Threat Advisory

Synology BeeStation Vulnerabilities Exploit Chain Enables Complete Device Takeover

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

The research reveals how three flaws in Synology BeeStation can be chained together to achieve full system compromise without any credentials. The attack begins with CVE-2024-50629, a CRLF injection weakness with a CVSS score of 7.5, where the redirect_url parameter fails to sanitize input, allowing an attacker to inject HTTP headers and force the server to leak internal files, ultimately exposing the valid system username. This leaked detail is then used to exploit a logic flaw in the authentication flow to obtain a valid access token, followed by an SQL injection in the update mechanism that is leveraged to plant a malicious cron job. By abusing cron’s fault-tolerance to run a clean command hidden within binary noise, the attacker bypasses traditional web shell techniques and weaponizes the task scheduler to gain a root shell, enabling complete unauthenticated takeover.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

The research reveals how three flaws in Synology BeeStation can be chained together to achieve full system compromise without any credentials. The attack begins with CVE-2024-50629, a CRLF injection weakness with a CVSS score of 7.5, where the redirect_url parameter fails to sanitize input, allowing an attacker to inject HTTP headers and force the server to leak internal files, ultimately exposing the valid system username. This leaked detail is then used to exploit a logic flaw in the authentication flow to obtain a valid access token, followed by an SQL injection in the update mechanism that is leveraged to plant a malicious cron job. By abusing cron’s fault-tolerance to run a clean command hidden within binary noise, the attacker bypasses traditional web shell techniques and weaponizes the task scheduler to gain a root shell, enabling complete unauthenticated takeover.[emaillocker id="1283"]

 

  • CVE-2024-50630 – An improper authentication issue with a CVSS score of 8.1 that causes the system to trust requests lacking a password, allowing login bypass using only a leaked username.

 

  • CVE-2024-50631 – An SQL injection vulnerability with a CVSS score of 8.8 in the update settings functionality that allows execution of malicious SQL commands leading to remote code execution.

 

 

The exploit chain demonstrates how small weaknesses can escalate into full system compromise when combined. Addressing each flaw is essential to prevent attackers from achieving complete control over affected devices.

RECOMMENDATION:

We strongly recommend you update Synology BeeStation to below versions:

  • Synology Drive Server for DSM 7.2.2: Upgrade to 3.5.1-26102 or above
  • Synology Drive Server for DSM 7.2.1: Upgrade to 3.5.0-26085 or above
  • Synology Drive Server for DSM 7.1: Upgrade to 3.2.1-23280 or above
  • Synology Drive Server for DSM 6.2: Upgrade to 3.0.4-12699 or above

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu