Vulnerability in Synology’s DiskStation Manager (DSM) Allows Admin Account Takeover

A medium-severity vulnerability has been identified in Synology’s DiskStation Manager (DSM) that could be used to recover an administrator’s password and remotely hijack the account. Tracked as CVE-2023-2729, it carries a CVSS score of 5.9. Synology addressed the vulnerability with updates released in June 2023.

The flaw stems from the software’s use of a weak random number generator: the administrator password for the network-attached storage (NAS) device is generated with the JavaScript Math.random() method. That method is not suitable for security purposes because its output is predictable and lacks entropy, which allows an attacker to reproduce the generated password and compromise sensitive information and systems.

Exploiting the vulnerability requires the attacker to first obtain a few GUIDs that are generated with the same method during the setup process. These GUIDs are needed to reconstruct the seed of the pseudorandom number generator (PRNG). Once the seed is known, the attacker can brute-force the Math.random() state to recover the admin password and potentially gain unauthorized access. However, the built-in admin account is typically disabled by default, which limits the impact of the vulnerability.

To avoid such vulnerabilities, Math.random() should not be used for security-related purposes. The Web Crypto API, specifically the window.crypto.getRandomValues() method, should be used instead, as it provides cryptographically secure random numbers.
