Sunday, June 16, 2024

Synology NAS System Flaw Let Attackers Remotely Hijack the Admin Account

Synology DiskStation Manager (DSM) powers Synology NAS systems, offering remote file access and management. The DSM OS includes two default Linux users: ‘admin’ and ‘guest’ (usually disabled).

A Synology NAS system flaw allowed attackers to hijack the admin account due to a security vulnerability remotely. 

Exploiting this flaw, malicious actors could gain unauthorized access to the admin account, potentially leading to complete control of the NAS system and access to stored data, highlighting the importance of promptly applying software updates to mitigate such risks.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

A note from the Math.random documentation
A note from the Math.random documentation ( Source – CLAROTY)

Synology NAS System Flaw

Researchers discovered a vulnerability in the admin password generation algorithm, leveraging a weakness in JavaScript Math.Random() function on the browser client side. 

Set Up Window
Set Up Window ( Source – CLAROTY)

By exposing a few Math.Random() generated values, the seed for the PRNG was reconstructed, enabling brute-force attacks to obtain and utilize the admin password. Leaking specific Math.Random values, such as GUIDs generated during the initial setup, allowed attackers to exploit this weakness.

For instance, these class-name GUIDs are produced during the initial installation using the same Math. Random seed as the admin password in the same ‘session’:

  • SYNO.SDS.PkgManApp.Instance
  • SYNO.SDS.AdminCenter.Application
  • SYNO.SDS.App.FileStation3.Instance
  • SYNO.SDS.HelpBrowser.Application

Synology DSM Admin Password Key Issue

“The vulnerability stems from the insecure Math.Random() PRNG is used in the algorithm, where knowledge of its seed allows predicting past and future numbers. The experts have exploited this in modern browsers that rely on the deterministic XorShift128 algorithm with a Python script using Z3 for symbolic execution. 

Our PoC adapted to browser-specific XorShift128 variations, particularly in state calculation, double conversion, and value management, benefiting from prior research and V8 dev blog insights.”

Get Started With Your Synology NAS Windows
Get Started With Your Synology NAS Windows (Source – CLAROTY)

The problem lies in using Math.Random() for cryptography, as its insecure PRNG can be exploited to predict numbers. Modern browsers use XorShift128, which we cracked using Z3, exposing past and future values.

Researchers have discovered this vulnerability during Pwn2Own, a fascinating moment but impractical for real-world exploitation. Nevertheless, it emphasizes the need for secure random number generation. Avoid Math.random() for security; opt for the Web Crypto API, specifically window.crypto.getRandomValues().

Researchers have reported CVE-2023-2729 to Synology, leading to a fix for affected devices. DSM 7.2 users should upgrade to version 7.2-64561 or higher.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles