New Admin Takeover Vulnerability Exposed in Synology’s DiskStation Manager

October 18, 2023 at 03:33AM

A medium-severity flaw has been discovered in Synology’s DiskStation Manager (DSM) that could allow an attacker to remotely hijack an administrator’s account by deciphering their password. The flaw stems from the use of a weak random number generator. Synology has already addressed the issue in updates released in June 2023.

Key Takeaways from Meeting Notes:

– There is a medium-severity flaw in Synology's DiskStation Manager (DSM) that allows an attacker to decipher an administrator's password and remotely hijack the account.
– The flaw is assigned the identifier CVE-2023-2729 and is rated 5.9 in severity on the CVSS scoring scale.
– Synology addressed the flaw with updates released in June 2023.
– The flaw is rooted in the use of a weak random number generator, specifically the JavaScript Math.random() method, to programmatically construct the admin password for the NAS device.
– This class of weakness is known as insecure randomness: a function without sufficient entropy is used as a source of randomness in a security context.
– Successful exploitation of the flaw allows an attacker to predict the generated password and gain access to restricted functionality.
– However, the attack requires the attacker to extract a few GUIDs generated during the setup process to reconstruct the seed phrase for the pseudorandom number generator (PRNG).
– It's worth noting that the default admin user account is disabled, so even an attacker who recovers its password would need the account to have been enabled, and most users do not enable it.
– It is important to avoid using Math.random() for security-related purposes and instead use the Web Crypto API, specifically the window.crypto.getRandomValues() method.
