Vulnerability Note VU#534284

Synology DiskStation Manager VPN module hard-coded password vulnerability

Original Release date: 27 Feb 2014 | Last revised: 04 Mar 2014

Overview

Synology DiskStation Manager VPN module contains a hard-coded password which cannot be changed.

Description

Synology DiskStation Manager 4.3-3810 update 1 and possibly earlier versions contain a VPN server module which contains a hard-coded password which cannot be changed.

According to the original forum post:

The default password for user 'root' is 'synopass' and as far as I know there is no way to change it.

Trying to log in as root through the Web interface or SSH with that password results in authentication failure (you need to use admin's password for SSH - in fact user 'root' here seems to be an alias for user 'admin' for authentication reasons, and there doesn't seem to be a way to log in as root from the Web interface).

However, when enabling the VPN server, root:synopass will get you authenticated and connected! User 'root' does not appear under the users that may get VPN access (VPN server > Privilege) and, again, there doesn't seem to be a way to change the root password or disable that user from connecting to the VPN.

Impact

A remote unauthenticated attacker may be able to connect to the Synology DiskStation Manager using the VPN server and access the Synology device and other devices on the shared network.

Solution

Update


Synology has released Synology DiskStation Manager VPN module version 1.2-2317 to address this vulnerability. Affected users are advised to update to Synology DiskStation Manager VPN module version 1.2-2317 or higher.

Disable OpenVPN module


Users can disable the OpenVPN module inside the Synology DiskStation Manager administrative interface.

Modify the OpenVPN server configuration

According to the original forum post:

One quick and dirty solution is to edit your VPN configuration (should be under /usr/syno/etc/packages/VPNCenter/openvpn/) and substitute the plugin which does the user authentication with something of your own. For instance, since the system has sqlite3 installed, you can write your own bash/perl/python script that maintains an SQLite3 database file with authorized users and their passwords and use that instead. Every time someone will try to connect, OpenVPN will hand off their credentials to your script and expect back 0 for success or 1 for failure. Now you are in true control of the authorized users! Like I said though, it's a hack. You won't get any support from the DSM Web interface.

Reference: "auth-user-pass-verify" in
http://openvpn.net/index.php/open-source/documentation/howto.html#examples

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
SynologyAffected27 Feb 201404 Mar 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 7.8 AV:N/AC:L/Au:N/C:C/I:N/A:N
Temporal 7.0 E:F/RL:W/RC:C
Environmental 2.0 CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was originally posted by tesla563, and thanks to Radovan Haban for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: Unknown
  • Date Public: 01 Dec 2013
  • Date First Published: 27 Feb 2014
  • Date Last Updated: 04 Mar 2014
  • Document Revision: 13

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.