After the major exodus of photographers from Drobo years ago, many went to Synology. If you’re one of the photographers who own its products, you should know that the company recently issued a security alert. In an email to users this week, Synology told photographers about its findings at the Pwn2Own Ireland 2024 event, which took place in late October 2024. From the event, it discovered what it’s calling “multiple security vulnerabilities.” More importantly, it’s implying that the latest updates will address these concerns. This is specifically where the update is a bit more curious.
In a recent email communication to users, Synology said the following:
Synology proactively sponsors and works with security researchers as part of product security initiatives. At this year’s Pwn2Own Ireland 2024 event, which took place in late October, we successfully discovered and resolved multiple security vulnerabilities.
While these vulnerabilities are not being exploited, we recommend all Synology device administrators immediately take action to secure their systems by updating due to the scope and severity of specific issues.
For detailed information, please refer to the security advisories below.
| Security Advisory | Affected Products |
| --- | --- |
| Synology-SA-24:20 DSM | DSM 7.2.2, DSM 7.2.1, DSM 7.1, DSMUC 3.1 |
| Synology-SA-24:21 Synology Drive Server | Synology Drive Server for DSM 7.1, Synology Drive Server for DSM 7.2.1, Synology Drive Server for DSM 7.2.2 |
| Synology-SA-24:19 Synology Photos | Synology Photos for DSM 7.1, Synology Photos 1.6 for DSM 7.2, Synology Photos 1.7 for DSM 7.2 |
| Synology-SA-24:22 Replication Service | Replication Service for DSM 7.1, Replication Service for DSM 7.2, DSMUC 3.1 |
| Synology-SA-24:23 BeeStation | BeeStation OS 1.0, BeeStation OS 1.1 |
| Synology-SA-24:18 BeePhotos | BeePhotos for BeeStation OS 1.0, BeePhotos for BeeStation OS 1.1 |
Synology’s communication doesn’t directly state that updating the system will prevent these issues from happening. That could possibly be due to legal jargon, but it’s incredibly indirect communication. Specifically for Synology Photos, the company states that the vulnerability has been resolved. They say the same for BeePhotos and for the other drive servers.
In both cases, the company uses similar language on its websites. “A vulnerability allows remote attackers to execute arbitrary code,” states Synology on its sites. “The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25623) has been addressed.” While this communication still doesn’t guarantee that it will fully secure your products, it’s probably still a good idea to update them when you get a moment.
The different communications are quite fascinating. While their website’s use of the word “Resolved” implies that the problem won’t happen, the email communication doesn’t quite go as far.
Of course, there are also other ways to ensure that your servers can’t be accessed, such as using strong passwords that aren’t remembered by your machine, locking down what devices can access your web server, etc. In most cases, we’d assume that photographers who work alone are perhaps the safest if they don’t give anyone else access to their Synology server.
Still, we’re sure that the update will be worthwhile. It’s far more welcome than the incredible lack of updates that Drobo has provided to customers over the years.
Several years ago, the Phoblographer used to do more testing involving hard drives and storage space. However, we stopped, as most of the products these days do a very good job. Additionally, all companies seem to be using the same suppliers, and they have been since the pandemic. What’s different is their software. Still, there are better places to look for these tests.
