Synology DiskStation Manager (DSM) powers Synology NAS systems, offering remote file access and management. The DSM OS includes two default Linux users: ‘admin’ and ‘guest’ (usually disabled).

A Synology NAS system flaw allowed attackers to hijack the admin account due to a security vulnerability remotely. 

Exploiting this flaw, malicious actors could gain unauthorized access to the admin account, potentially leading to complete control of the NAS system and access to stored data, highlighting the importance of promptly applying software updates to mitigate such risks.

Synology NAS System Flaw

Researchers discovered a vulnerability in the admin password generation algorithm, leveraging a weakness in JavaScript Math.Random() function on the browser client side. 

By exposing a few Math.Random() generated values, the seed for the PRNG was reconstructed, enabling brute-force attacks to obtain and utilize the admin password. Leaking specific Math.Random values, such as GUIDs generated during the initial setup, allowed attackers to exploit this weakness.

For instance, these class-name GUIDs are produced during the initial installation using the same Math. Random seed as the admin password in the same ‘session’:

• SYNO.SDS.PkgManApp.Instance
• SYNO.SDS.AdminCenter.Application
• SYNO.SDS.App.FileStation3.Instance
• SYNO.SDS.HelpBrowser.Application

Synology DSM Admin Password Key Issue

“The vulnerability stems from the insecure Math.Random() PRNG is used in the algorithm, where knowledge of its seed allows predicting past and future numbers. The experts have exploited this in modern browsers that rely on the deterministic XorShift128 algorithm with a Python script using Z3 for symbolic execution. 

Our PoC adapted to browser-specific XorShift128 variations, particularly in state calculation, double conversion, and value management, benefiting from prior research and V8 dev blog insights.”

The problem lies in using Math.Random() for cryptography, as its insecure PRNG can be exploited to predict numbers. Modern browsers use XorShift128, which we cracked using Z3, exposing past and future values.

Researchers have discovered this vulnerability during Pwn2Own, a fascinating moment but impractical for real-world exploitation. Nevertheless, it emphasizes the need for secure random number generation. Avoid Math.random() for security; opt for the Web Crypto API, specifically window.crypto.getRandomValues().

Researchers have reported CVE-2023-2729 to Synology, leading to a fix for affected devices. DSM 7.2 users should upgrade to version 7.2-64561 or higher.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.