Article Details
Scrape Timestamp (UTC): 2023-10-18 06:50:18.508
Source: https://thehackernews.com/2023/10/new-admin-takeover-vulnerability.html
Original Article Text
Click to Toggle View
New Admin Takeover Vulnerability Exposed in Synology's DiskStation Manager. A medium-severity flaw has been discovered in Synology's DiskStation Manager (DSM) that could be exploited to decipher an administrator's password and remotely hijack the account. "Under some rare conditions, an attacker could leak enough information to restore the seed of the pseudorandom number generator (PRNG), reconstruct the admin password, and remotely take over the admin account," Claroty's Sharon Brizinov said in a Tuesday report. The flaw, assigned the identifier CVE-2023-2729, is rated 5.9 for severity on the CVSS scoring scale. The flaw was addressed by Synology as part of updates released in June 2023. The problem is rooted in the fact that the software uses a weak random number generator that relies on the JavaScript Math.random() method to programmatically construct the admin password for the network-attached storage (NAS) device. Referred to as insecure randomness, it arises when a function that can produce predictable values, or doesn't have enough entropy, is used as a source of randomness in a security context, enabling an attacker to crack the encryption and defeat the integrity of sensitive information and systems. Successful exploitation of such flaws, therefore, could allow the threat actor to predict the generated password and gain access to otherwise restricted functionality. "By leaking the output of a few Math.Random() generated numbers, we were able to reconstruct the seed for the PRNG and use it to brute-force the admin password," Brizinov explained. "Finally we were able to use the password to login to the admin account (after enabling it)." The attack, however, hinges on an attacker successfully extracting a few GUIDs that are also generated using the same method during the setup process to be able to reconstruct the seed phrase for the pseudorandom number generator (PRNG). "In a real life scenario the attacker will first need to leak the aforementioned GUIDs, brute force the Math.Random state, and gain the admin password," Brizinov said. "Even after doing so, by default the builtin admin user account is disabled and most users won't enable it." "Again, it's important to remember that Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method."
Daily Brief Summary
A flaw has been discovered in Synology's DiskStation Manager (DSM) that could potentially enable an attacker to decipher an administrator's password and remotely take over the account.
The vulnerability, tagged as CVE-2023-2729 and rated 5.9 for severity on the CVSS scoring scale, is due to the use of a weak random number generator for creating the admin password for the network-attached storage (NAS) device.
The PRNG, JavaScript Math.random() method used by the software, if manipulated can result in predictable values, reducing the encryption strength and compromising sensitive information and systems.
True exploitation of this vulnerability, however, would allow an attacker to predict the generated password and gain access to otherwise restricted functions but would first require leaking the GUIDs and brute-forcing the Math.Random state to crack the admin password.
While Synology has addressed this flaw as part of the updates released in June 2023, the danger persists under rare conditions, requiring users to stay alert and conscious.
Sharon Brizinov from Claroty, the researcher highlighting this vulnerability, recommended using more secure cryptographic random number algorithms like window.crypto.getRandomValues() method instead of Math.random() for security purposes.