Synology DiskStation Manager VPN module contains a hard-coded password which cannot be changed.
Synology DiskStation Manager 4.3-3810 update 1 and possibly earlier versions include a VPN server module with a hard-coded password that cannot be changed.
According to the original forum post:
A remote unauthenticated attacker may be able to connect to the Synology DiskStation Manager using the VPN server and access the Synology device and other devices on the shared network.
Disable the OpenVPN module.
This vulnerability was originally posted by tesla563. Thanks to Radovan Haban for reporting this vulnerability.
This document was written by Michael Orlando.
Date First Published: 2014-02-27
Date Last Updated: 2014-03-04 12:39 UTC