Vulnerability Note VU#534284
Synology DiskStation Manager VPN module hard-coded password vulnerability
Synology DiskStation Manager VPN module contains a hard-coded password which cannot be changed.
Synology DiskStation Manager 4.3-3810 update 1 and possibly earlier versions include a VPN server module that contains a hard-coded password, which cannot be changed.
According to the original forum post:
A remote unauthenticated attacker may be able to connect to the Synology DiskStation Manager using the VPN server and access the Synology device and other devices on the shared network.
Disable the OpenVPN module.
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Synology | Affected | 27 Feb 2014 | 04 Mar 2014 |
This vulnerability was originally posted by tesla563. Thanks to Radovan Haban for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: Unknown
- Date Public: 01 Dec 2013
- Date First Published: 27 Feb 2014
- Date Last Updated: 04 Mar 2014
- Document Revision: 13