Admin Takeover Flaw In Synology DiskStation Manager

A vulnerability has been identified in Synology's DiskStation Manager (DSM), capable of being exploited to uncover an administrator's password and seize control of the account remotely.

According to Sharon Brizinov from Claroty's Team82 in a report on Tuesday, "Under some rare conditions, an attacker could leak enough information to restore the seed of the pseudorandom number generator (PRNG), reconstruct the admin password, and remotely take over the admin account."

This flaw, labeled CVE-2023-2729, holds a severity rating of 7.5 on the CVSS scoring scale and was addressed by Synology through updates released in June 2023.

The root of the issue lies in the software's utilization of a weak random number generator, relying on the JavaScript Math.random() method to construct the admin password for the network-attached storage (NAS) device.

Sharon Brizinov elaborated on the attack, stating, "By leaking the output of a few Math.Random() generated numbers, we were able to reconstruct the seed for the PRNG and use it to brute-force the admin password. Finally, we were able to use the password to log in to the admin account (after enabling it)."

However, the success of the attack relies on the attacker extracting a few GUIDs during the setup process, generated using the same method. In a real-life scenario, the attacker would first need to leak the GUIDs, brute force the Math.Random state, and gain access to the admin password. Even then, the default setting disables the built-in admin user account, and most users won't enable it.