The network-attached storage company Synology has warned its customers about security flaws in Netatalk. Netatalk is an open-source implementation of the Apple Filing Protocol (AFP) that lets *NIX/*BSD systems act as AppleShare file servers for macOS clients. The vulnerabilities were first discovered at the Pwn2Own 2021 hacking contest and were fixed by the Netatalk development team on 22 March 2022 with the release of version 3.1.13.
Four vulnerabilities with CVSS 9.8 score
Netatalk fixed the issues more than a month ago, but Synology devices are still vulnerable
The critical security flaws, tracked as CVE-2022-23121, CVE-2022-23125, CVE-2022-23122, and CVE-2022-0194, allow unauthenticated attackers to remotely execute arbitrary code. All of them are rated 9.8 on the CVSS scale, meaning they are critical and unpatched devices are in great danger. The vulnerabilities are fixed in DiskStation Manager (DSM) 7.1, but devices running DSM 7.0, DSM 6.2, VS Firmware 2.3, and SRM (Synology Router Manager) 1.2 remain unpatched.
Synology states that the development of a patch for the exposed devices is ongoing. The company generally fixes security problems within 90 days of its advisory, so if that holds, the devices will remain exposed for a while. The company has not yet provided any mitigation either. Synology asks customers who want immediate assistance to contact it via its support page. You can follow the link below to ask for assistance with the unfixed critical vulnerabilities that allow remote code execution on your device:
Click here to reach Synology for assistance
Edit: Synology has reached out to us with a mitigation method, which you can read below:
« Netatalk provides file access through AFP (Apple Filing Protocol) on DSM. This service has been disabled by default since DSM 7.0. We recommend using SMB protocol instead when connecting from macOS.
For Synology systems not yet upgraded to DSM 7.1-42661-1 or newer, administrators can disable “AFP service” to mitigate this specific vulnerability. In environments where AFP is still needed, setting up firewall rules to only allow trusted clients to connect over AFP (port 548) can be used as temporary mitigation »
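The firewall half of that mitigation, restricting TCP port 548 to trusted clients and logging everything else, as an added example script that is not part of the article or of Synology's guidance. It assumes a Linux host with iptables and the conntrack match available; on DSM itself the supported way to do this is the Firewall page in Control Panel, and the chain name and "AFP-BLOCKED" log prefix are my own choices.

```shell
#!/bin/sh
# Added example: build iptables rules that allow AFP (TCP 548) only from trusted
# clients and log-then-drop everyone else. Not from the article or Synology.
# Usage: afp_rules "192.0.2.0/24 198.51.100.7" [apply]
#   without "apply" the commands are printed instead of executed (dry run)
afp_rules() {
    trusted=$1            # space-separated CIDRs/hosts allowed to reach AFP
    mode=${2:-print}      # "apply" runs iptables; anything else prints the commands
    run() { if [ "$mode" = apply ]; then "$@"; else echo "$*"; fi; }

    # Dedicated chain so these rules can be flushed without touching the rest of INPUT
    run iptables -N AFP_TRUSTED
    run iptables -F AFP_TRUSTED
    for c in $trusted; do
        run iptables -A AFP_TRUSTED -s "$c" -j ACCEPT
    done
    # Rate-limited LOG before DROP: blocked attempts show up in the kernel log,
    # which is the signal to watch while the device is still unpatched.
    run iptables -A AFP_TRUSTED -m limit --limit 10/min -j LOG --log-prefix "AFP-BLOCKED: "
    run iptables -A AFP_TRUSTED -j DROP
    # Route new AFP connections through the chain, at the top of INPUT.
    run iptables -I INPUT 1 -p tcp --dport 548 -m conntrack --ctstate NEW -j AFP_TRUSTED
}

# Return the number of explicit allow rules that would be generated (one per trusted entry).
afp_allow_count() {
    afp_rules "$1" | grep -c -- '-j ACCEPT'
}
```

Run the dry run first and check the printed rules, then rerun with `apply` as root; remember the chain stays in place after the patch is installed, so remove it (or keep it) deliberately.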