment.

      So I think real research is required here. How can we do more with less? How can we shrink the requirements of some of this stuff so that we stay within the power/parts/price limits for that product category but still maintain both usability and security?

      As I said above, I certainly don't have all the answers. I wish I did.

      I could use the billions.

      1. Dan S

        Re: "It's an expensive ask..." but necessary

        @Trevor I think your analysis is very fair. I'm glad you're talking to Synology and hope you get them to refocus on security. I've seen them extend a lot of features. From a business perspective I can see the drive to keep up with competitors offering x, y and z.

        The problem with enhancing security is that it doesn't really sell as an EXCITING feature - not until something goes wrong. Right now I'd pay Synology £100 for this problem to go away. Would I have paid that premium at the start of the year when I bought two Synology NASs? I honestly don't know... probably not. In that sense users like me are part of the problem. That's also why the people behind this attack will probably find it quite profitable.

        1. Anonymous Coward

          Re: "It's an expensive ask..." but necessary

          Synology are aiming their top gear with HA redundant systems at higher end SMBs. The problem is they run the same interface as the low end home user boxes. So a high end system presents you with an iTunes server and photo server when you are trying to use it as a perfectly reasonable SAN.

          I spoke to them a while back about their website being way too home-user focussed when they sell some reasonable SMB kit and, fair play to them, they tidied it all up very quickly and it looks a lot better.

          However I think they should separate their products into Home and Business products with more focus on the security, reliability etc on their Business products without all the default apps installed and a more technical set-up.

          1. James 100

            Re: "It's an expensive ask..." but necessary

            "However I think they should separate their products into Home and Business products with more focus on the security, reliability etc on their Business products without all the default apps installed and a more technical set-up."

            I disagree there - yes, a home/business split may make sense for other reasons, but why would you weaken the security on either? If anything, I suspect the home market may need better security, since it's less likely to have other defences in place like a VPN for remote access, centralised password storage and expiry...

            1. Anonymous Coward

              Re: "It's an expensive ask..." but necessary

              "...why would you weaken the security on either?"

              I never mentioned purposely weakening security? However a Business user doesn't need the ton of apps, 'cloud' access and easy firewall tunnelling that a home user might.

              Whereas a home user might say "I really want super-media server installed, every other NAS has it", Synology could add it but not include it, as standard, in their business build as it could have an unknown vulnerability or provide another means of attack. Therefore each part of the business line would be considered against minimising attack vectors rather than fancy features.

              It would also extend to stable releases, well tried and tested, with just security updates and stability enhancements as updates rather than the continuous stream of updates that a home user might get to keep Synology competitive in that market. Full stable releases getting pushed out every year or so.

              It's a different thinking and use case for business products as opposed to home products and by default the more apps, the more you use shortcuts to make things easy for non-tech people the weaker the security will be.

    2. Anonymous Coward

      Re: "It's an expensive ask..." but necessary

      "Setting up non-standard port numbers etc, should be an easy task and part of the default setup. El Reg readers are probably happy going to the command line, but that's too hard for most people."

      It may not be part of the default setup but changing the important port numbers for this vulnerability (5000 and possibly 5001) is simple from the GUI. Just go to the control panel and change them.

    3. Steve 13

      Re: "It's an expensive ask..." but necessary

      I'm a bit late to this story, but in reply to the first comment.

      Changing ports is not a security measure. Or at best it's a weak form of obfuscation.

      1. Trevor_Pott Gold badge

        Re: "It's an expensive ask..." but necessary

        Actually, it is considered by most experts to be an important part of defense in depth. It eliminates 80%+ of the attacks in a single move. The rest of the attacks then must be dealt with by other means...but it would prevent the current crisis, as the existing malware only looks at default ports.

        Sometimes, obfuscation is all that's required. Other times, you need more. But don't discount the value of obfuscation when so many attackers are just plain lazy.

        1. dan1980

          Re: "It's an expensive ask..." but necessary

          Re: obfuscation

          Using non-standard ports and usernames is definitely part of security, as a whole. Maybe not too interesting for people deploying heavy-duty firewalls and IDS boxes but important nonetheless.

          This malware targeted Synology devices specifically. How did it do that? The answer is that it found them by scanning for default open ports.

          Changing ports may not be much security against a targeted attack, but it can go a long way to prevent you being a target in the first place!!

          1. Anonymous Coward

            Re: "It's an expensive ask..." but necessary

            Port scanners are as old as the TCP/IP network itself - it takes very little to check what ports are open and which services sit behind them.

            Also, if you plan to manage/use your system from the Internet, you may need to manage/use it from networks that won't let arbitrary ports be used for external connections. For example, any sensible company firewall/proxy will let only HTTP connections to ports 80 and 443 of external servers (unless there are good reasons to allow other specific ports to specific IPs), not to any port of your choice.

            IMHO the only way to protect these systems is to access them only via a properly secured and authenticated tunnel. The whole IoT is doomed to fail if companies want devices directly accessible over the Internet to pump user data out of them. I would not let any device of mine be publicly accessible unless it is designed to be, like my own web site - and even then it will be properly isolated from the main internal network.

  2. Anonymous Coward

    KISS

    Having looked at the available Bells and Whistles apps for the Synology NAS I kept coming back to the thought "but why would you put that on something which by design has a lot of your valuable data/backups?" I can see the sales people screaming "can it make coffee yet!?" while the guys responsible for the backbone NAS functionality are busy freshening up their CV and broadening the LinkedIn profile to pay the rent. It will end in tears; someone has lost sight of a main driver for NAS, secure file storage and backup.

    If you want Joomla/Moodle/MediaWiki etc. install a hypervisor on a box somewhere and get to know TurnkeyLinux, assume something will get hacked or broken and keep them contained to limit the blast radius. Don't keep putting your Kinder, chicken and Fabergé in the same basket.

    1. Mark 65

      Re: KISS

      Interestingly some of the high end QNAP 4 bay NAS boxes can run VMs. Maybe a corporate client had a word with them and mentioned they wanted segregation of these features.

  3. Annihilator

    re: Fail2Ban

    So regarding Fail2Ban - it does have crude "block repeated login attempts" in the "AutoBlock" section of the control panel. Set how many times an IP can fail to log in and it'll block the offending IP address, indefinitely if need be. I'd remote into the device to check the exact settings, but I've disabled that for now :-D

    I agree though, the "everything via port 5000" is possibly the worst idea they could come up with.

    1. BlartVersenwaldIII

      Re: re: Fail2Ban

      However, if it's the process itself that's vulnerable (something I don't think anyone knows yet), you might not even need to attempt to log in in order to exploit it - it might just require the right sort of data squirted at it - in which case IDS-ish tools like fail2ban won't help you, likewise for a rate-limiting firewall.

      Even if it did require a valid login, the last two NAS units I set up had SSL turned off out-of-the-box and required enabling options in the GUI to mandate it (granted that was 2yrs ago) so even with better defence mechanisms there might still be a lot of creds going over in the clear.

      A VPN setup should still be the preferred approach before you can even try authenticating to the NAS services.

      1. Annihilator

        Re: re: Fail2Ban

        Agreed, wouldn't help in this instance - just clarifying the article :-) It's unlikely this is a brute-force style attack so rate-limiting wouldn't be any good.

    2. Trevor_Pott Gold badge

      Re: re: Fail2Ban

      Fail2Ban is capable of more analysis than simply "block X number of failed logins". That just happens to be the only thing most people use it for. :)

      Also: Fail2Ban wouldn't have stopped this attack, but it would stop many others. And my point here is "defense in depth." That there are layers that need to be here. I would, for example, configure Fail2Ban - or the auth system it protects - to reject any root or admin-priv user if that user was logging in from anything excepting the local subnet. Very important...
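The two rules discussed in this sub-thread - the crude "block an IP after N failed logins in a window" that AutoBlock does, and the stricter "a root or admin-privileged account should never log in from outside the local subnet" - as a small log analyser. This is an added example, not code from the thread, from Synology or from the Fail2Ban project; the log lines, the local subnets and the thresholds are constructed for the example.

```python
"""Added example (not from the thread, Synology or Fail2Ban): a minimal
analyser implementing two rules over sshd-style auth log lines:
  1. ban an IP after MAX_FAILURES failed logins within WINDOW_SECONDS;
  2. alert on a privileged account accepted from outside LOCAL_NETS.
All sample data below is constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical site policy; adjust to taste.
LOCAL_NETS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]
PRIVILEGED_USERS = {"root", "admin"}
MAX_FAILURES = 3        # failures tolerated from one IP ...
WINDOW_SECONDS = 300    # ... within this many seconds (5 minutes)

# sshd-style line, e.g.
# "Aug  5 10:00:01 nas sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: a short brute-force burst from 203.0.113.7, a
# normal local login, an admin login from the LAN, root accepted from a
# public address, and three failures spread too far apart to trigger a ban.
SAMPLE_LOG = """\
Aug  5 10:00:01 nas sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2
Aug  5 10:00:05 nas sshd[1201]: Failed password for admin from 203.0.113.7 port 51235 ssh2
Aug  5 10:00:09 nas sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Aug  5 10:01:00 nas sshd[1210]: Accepted password for alice from 192.168.1.20 port 40000 ssh2
Aug  5 10:02:30 nas sshd[1222]: Accepted password for admin from 192.168.1.21 port 40001 ssh2
Aug  5 10:03:00 nas sshd[1230]: Accepted publickey for root from 198.51.100.9 port 40002 ssh2
Aug  5 10:10:00 nas sshd[1240]: Failed password for admin from 198.51.100.5 port 40003 ssh2
Aug  5 10:20:00 nas sshd[1241]: Failed password for admin from 198.51.100.5 port 40004 ssh2
Aug  5 10:30:00 nas sshd[1242]: Failed password for admin from 198.51.100.5 port 40005 ssh2
""".splitlines()


def parse_line(line, year=2014):
    """Return a dict for an Accepted/Failed line, or None for anything else.
    Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": ip_address(m["ip"])}


def is_local(ip):
    """True when the address (object or string) falls inside a local subnet."""
    ip = ip_address(ip)
    return any(ip in net for net in LOCAL_NETS)


def analyse(lines):
    """Return (set of IPs to ban, list of (user, ip) privileged remote logins)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    to_ban = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            # keep only failures still inside the sliding window, then count
            recent = [t for t in failures[ev["ip"]] + [ev["ts"]]
                      if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            failures[ev["ip"]] = recent
            if len(recent) >= MAX_FAILURES:
                to_ban.add(ev["ip"])
        elif ev["user"] in PRIVILEGED_USERS and not is_local(ev["ip"]):
            # a successful privileged login from outside the LAN: rule 2
            alerts.append((ev["user"], str(ev["ip"])))
    return to_ban, alerts


if __name__ == "__main__":
    bans, alerts = analyse(SAMPLE_LOG)
    print("ban:", sorted(str(ip) for ip in bans))
    print("privileged logins from outside local subnets:", alerts)
```

On the sample log the burst from 203.0.113.7 is the only ban; 198.51.100.5 fails three times but ten minutes apart, so it never accumulates three failures inside the window, and the root login from 198.51.100.9 is the one rule-2 alert (admin from 192.168.1.21 is local and passes). Fail2Ban proper expresses the same idea as a filter regex plus a jail with maxretry and findtime, and a real deployment would want PPID-free accuracy replaced by whatever the NAS actually logs.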

  4. Anonymous Coward

    Step 0 for Synology

    I agree with the basic ideas expressed in the article, but would suggest the first step is for Synology to actually spend some time (or even <gasp> money) communicating and responding to their user base. As a Synology NAS user I've given up on any support whatsoever from them for anything whatsoever, their forums are a joke, their e-mail support laughable. It may be that an Enterprise contract is necessary for anything to happen, my experience is that they do not care a jot about the average user.

    I also agree with a previous poster over the waste of money that is the new DSM interface; it's not much better or worse than the previous interface, but perhaps the money could have been better spent on supplying security or decent functionality.

    Their priorities seem somewhat wrong.

  5. Graham 32

    If Synology are reading the article they'll only care about this bit: "I like Synology's products and I intend to keep on using them."

    1. Destroy All Monsters Silver badge

      A cunningly placed MARKETING FNORD!

      1. Trevor_Pott Gold badge

        If it was a fnord, you wouldn't be able to see it.

        As for Synology, I've got meetings scheduled with them to go over the issues here and try to convince them to invest heavily in security. So far, they seem receptive.

  6. Edwin

    According to Synology...

    The vulnerability that is being exploited was patched in December 2013.

    http://forum.synology.com/enu/viewtopic.php?f=108&t=88770

    Admittedly, it's "based on their current observations" but does suggest that this is an old vulnerability - there have been numerous patches and updates since then, so it would appear that these are old and unpatched systems.

    While I'm appalled at the fact that I've not had an email notification from Synology, I think this article is a little harsh: it would appear to me that Synology has done fairly well in terms of patching and updates. The newer DSM versions are also fairly proactive about emailing me when updates are available.

  7. Graham Jordan

    Thanks

    I didn't know about any vulnerability in Syno. I mean aside from the standard "Update your NAS now" emails which tell of bug fixes, not what the bugs are and how they're being used.

    Had mine front facing on the net for a while without any problems (touch wood). I don't pretend to know anything about the Linux code or how to use the shell.

    I disabled the admin account and created a new one. I have SSH turned off. I have SSL turned on and auto-redirected. I have auto-block IP on 2 password fuck-ups.

    Am I doing everything right?

    1. Destroy All Monsters Silver badge

      Re: Thanks

      So far, yes.

  8. Ian 62

    Remember it's not just Synology

    It shouldn't have happened. No argument.

    But why the laser like targeting on Synology? Which appears to be far more aggressive than previous reporting for:

    Onity

    Sony

    LinkedIn

    eBay

    Yahoo

    Target

    Orange

    Microsoft

    Apple

    OpenSSL

    Adobe

    Dell

    etc..etc..

    You could at least slap all of them equally for their incompetence over the years.

    1. Steven Raith

      Re: Remember it's not just Synology

      They've all had the ire shone on them at some point, but Trev has made it clear that he's pretty invested in the Syno stuff in the past for when it's suitable and that he likes it, so it's fairly straightforward to see why someone who is

      familiar with the ecosystem,

      has contacts at the company,

      and has a journalistic outlet

      would make more noise over it than for other companies such as Apple, Adobe etc, where I'm not aware of any Reg journos having direct contacts there they can press (or who would be in a technical position, as a live techy on those products, to proffer such advice).

      if you see what I mean?

    2. John Tserkezis

      Re: Remember it's not just Synology

      "etc..etc.. You could at least slap all of them equally for their incompetence over the years."

      You forgot QNAP.

      1. petur

        Re: Remember it's not just Synology

        I think he was listing brands with security issues, couldn't find an article on a QNAP security cockup (other than OpenSSL which everyone suffered).

        Not that they will be without issues, and I bet they will be doing even more audits and tests in the light of current news...

        1. Steven Raith

          Re: Remember it's not just Synology

          I was warded off QNAP by a few reports on the old interwebs suggesting they are great at adding new features, but shit at backporting security fixes to older versions of their OS, and backporting the OS to older hardware (IE DSM 5 runs on most of their range, IIRC)

          Survey of one, apocryphal tales etc, but that's why I went with Synology in the end - they do seem to keep the older stuff actively supported longer.

          1. Mark 65

            Re: Remember it's not just Synology

            You could also argue that by forcing you to use the latest version of the OS it makes it easier for them to support. Heck even Microsoft limit what they support and they're massive in comparison. I've had my QNAP since 2008 and it still runs the latest OS and is thus supported. I'll settle for that.

          2. sibster

            Re: Remember it's not just Synology

            That is true, I have an old DS211j.

            It must have been released in 2010; it has 128MB RAM but it is running DSM5.

    3. Trevor_Pott Gold badge

      Re: Remember it's not just Synology

      "You could at least slap all of them equally for their incompetence over the years."

      I do.

  9. GrumpyOldMan

    Mine's similar...

    I block on 3 wrong passwords within 5 minutes - and I've had loads of blocks just recently, mostly from China, although whether that's the actual source or a re-routed from elsewhere I don't know. As with Mr Jordan, my admin account has been changed and has a very strong password. I'm not a fan of the DSM 5 interface, personally I really don't like the current Metro-like flat, lifeless, featureless 2D tiles that seem to be everywhere in IT these days.

    I got my wife to take mine off the web first thing as a precaution and will check it out tonight. I really like Synology kit, mine's a 2-drive 3 or 4 year old now. Will be getting another one for my home lab soon.

  10. BlartVersenwaldIII

    CVE here

    Going from the Syno forum post, the CVE behind this exploit appears to be this one:

    http://www.rapid7.com/db/modules/exploit/linux/http/synology_dsm_sliceupload_exec_noauth

    No authentication required, dumps a file on the local system and then executes it as root apparently. Do the synology web services run as root?! Seriously... that's like eggs 101, Woodhouse.

    1. Destroy All Monsters Silver badge

      Re: CVE here

      1) Log in via SSH to The Little Company Box running DSM 5-0.4493 Update 3

      2) ps -w

      6601 http 308m S /usr/bin/httpd -DSSL -DSPDY

      6638 root 18064 S < /usr/bin/httpd -DSSL -DSPDY -f /etc/httpd/conf/httpd.conf-sys

      6640 root 17324 S /usr/bin/httpd -DSSL -DSPDY -f /etc/httpd/conf/httpd.conf-sys

      6649 root 137m S < /usr/bin/httpd -DSSL -DSPDY -f /etc/httpd/conf/httpd.conf-sys

      Hmmm...... does the webserver UPGRADE its UID to root or what?

      1. BlartVersenwaldIII

        Re: CVE here

        It's fairly normal for apache/httpd to start as root and then fork into worker processes running as less privileged users. IIRC by default apache won't run as root unless compiled with a specific option - you should be able to see that with httpd -v.

        1. Destroy All Monsters Silver badge

          Re: CVE here

          Yeah, but here they are clearly running as root.
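The question in this sub-thread is exactly the check a practitioner would script on a box like this: given ps output, which httpd processes are running as root beyond the one master that legitimately starts as root before forking workers? Below is an added example (not from the thread or from Synology) that parses the busybox-style ps -w lines quoted above. Because ps -w prints no PPID column, it assumes the lowest PID per configuration file is the master; with a fuller ps (pid,ppid,user,args) you would use the parent-child relationship instead. The header line of PS_OUTPUT is constructed; the four process lines are the ones quoted in the thread.

```python
"""Added example, not from the thread or Synology: audit `ps` output for
httpd processes that run as root other than one master per config file.
Assumption (because `ps -w` shows no PPID): the lowest PID in each group
is the master process; every other root httpd is a worker running as root."""
from collections import defaultdict

# Constructed header plus the four lines quoted in the thread.
PS_OUTPUT = """\
  PID USER       VSZ STAT COMMAND
 6601 http      308m S    /usr/bin/httpd -DSSL -DSPDY
 6638 root     18064 S <  /usr/bin/httpd -DSSL -DSPDY -f /etc/httpd/conf/httpd.conf-sys
 6640 root     17324 S    /usr/bin/httpd -DSSL -DSPDY -f /etc/httpd/conf/httpd.conf-sys
 6649 root      137m S <  /usr/bin/httpd -DSSL -DSPDY -f /etc/httpd/conf/httpd.conf-sys
"""


def parse_ps(text):
    """Parse busybox-style `ps` lines (PID USER VSZ STAT COMMAND) into dicts.
    The STAT column may contain a space ("S <" for a high-priority process),
    so the command is located as the first token that is an absolute path."""
    procs = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header or blank line
        cmd_idx = next((i for i, t in enumerate(tokens) if t.startswith("/")), None)
        if cmd_idx is None:
            continue  # kernel thread or unrecognised line
        procs.append({"pid": int(tokens[0]), "user": tokens[1], "args": tokens[cmd_idx:]})
    return procs


def config_of(args):
    """The httpd -f argument, or 'default' when it uses the compiled-in path."""
    for i, a in enumerate(args):
        if a == "-f" and i + 1 < len(args):
            return args[i + 1]
    return "default"


def audit_httpd(procs, daemon="/usr/bin/httpd"):
    """Return findings for httpd workers running as root.
    One root process per config file is accepted as the master (lowest PID,
    by assumption); any further root process in that group is flagged."""
    groups = defaultdict(list)
    for p in procs:
        if p["args"][0] == daemon:
            groups[config_of(p["args"])].append(p)
    findings = []
    for cfg, plist in groups.items():
        plist.sort(key=lambda p: p["pid"])
        for worker in plist[1:]:          # everything after the assumed master
            if worker["user"] == "root":
                findings.append({"pid": worker["pid"], "config": cfg,
                                 "reason": "httpd worker running as root"})
    return findings


if __name__ == "__main__":
    for f in audit_httpd(parse_ps(PS_OUTPUT)):
        print(f"PID {f['pid']} ({f['config']}): {f['reason']}")
```

On the quoted output the instance on the default config (PID 6601, user http) is clean, while the httpd.conf-sys group has 6638 as its assumed master and 6640 and 6649 flagged as root workers, which is what the thread's "clearly running as root" observation amounts to.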

  11. Anonymous Coward

    I've had a Synology for a while now and have often wondered if the team at Synology have a clue about half of the stuff that they put on the NAS.

    One point in general was when I was trying to set up NFSv4, introduced with V5. My 213+ doesn't support Kerberos so I looked into setting it up without. After a while of reading, one of the steps to set up NFSv4 without Kerberos is that both the NAS and connecting workstations must be in the same domain. After a support call to Synology to say I couldn't set up a *nix domain on the NAS, they asked me to install a patch without any explanation of what it did, so I stuck with NFSv3.

    When the next DSM 5 update released a field was added to allow the setting of this crucial field for the newly touted NFSv4 functionality to work.

  12. s1r.h3nry

    Conflict of interest?

    Isn't it a conflict of interest for Trevor to report on Synology while touting their gear to his own customers? Obviously he wouldn't want them to go bust. What exactly is his interest in the company?

    My only interest is curiosity and a distaste for shoddy products. I hope Synology gets taken to court for negligence.

    1. Trevor_Pott Gold badge

      Re: Conflict of interest?

      "Isn't it a conflict of interest for Trevor to report on Synology while touting their gear to his own customers? Obviously he wouldn't want them to go bust. What exactly is his interest in the company?"

      I am not entirely sure why it would be a conflict of interest to report on Synology while selling it to my customers. I sell Microsoft software and services to my customers too, and I tear them a new arse every other day. Any vendor is disposable, and - to be perfectly blunt - I don't make my living selling computers. I keep my hand in because doing so allows me to keep a presence at the coalface of IT, making sure my skills stay sharp and that I have knowledge and experience relevant to the IT companies I report on.

      What might represent a conflict of interest - but I honestly feel does not - is that I am currently engaged with Synology on a very narrow contract to provide them a VMworld booth demo. This demo consists of a Supermicro FatTwin server, a Supermicro switch and a Synology RackStation all configured to run various workloads that stress the Synology storage. The contract is very narrowly defined, and I have no other role (such as ongoing consulting, etc) beyond that specific deliverable.

      Given the voluminous red tape that is Synology's internal marketing spend processes, there is zero reason to believe I would get another contract from them. So, being frank, there is no incentive on my part to be nice to them. I have a fixed contract that says "I gets my money if I deliver the goods" and there's nothing in there about not pissing off the natives.

      And I piss off the natives rather a lot. They weren't exactly happy I ran a pair of pieces that said, in essence, "Synology made mistakes and needs to reorganize themselves internally and spend a stonking huge pile of money to make things better in the long run."

      I've never tried to hide who I am working with. You can always find out information about my open-ended engagements at http://www.trevorpott.com/about/ under "disclosure".

      I don't list narrowly focused, fixed-deliverable contracts unless those contracts compel me to advocate on behalf of a client. Once more being blunt: I get so many jobs creating whitepapers, blogs, demo videos, booth demos and so forth that the fixed-deliverable stuff all blurs together. They don't make me any more or less happy about a company.

      A great example is Microsoft. They gave me a free year of MSDN so that I would be able to have licences to write about their software. Didn't make me any more charitable towards them.

      VMware ensures I have a suite of the latest licenses, if you read my writing over at SearchVMware, I don't exactly pull punches with them either...and the VMware licenses I get are enough to run my lab.

      Bottom line: if there is ever something I - or any of the circle of professionals I trust to help me make these judgements - feel presents the possibility for conflict of interest, that will be listed in the disclosure section of my personal website for all to see.

      In the meantime and betweentime, I will report on anything interesting I turn up - positive or negative - with as little personal bias as I am capable of demonstrating. I will also use and abuse any and all of my contacts within every vendor I can to advocate on behalf of "the little guy": the end customer, end user and the sub-1000 seat SMB.

      As regards Synology, this means using all my connections there to try to get them to take a more serious approach to security. But I don't give Synology any more of a break than I would any other company.

      Well, except Ninite. They get a free pass no matter what. But I'm allowed to be an unashamed fanboy of at least one company, aren't I?

      1. s1r.h3nry

        Re: Conflict of interest?

        Thanks for the disclosure. If someone had recently suggested to me that I buy a Synology NAS, this episode would certainly affect my opinion of the quality of their IT advice. Unless they had also warned me of this sort of possibility.

        1. Trevor_Pott Gold badge

          Re: Conflict of interest?

          I think if you put the management interface of any device onto the internet you're nothing more than a lesson waiting to be taught to others. So to be entirely fair, when asked, I vehemently advise against it, be they Synology or not.

          Naked admin: just say no!

  13. david 12 Silver badge

    For DSM 4.0, please install DSM 4.0-2259 or later

    But not -2454, because 2454 has the same date and time as 2254, 2255, and 2255, and not 2257, because that is Earlier than 2255, not Later. No, you want 2262 or 2263, because those are Later than 2259, as well as being Greater than 2259, though Lesser than 2454.

    Although ACTUALLY, for most hardware, the last version of DSM 4.0 was DSM4.0-2228

    > http://ukdl.synology.com/download/DSM/4.0/ <

  14. Anonymous Coward

    I had an email from Synology warning me. The NAS also emails me telling me there's updates to DSM. People had EIGHT MONTHS to patch this vulnerability. Sympathy disabled.
