
Synology cloud sync vulnerability exposes OS X systems

A vulnerability in a cloud sync application was disclosed this week that could allow hackers to gain control of OS X systems.

A cloud sync application vulnerability was disclosed this week that could allow hackers to gain full control of Apple OS X systems.

The vulnerability was discovered in Synology's Cloud Station client for OS X. The application allows users to sync their files between numerous devices, such as PCs, smartphones and tablets, via the cloud. However, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University's Software Engineering Institute in Pittsburgh, the product's OS X cloud sync client features a default permissions flaw that allows a user to change the ownership of system files on the connected devices and gain complete control over those devices.

"A local standard OS X user may gain ownership over arbitrary system files, which may be leveraged to gain root privileges and fully compromise the host," the CERT advisory stated.
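As an added defender-side example (not Synology's or CERT's code, and not a model of the specific flaw, whose mechanics the advisory does not spell out), the following audit walks an application install tree and flags the kind of permission defaults the advisory describes: entries not owned by the expected account, world-writable entries, and setuid/setgid helpers that a non-owner account could modify. The directory and file names in the constructed sample tree are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_tree(root, expected_uid=0):
    """Return sorted (relative_path, issue) pairs for every suspicious entry under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath, name)
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue  # a link is judged by its target's own entry, not by the link
            mode = stat.S_IMODE(st.st_mode)
            rel = str(path.relative_to(root))
            if st.st_uid != expected_uid:
                # a system file owned by a standard account can be replaced by that account
                findings.append((rel, "unexpected owner uid %d" % st.st_uid))
            sticky_dir = stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append((rel, "world-writable"))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                # a privileged helper that a non-owner can modify is the worst case
                issue = "setuid/setgid"
                if mode & (stat.S_IWOTH | stat.S_IWGRP):
                    issue += " and writable by non-owner"
                findings.append((rel, issue))
    return sorted(findings)

def build_demo_tree(base):
    """Constructed sample tree (hypothetical names): a sane binary, a world-writable config,
    a group-writable setuid helper, a sticky scratch dir (fine) and a plain 777 dir (not fine)."""
    base = Path(base)
    for sub in ("bin", "cache", "shared"):
        (base / sub).mkdir()
    (base / "bin" / "sane").write_text("#!/bin/sh\n")
    (base / "bin" / "config.plist").write_text("<plist/>\n")
    (base / "bin" / "helper").write_text("#!/bin/sh\n")
    os.chmod(base / "bin" / "config.plist", 0o666)
    os.chmod(base / "bin" / "helper", 0o6775)
    os.chmod(base / "cache", 0o1777)
    os.chmod(base / "shared", 0o777)

def demo():
    """Audit the constructed tree, treating the current user as the expected owner."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return audit_tree(tmp, expected_uid=os.getuid())
```

Run against a real install with `expected_uid=0`, and treat any "unexpected owner" or "writable by non-owner" hit on a privileged helper as the highest-priority finding.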

The CERT advisory gave the Synology vulnerability a 6.8 on the Common Vulnerability Scoring System (CVSS), which is considered "moderate." A 7.0 to 10.0 vulnerability is rated as "severe."

Synology released a new version of the client that corrects the vulnerability, which affects Cloud Station sync client versions 1.1-2291 through 3.1-3320. CERT recommended that Cloud Station users update their clients to version 3.2-3475 or higher as soon as possible.

Synology, a Taiwanese storage vendor, introduced Cloud Station for Macintosh systems in 2012. The product acts as an alternative to public cloud storage services like Dropbox and Google Drive by enabling users to create their own private cloud on a Synology NAS appliance and securely synchronize data across multiple devices via the Cloud Station client.

In addition to the Cloud Station flaw, Synology also patched another vulnerability in its Photo Station application. The command injection vulnerability, which was discovered by Dutch software security firm Securify Inc., could allow malicious actors to compromise Synology's DiskStation NAS systems. Synology released an update for Photo Station and recommended updating the application to version 6.3-2945 to patch the flaw.
