Synology Surveillance Station Vulnerabilities Expose Systems to Attack – Update Immediately
Security researchers at Synology have released a critical security advisory detailing multiple vulnerabilities in their Surveillance Station software. These weaknesses, if left unpatched, could provide malicious actors with alarming access to sensitive systems and data.
Affected Software:
- Surveillance Station for DSM 7.2
- Surveillance Station for DSM 7.1
- Surveillance Station for DSM 6.2
Vulnerability Breakdown
Among the discovered vulnerabilities, CVE-2024-29228 and CVE-2024-29229, both scoring a CVSS3 Base Score of 7.7, highlight missing authorization vulnerabilities in the GetStmUrlPath and GetLiveViewPath webapi components, respectively. These flaws could enable remote authenticated users to gain access to sensitive information through unspecified vectors.
Notably, CVE-2024-29241, with a CVSS3 Base Score of 9.9, signifies a critical missing authorization vulnerability within the System webapi component, potentially allowing unauthorized users to bypass security measures entirely.
Furthermore, a series of SQL injection vulnerabilities has been identified across various components, including Layout.LayoutSave, SnapShot.CountByCategory, and Alert.Enum, among others, each bearing a CVSS3 Base Score of 5.4. These vulnerabilities allow remote authenticated users to inject SQL commands, exploiting the improper neutralization of special elements within SQL commands.
Particularly concerning is CVE-2024-29240, which presents a missing authorization vulnerability in the LayoutSave webapi component, facilitating potential denial-of-service attacks.
Why These Vulnerabilities Matter
Synology Surveillance Station is widely used by individuals, small businesses, and larger organizations for video monitoring and security. The discovered weaknesses could have far-reaching consequences, including:
- Data Theft: Sensitive video footage and associated metadata could be compromised, potentially exposing personal information, business activities, or security protocols.
- System Takeover: Attackers could gain full control over the Surveillance Station and connected cameras, potentially using them for further malicious activity within the network.
- Disruption of Critical Services: Denial-of-service attacks could render surveillance systems inoperable during critical times, hindering a timely response to security incidents.
Urgent Action Recommended
Synology has released fixed versions of the affected software (Surveillance Station 9.2.0-11289 or above). Users are STRONGLY advised to take immediate steps:
- Update Surveillance Station: Apply the latest security patches as soon as possible. You can find instructions on Synology’s official website.
- Review Security Practices: Take this opportunity to reassess your overall security posture. Consider implementing stronger access controls, firewalls, and network segmentation to minimize the attack surface in the future.
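The first step above starts with knowing whether a given NAS is still below the fixed release. The following is an added example (not Synology's code) that parses the `major.minor.patch-build` version string Synology uses, reads the `version=` entry from package INFO-file text, and reports whether the installed build is older than 9.2.0-11289. It assumes the INFO file lives at `/var/packages/SurveillanceStation/INFO`; the sample INFO text and its version number are constructed for the demonstration.

```python
import re
from typing import Tuple

# Fixed release named in the advisory; anything older is treated as affected.
FIXED_VERSION = "9.2.0-11289"

# Constructed sample of a Synology package INFO file (key="value" lines).
# On a real NAS the file is assumed to be /var/packages/SurveillanceStation/INFO.
SAMPLE_INFO = '''package="SurveillanceStation"
version="9.2.0-10061"
displayname="Surveillance Station"
'''


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.patch-build' into a comparable integer tuple.

    The build number after the dash is compared numerically, so
    9.2.0-9999 correctly sorts below 9.2.0-11289 (a plain string
    comparison would get this wrong). A missing build compares as 0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {ver!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def read_info_version(info_text: str) -> str:
    """Return the value of the version= key from INFO-file text."""
    for line in info_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip().strip('"')
    raise ValueError("no version= entry in INFO text")


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def check_info(info_text: str, fixed: str = FIXED_VERSION) -> Tuple[str, bool]:
    """Parse INFO text and return (installed version, needs_update)."""
    ver = read_info_version(info_text)
    return ver, is_vulnerable(ver, fixed)


if __name__ == "__main__":
    ver, vuln = check_info(SAMPLE_INFO)
    print(f"Surveillance Station {ver}: {'UPDATE REQUIRED' if vuln else 'patched'}")
```

To run it against a live system, replace `SAMPLE_INFO` with the contents of the INFO file read over SSH; the same comparison applies to any of the three DSM lines listed above.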