
I really really strongly recommend NOT sharing files from your NAS to the internet.
If you do, the NAS MUST be kept up to date. If it is end of life, throw it in the trash. It is super unsafe to use an end of life NAS. You will be ransomwared. This has happened many times over the years with Synology NASes.
It is best to not expose any NAS service to the internet. NAS software is typically utter trash.
Case in point: (remote code execution vuln):
Publish Time: 2024-11-05 15:15:05 UTC+8
Last Updated: 2024-12-05 17:54:12 UTC+8
DSM 7.2.2: Critical. Upgrade to 7.2.2-72806-1 or above.
DSM 7.2.1: Critical. Upgrade to 7.2.1-69057-6 or above.
DSM 7.1: Critical. Upgrade to 7.1.1-42962-7 or above.
DSM 6.2: Critical. Upgrade to 6.2.4-25556-8 or above.
DSMUC 3.1: Critical. Upgrade to 3.1.4-23079 or above.
Like ANY other software OS... if we are scared about a CVE then we should not use ANY software at all and just use typewriters and pigeons.
reply
No, this is too reductionist. All software is not equivalent. You can mitigate risk by controlling exposure.
Yes, all software has vulnerabilities. Some software is worse than others. A vuln in your local printer driver is unlikely to lead to remote code execution. A vuln in the web interface you are exposing to the internet from your 10 year old NAS has a high probability of being exploited.
I am suggesting to not expose software with a track record of remote code execution vulnerabilities to the internet.
reply
10-year-old hardware doesn't mean it is also running 10-year-old software. Your assumption is wrong and misleading.
reply
I'm not saying YOU are wrong -- I am saying that it is a risky action to expose a NAS to the internet, especially given Synology's track record and the last RCE vuln was only last month...
True about patching! However, in general Synology only supports their hardware for the warranty period (4 or 5 years). So there is a betting chance that a 10 year+ old NAS might be unsupported and vulnerable. They have no clear policy here. Sometimes there are patches for 5y, some are 9y.
In this particular case, it looks like Synology back-ported the fixes to DSM 6.2 (must have been a very bad vuln, as these are end of life). Yes, occasionally for really bad vulns, end of life things are patched. Absolutely no guarantees tho.
DSM 6.0 is end of life 2024. DSM 7.2+ needs a 2015+ model
reply
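An added example, not part of the thread and not Synology's own tooling: a Python check that compares an installed version string against the fixed releases in the advisory table quoted in the first comment, and flags branches the table has no fix for. It assumes versions are written in the advisory's `major.minor[.patch]-build[-update]` form; the function names and the inventory entries are constructed for illustration.

```python
import re

# Fixed releases copied from the advisory table quoted in the thread.
FIXED_RELEASES = {
    ("DSM", "7.2.2"): "7.2.2-72806-1",
    ("DSM", "7.2.1"): "7.2.1-69057-6",
    ("DSM", "7.1"): "7.1.1-42962-7",
    ("DSM", "6.2"): "6.2.4-25556-8",
    ("DSMUC", "3.1"): "3.1.4-23079",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?$")


def parse_version(text):
    """Turn 'major.minor[.patch]-build[-update]' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    # A missing patch level or update number counts as 0.
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def check(product, installed):
    """Return (status, fixed_release) for one installed version."""
    current = parse_version(installed)
    major, minor, patch = current[:3]
    # Prefer the most specific advisory row (e.g. 7.2.1) over a branch row (e.g. 7.1).
    for branch in (f"{major}.{minor}.{patch}", f"{major}.{minor}"):
        fixed = FIXED_RELEASES.get((product, branch))
        if fixed is not None:
            ok = current >= parse_version(fixed)
            return ("at-or-above-fix" if ok else "upgrade-required"), fixed
    # No row for this branch: the advisory lists no fixed release for it.
    return "no-fix-listed", None


if __name__ == "__main__":
    # Constructed inventory, not taken from the thread.
    inventory = [
        ("DSM", "7.2.2-72806"),
        ("DSM", "7.2.1-69057-6"),
        ("DSM", "6.2.3-25426-3"),
        ("DSM", "6.0.2-8451-11"),
    ]
    for product, version in inventory:
        status, fixed = check(product, version)
        print(f"{product} {version}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```

A `no-fix-listed` result means the table offers no patched release for that branch, so updating within the branch does not address this advisory.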