Vulnerability of OMV/Debian (ransomware)

  • In the last months you hear more and more about computers which are infected with ransomware. It seems Windows systems (e.g. CoinVault) but also Linux-based systems can be infected (e.g. SynoLocker). What can be the risk with a Debian/OMV system? Is it safe to say that if you install all the updates asap the chance of an infection will be nil?

    • Official post

    Interesting... Never heard of this, but some Googling confirmed what you're saying. I'm not sure any updates, etc.. would resolve this. It appears from my limited reading on this, it is malicious software being installed that is causing this. Just reading about Synolocker and reading what happens.. pretty crazy stuff. I remember last year when Heartbleed was making the news, Debian and OMV were already secured against it (and had been for a while) so long as you were keeping your system up to date.


    My guess is (and it is strictly that)... that the easiest way for a malicious programmer to implement this into an OMV machine would be via the plugin system.


    IF somehow your machine did get infected.. would a format/install of the OS resolve the issue, or would your data drives remain encrypted? Obviously the key thing is to make sure you're installing software from trusted sources (ie, the official Debian or OMV repositories) and avoid using 3rd-party PPAs that you cannot trust, etc.

    • Official post

    Just did a little more reading, and it seems the vulnerability is fixed in Synology's newest OS (DSM 5.0).. and most of these attacks are occurring on previous versions. Also, it seems it actually encrypts the data drives, rather than just the OS drive... so formatting the OS would do nothing.



    http://www.anandtech.com/show/…-of-synolocker-ransomware


    Edit: Another interesting read on the subject.. a fairly long thread on the matter in Synology's support forum.. http://forum.synology.com/enu/viewtopic.php?t=88770

  • In the case of SynoLocker it was a vulnerability in its OS itself. This is a quote from Synology about it:

    Quote

    We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.


    The files were replaced with an encrypted file, so reinstalling the OS didn't do the trick. Synology could not decrypt them either. A lot of people lost a lot of files this way.


    I can imagine that Debian/OMV isn't a big target, as the population using this software is relatively highly ICT-skilled and relatively small. But on the other hand, if it is affecting Linux it isn't hard to change the code a bit so it also affects other Linux-based OSes, I think?

    • Official post

    Quote

    In the case of SynoLocker it was a vulnerability in its OS itself. This is a quote from Synology about it:


    The files were replaced with an encrypted file, so reinstalling the OS didn't do the trick. Synology could not decrypt them either. A lot of people lost a lot of files this way.


    I can imagine that Debian/OMV isn't a big target, as the population using this software is relatively highly ICT-skilled and relatively small. But on the other hand, if it is affecting Linux it isn't hard to change the code a bit so it also affects other Linux-based OSes, I think?


    Actually, I would think Linux (in general) would be a far juicier target than Synology NAS's. Think about it, for Linux.. the code (if properly done) could be implemented on any Linux system, not just NAS's. Desktops, Servers, etc.


    Pretty interesting situation... Be interesting if Volker weighs in on this (if he knows anything about it).. but it looks like for Synology, this has been going on since around the first quarter of this year. Just from my limited reading though, it seems hackers found a vulnerability in the DSM software (and old versions at that).. so part of the blame is on folks not keeping their systems up to date (Are all you people still running OMV .4 listening?)

  • That's right and Heartbleed showed that a lot of different distros can be affected at the same time because they all use open libraries like OpenSSL and others.
    You never get a warranty that a system is 100% secure, no matter what you are using. So it is in your hands to control your systems, keep them up to date and do not install software from unknown sources. Take care if you want to open your system to the web. I bet that a lot of Synology users had opened their NAS to the web without knowledge of how to secure that well and if you use software like torrent your IP address will be propagated to the world. And there's a lot of sick minds out there.
    If you administer corporate firewalls like I do then you can see logfiles with thousands of intrusion attempts every day.

    Homebox: Bitfenix Prodigy Case, ASUS E45M1-I DELUXE ITX, 8GB RAM, 5x 4TB HGST Raid-5 Data, 1x 320GB 2,5" WD Bootdrive via eSATA from the backside
    Companybox 1: Standard Midi-Tower, Intel S3420 MoBo, Xeon 3450 CPU, 16GB RAM, 5x 2TB Seagate Data, 1x 80GB Samsung Bootdrive - testing for iSCSI to ESXi-Hosts
    Companybox 2: 19" Rackservercase 4HE, Intel S975XBX2 MoBo, C2D@2200MHz, 8GB RAM, HP P212 Raidcontroller, 4x 1TB WD Raid-0 Data, 80GB Samsung Bootdrive, Intel 1000Pro DualPort (Bonded in a VLAN) - Temp-NFS-storage for ESXi-Hosts

    • Official post

    Quote

    That's right and Heartbleed showed that a lot of different distros can be affected at the same time because they all use open libraries like OpenSSL and others.
    You never get a warranty that a system is 100% secure, no matter what you are using. So it is in your hands to control your systems, keep them up to date and do not install software from unknown sources. Take care if you want to open your system to the web. I bet that a lot of Synology users had opened their NAS to the web without knowledge of how to secure that well and if you use software like torrent your IP address will be propagated to the world. And there's a lot of sick minds out there.
    If you administer corporate firewalls like I do then you can see logfiles with thousands of intrusion attempts every day.


    Pretty much exactly what you said appears to be most of the issue. On that forum I linked above, many were pointing out an OpenSSL update that was released just prior to all this starting, and it looks like this is a Heartbleed clone. Lot of unhappy Synology customers over this one over their lack of a real response to this issue. My guess is though, there's not much they can do on infected systems, and this is almost entirely a user maintenance issue that led to them being infected by this. Some seem to be unhappy that they cannot install the new updated OS (that protects from this) on certain models, because Synology only supports models from the last 3yrs.... now if that isn't a kick straight in the nuts telling you "BUILD YOUR OWN NAS" I don't know what is. This is one reason I just don't like the idea of buying a NAS, and would much prefer to build mine.

  • Quote

    Some seem to be unhappy that they cannot install the new updated OS (that protects from this) on certain models, because Synology only supports models from the last 3yrs.... now if that isn't a kick straight in the nuts telling you "BUILD YOUR OWN NAS" I don't know what is. This is one reason I just don't like the idea of buying a NAS, and would much prefer to build mine.


    I believe Synology issued some patches to solve this vulnerability in older DSM versions, even down to DSM 3.1. For example:


    Quote

    DS207+ Release Notes


    Version : 3.1-1639(2014/09/10)


    Fixed Issues
    Upgraded OpenSSL to Version 1.0.0n to fix multiple security issues (CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, and CVE-2014-5139).
    Fixed a vulnerability that could allow servers to accept unauthorized access.
