Wednesday, November 6, 2024
HomeCyber Security NewsSynology NAS System Flaw Let Attackers Remotely Hijack the Admin Account

Synology NAS System Flaw Let Attackers Remotely Hijack the Admin Account

Published on

Malware protection

Synology DiskStation Manager (DSM) powers Synology NAS systems, offering remote file access and management. The DSM OS includes two default Linux users: ‘admin’ and ‘guest’ (usually disabled).

A Synology NAS system flaw allowed attackers to hijack the admin account due to a security vulnerability remotely. 

Exploiting this flaw, malicious actors could gain unauthorized access to the admin account, potentially leading to complete control of the NAS system and access to stored data, highlighting the importance of promptly applying software updates to mitigate such risks.

- Advertisement - SIEM as a Service
Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

A note from the Math.random documentation
A note from the Math.random documentation ( Source – CLAROTY)

Synology NAS System Flaw

Researchers discovered a vulnerability in the admin password generation algorithm, leveraging a weakness in JavaScript Math.Random() function on the browser client side. 

Set Up Window
Set Up Window ( Source – CLAROTY)

By exposing a few Math.Random() generated values, the seed for the PRNG was reconstructed, enabling brute-force attacks to obtain and utilize the admin password. Leaking specific Math.Random values, such as GUIDs generated during the initial setup, allowed attackers to exploit this weakness.

For instance, these class-name GUIDs are produced during the initial installation using the same Math. Random seed as the admin password in the same ‘session’:

  • SYNO.SDS.PkgManApp.Instance
  • SYNO.SDS.AdminCenter.Application
  • SYNO.SDS.App.FileStation3.Instance
  • SYNO.SDS.HelpBrowser.Application

Synology DSM Admin Password Key Issue

“The vulnerability stems from the insecure Math.Random() PRNG is used in the algorithm, where knowledge of its seed allows predicting past and future numbers. The experts have exploited this in modern browsers that rely on the deterministic XorShift128 algorithm with a Python script using Z3 for symbolic execution. 

Our PoC adapted to browser-specific XorShift128 variations, particularly in state calculation, double conversion, and value management, benefiting from prior research and V8 dev blog insights.”

Get Started With Your Synology NAS Windows
Get Started With Your Synology NAS Windows (Source – CLAROTY)

The problem lies in using Math.Random() for cryptography, as its insecure PRNG can be exploited to predict numbers. Modern browsers use XorShift128, which we cracked using Z3, exposing past and future values.

Researchers have discovered this vulnerability during Pwn2Own, a fascinating moment but impractical for real-world exploitation. Nevertheless, it emphasizes the need for secure random number generation. Avoid Math.random() for security; opt for the Web Crypto API, specifically window.crypto.getRandomValues().

Researchers have reported CVE-2023-2729 to Synology, leading to a fix for affected devices. DSM 7.2 users should upgrade to version 7.2-64561 or higher.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...