Since the 27th of February, Symantec MSS has noticed a substantial increase in inbound scans on port 5000/TCP across our global customer base. While 5000/TCP is commonly associated with UPnP (Universal Plug and Play), it is also the default port for the HTTP administration interface on Synology NAS appliances. We believe this uptick in activity is related to multiple remotely exploitable vulnerabilities recently discovered in Synology's DiskStation Manager. The majority of the most active scanning sources are located in China, Brazil, and the USA.
Synology is a Taiwanese company that specializes in home and enterprise network-attached storage (NAS) appliances. Synology DiskStation Manager (DSM) is a Linux-based operating system used for the DiskStation and RackStation lines of NAS products.
Multiple versions of Synology DiskStation Manager Software (4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810) are vulnerable to one or more security issues or attacks, including:
- Remote command execution (RCE)
- Arbitrary file read, write, delete
- Directory traversal
- Cross-site scripting (XSS)
The more severe vulnerabilities, documented in CVE-2013-6987 (allowing reading, writing, and deletion of arbitrary data) and CVE-2013-6955 (upload and execution of arbitrary code), were recently patched by the manufacturer.
A third series of less severe vulnerabilities was also disclosed in September 2013 but received no CVE identifiers and does not appear to have been patched.
Exploiting any of these issues could allow an unauthorized attacker access to or control of both administrative functions and stored contents within a Synology NAS.
Some creative Google hacking or a quick Shodan search will reveal numerous internet facing Synology systems, many of which exhibit the vulnerabilities highlighted in this article.
- Symantec MSS is actively detecting this port 5000/TCP scanning activity.
- Synology has advised users to upgrade to the latest version of DiskStation Manager (DSM).
- Exposure of NAS appliance control panels to the internet should be limited as much as possible.
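To illustrate how the scanning activity described above can be surfaced from ordinary perimeter logs, here is an added example (not Symantec's or Synology's code) that groups inbound 5000/TCP connection attempts by source and flags sources sweeping several distinct hosts. The iptables-style log format, the sample addresses and the three-host threshold are all assumptions; adapt the regex to your own firewall or flow export.

```python
"""Flag sources sweeping port 5000/TCP across many hosts (added example)."""
import re
from collections import defaultdict

# Constructed sample log (iptables-style, assumed format): one source probes
# four hosts on 5000/TCP, a second touches a single host once, and a third
# hits 443/TCP, which is not of interest here.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=5000 SYN
Mar  1 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP SPT=40002 DPT=5000 SYN
Mar  1 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=5000 SYN
Mar  1 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.8 PROTO=TCP SPT=40004 DPT=5000 SYN
Mar  1 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=5000 SYN
Mar  1 10:00:03 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=52000 DPT=443 SYN
"""

# Pull source, destination, protocol and destination port out of each line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Yield (src, dst, proto, dpt) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def find_sweepers(log_text, port=5000, min_targets=3):
    """Return {src: sorted distinct destinations} for every source that probed
    `port`/TCP on at least `min_targets` distinct hosts (a horizontal sweep).
    A single connection to one host, such as a legitimate admin login, is not
    reported; the threshold is an assumption to tune per environment."""
    targets = defaultdict(set)
    for src, dst, proto, dpt in parse_events(log_text):
        if proto == "TCP" and dpt == port:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_sweepers(SAMPLE_LOG).items():
        print(f"{src} probed 5000/TCP on {len(hosts)} hosts: {', '.join(hosts)}")
```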