New Admin Takeover Vulnerability Exposed in Synology's DiskStation Manager


SynoMan
Another hair-on-fire nothing burger. Article says it was addressed in a previous update and it only pertains to the default admin account that is disabled by default?? Slow news day I guess.... heheh.
 
To gain access to the NAS from the Internet then you either have to use:
  1. VPN server on a different device, with LAN access, that doesn't use the same authentication credentials as the NAS user accounts.
  2. VPN Server on the NAS, but use non-admin users to establish the connection. Or use a different user than your normal standard one; or use LDAP/Directory Server if you use local accounts.
  3. Direct access using secure services, but avoid admin accounts (meaning, don't do admin management activities via direct connections).
  4. I guess QuickConnect Relay service, if you don't mind the connections being brokered by Synology servers.
  5. This is a list assuming access is allowed, but there's always: don't allow Internet access.
It may not be this vulnerability, but there may be one coming along: it's all about minimising the risk, just in case.

My approach is direct secure connections to services for standard user accounts. For admin access it's VPN Plus to the router using a standard [DSM] LDAP Server user account*, then access the NAS. You can also access the router this way too.

*My LDAP user accounts have very restricted access to anything on DSM. LDAP admin accounts are not allowed to use the VPN services.
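As an added example (not code from this thread or from Synology), here is a small check that operationalises the rule in the post above: flag any login by an administrators-group account that did not arrive via the LAN or the VPN address pool. The log line format, the address ranges and the account names are constructed assumptions, not DSM's real log format.

```python
import ipaddress

# Constructed sample log. The "key=value" layout is an assumption for this
# example, not the format DSM actually writes.
SAMPLE_LOG = """\
user=alice src=192.168.1.20 service=DSM result=ok
user=admin src=203.0.113.45 service=DSM result=ok
user=fredbert src=10.8.0.6 service=DSM result=ok
user=backupadmin src=198.51.100.9 service=SMB result=fail
user=bob src=203.0.113.77 service=SMB result=ok
"""

# Assumed trusted paths: the LAN and the VPN client pool (assumptions).
TRUSTED_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),  # LAN
    ipaddress.ip_network("10.8.0.0/24"),     # VPN clients
]

# Accounts in the administrators group (assumption; "admin" is DSM's default).
ADMIN_ACCOUNTS = {"admin", "backupadmin"}


def parse_line(line):
    """Split one 'key=value key=value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_trusted(ip):
    """True if the source address is inside the LAN or VPN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_exposed_admin_logins(log_text, admin_accounts=ADMIN_ACCOUNTS):
    """Return (user, src, service, result) for every admin-group login
    attempt, successful or not, that came from outside the trusted ranges,
    i.e. admin use over a direct Internet connection."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f["user"] in admin_accounts and not is_trusted(f["src"]):
            hits.append((f["user"], f["src"], f["service"], f["result"]))
    return hits


if __name__ == "__main__":
    for hit in find_exposed_admin_logins(SAMPLE_LOG):
        print("admin login from untrusted network:", hit)
```

Failed attempts are reported too, since a default admin account being tried from the Internet is exactly the condition the post says to avoid exposing.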
 

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.