A significant security vulnerability has been identified in Synology DiskStation Manager (DSM) by researchers from Claroty’s Team82. Tracked as CVE-2023-2729 and assigned a CVSS score of 5.9, this flaw is rooted in the use of a weak random number generator within Synology’s DSM, a Linux-based operating system utilized in network-attached storage (NAS) products. The vulnerability centers around the insecure JavaScript Math.random() function used for generating administrator passwords for NAS devices.
The vulnerability’s impact is quite severe, as under specific circumstances, an attacker could extract enough information to reconstruct the seed of the pseudorandom number generator (PRNG). With this knowledge, they could then brute-force the administrator’s password and potentially take over the admin account remotely. This revelation is particularly concerning as it underscores the importance of not relying on Math.random() for generating secure random numbers.
To mitigate the issue, Synology took prompt action by releasing updates in June 2023. In a real-life scenario, potential threat actors would first need to obtain Math.Random values, potentially by leaking GUIDs generated during the installation process. They could then carry out a brute-force attack on the Math.Random state to retrieve the admin password.
It’s crucial to note that even after gaining access, the built-in admin user account is often disabled by default, reducing the immediate risk to most users. The researchers have advised users to upgrade to DSM 7.2-64561 or a higher version to ensure they are protected from this vulnerability.
