search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Synology DiskStation Manager VPN module hard-coded password vulnerability

Vulnerability Note VU#534284

Original Release Date: 2014-02-27 | Last Revised: 2014-03-04

Overview

Synology DiskStation Manager VPN module contains a hard-coded password which cannot be changed.

Description

Synology DiskStation Manager 4.3-3810 update 1 and possibly earlier versions contain a VPN server module which contains a hard-coded password which cannot be changed.

According to the original forum post:

The default password for user 'root' is 'synopass' and as far as I know there is no way to change it.

Trying to log in as root through the Web interface or SSH with that password results in authentication failure (you need to use admin's password for SSH - in fact user 'root' here seems to be an alias for user 'admin' for authentication reasons, and there doesn't seem to be a way to log in as root from the Web interface).

However, when enabling the VPN server, root:synopass will get you authenticated and connected! User 'root' does not appear under the users that may get VPN access (VPN server > Privilege) and, again, there doesn't seem to be a way to change the root password or disable that user from connecting to the VPN.

Impact

A remote unauthenticated attacker may be able to connect to the Synology DiskStation Manager using the VPN server and access the Synology device and other devices on the shared network.

Solution

Update


Synology has released Synology DiskStation Manager VPN module version 1.2-2317 to address this vulnerability. Affected users are advised to update to Synology DiskStation Manager VPN module version 1.2-2317 or higher.

Disable OpenVPN module


Users can disable the OpenVPN module inside the Synology DiskStation Manager administrative interface.

Modify the OpenVPN server configuration

According to the original forum post:

One quick and dirty solution is to edit your VPN configuration (should be under /usr/syno/etc/packages/VPNCenter/openvpn/) and substitute the plugin which does the user authentication with something of your own. For instance, since the system has sqlite3 installed, you can write your own bash/perl/python script that maintains an SQLite3 database file with authorized users and their passwords and use that instead. Every time someone will try to connect, OpenVPN will hand off their credentials to your script and expect back 0 for success or 1 for failure. Now you are in true control of the authorized users! Like I said though, it's a hack. You won't get any support from the DSM Web interface.

Reference: "auth-user-pass-verify" in
http://openvpn.net/index.php/open-source/documentation/howto.html#examples

Vendor Information

534284
Expand all

Synology

Notified:  February 27, 2014 Updated:  March 04, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.synology.com/en-global/releaseNote/package/VPNCenter

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 7.8 AV:N/AC:L/Au:N/C:C/I:N/A:N
Temporal 7.0 E:F/RL:W/RC:C
Environmental 2 CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was originally posted by tesla563, and thanks to Radovan Haban for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: None
Date Public: 2013-12-01
Date First Published: 2014-02-27
Date Last Updated: 2014-03-04 12:39 UTC
Document Revision: 13

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.