Vulnerabilities: Synology, SuperMicro Motherboards

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
20,329
Location
I am omnipresent
Website
s-laker.org
I don't think we should be at all surprised that a prepackaged storage solution like a Synology NAS would have swiss cheese security. I'm kind of impressed that somebody could make that much money cryptocoin mining on a bunch of Atom CPUs.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,101
Location
Gold Coast Hinterland, Australia
Is that only a problem if your NAS is on the internet?
That was my thought in regards to both? Why does a BMC need direct access to the Internet, and the only reason I can think of giving a NAS direct access is if it has FTP or web functionality that you wanted to explicitly expose...

Yes these sorts of things shouldn't happen, but security requires layers just like a good onion...
 

LunarMist

I can't believe I'm a
Joined
Feb 1, 2003
Messages
15,268
Location
USA
I would never connect my NAS to the internet, but perhaps some buy it for that purpose.

There are slomo for the
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
As far as I know, Synology is more of a consumer NAS, not for heavy duty professional use. It is possible that it was connected to a switch/router for internal access, inadvertently also exposing it to the Internet without intending to do so or understanding the implications. Most everything today has a web interface for managing it, and so you have the perfect recipe for something like this to happen.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,315
Location
Monterey, CA
I'm sure everyone here knows, but I'll reiterate because it deserves it. Don't expose anything to the internet. System complexity and the number of people looking for exploits have effectively made everything vulnerable by an automated process. Have a firewall that blocks all unsolicited incoming traffic in all cases.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Many motherboards with built-in BMCs tie it to the motherboard's eth0 by default. The same NIC that would get plugged in at the colo.
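For ddrueding's "block all unsolicited incoming traffic" advice and Howell's point about BMCs sharing eth0, here is an added example of what that looks like as a host ruleset. It is not from the thread or from Synology; it is an nftables ruleset written for this post, and it assumes a LAN of 192.168.1.0/24, a NAS web UI on tcp/5000-5001 and IPMI on udp/623, which are assumptions to adjust for your own setup.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread: default-deny inbound host firewall.
# Assumptions (mine): LAN is 192.168.1.0/24, NAS web UI on tcp/5000-5001,
# IPMI on udp/623, SSH/HTTPS on 22/443, SMB/NFS on 445/2049.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # nothing unsolicited gets in

        ct state established,related accept               # replies to connections we opened
        ct state invalid drop
        iif lo accept                                     # loopback

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Management interfaces reachable only from the LAN, never from the WAN
        ip saddr 192.168.1.0/24 tcp dport { 22, 443, 5000, 5001 } accept
        ip saddr 192.168.1.0/24 udp dport 623 accept       # IPMI, LAN only

        # File services likewise LAN only (SMB, NFS)
        ip saddr 192.168.1.0/24 tcp dport { 445, 2049 } accept

        # Everything else logs (rate limited) and then falls through to the drop policy
        limit rate 5/minute log prefix "nft-drop-input: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. One caveat that ties the two posts together: this ruleset runs in the host OS, so it does nothing for a BMC on a shared NIC, because the management controller takes its traffic off the wire before the OS ever sees it. The BMC needs its own restrictions (a dedicated management port or VLAN, its own access list) and the upstream firewall in front of both.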
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
20,329
Location
I am omnipresent
Website
s-laker.org
As far as I know, Synology is more of a consumer NAS, not for heavy duty professional use. It is possible that it was connected to a switch/router for internal access...
For what it's worth, the Synology NAS does have some network-based file sharing features that become available if they're exposed directly to the internet. They can do WebDAV and FTP with relatively little configuration. It's definitely not out of the question that a small business would have one configured so users could access their data off-site. The one, two and perhaps even four-bay products are definitely geared to SOHO and consumer needs, but the bigger versions aren't really going to appeal to anyone but corporate customers.

Also, Synology's NAS has WAY more useful firmware than Drobo, which is really the other big name in small NAS products. I'd never voluntarily buy a Drobo again.
 

sechs

Storage? I am Storage!
Joined
Feb 1, 2003
Messages
4,698
Location
Left Coast
I will also mention that, in any company of size, there's consumer gear where there should be enterprise stuff, simply because it's cheaper or employees brought it in themselves, as they wouldn't get approval for something appropriate.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
20,329
Location
I am omnipresent
Website
s-laker.org
Of course, that also brings into question the actual value of the enterprise stuff. I suspect a lot of places have $1000 Cisco APs that could do just as well with $50 Netgear models.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
That's less a reflection of the value of a $1000 AP than of the ability of the buyer to differentiate whether they need those premium functions.
 