
CERT Coordination Center

Synology DiskStation Manager VPN module hard-coded password vulnerability

Vulnerability Note VU#534284

Original Release Date: 2014-02-27 | Last Revised: 2014-03-04

Overview

The VPN Server module of Synology DiskStation Manager accepts a hard-coded password for the 'root' account, and that password cannot be changed.

Description

The VPN server module shipped with Synology DiskStation Manager 4.3-3810 Update 1, and possibly earlier versions, authenticates VPN logins for the 'root' account with a hard-coded password that cannot be changed or disabled.

According to the original forum post:

The default password for user 'root' is 'synopass' and as far as I know there is no way to change it.

Trying to log in as root through the Web interface or SSH with that password results in authentication failure (you need to use admin's password for SSH - in fact user 'root' here seems to be an alias for user 'admin' for authentication reasons, and there doesn't seem to be a way to log in as root from the Web interface).

However, when enabling the VPN server, root:synopass will get you authenticated and connected! User 'root' does not appear under the users that may get VPN access (VPN server > Privilege) and, again, there doesn't seem to be a way to change the root password or disable that user from connecting to the VPN.

Impact

A remote, unauthenticated attacker who can reach the VPN server can authenticate as 'root' with the hard-coded password, establish a VPN connection to the Synology DiskStation, and from there access the device and other hosts on the network the VPN exposes.

Solution

Update

Synology has released Synology DiskStation Manager VPN module version 1.2-2317 to address this vulnerability. Affected users are advised to update to Synology DiskStation Manager VPN module version 1.2-2317 or later.

Disable OpenVPN module

Until the update can be applied, users can disable the OpenVPN module inside the Synology DiskStation Manager administrative interface.

Modify the OpenVPN server configuration

According to the original forum post:

One quick and dirty solution is to edit your VPN configuration (should be under /usr/syno/etc/packages/VPNCenter/openvpn/) and substitute the plugin which does the user authentication with something of your own. For instance, since the system has sqlite3 installed, you can write your own bash/perl/python script that maintains an SQLite3 database file with authorized users and their passwords and use that instead. Every time someone will try to connect, OpenVPN will hand off their credentials to your script and expect back 0 for success or 1 for failure. Now you are in true control of the authorized users! Like I said though, it's a hack. You won't get any support from the DSM Web interface.

Reference: "auth-user-pass-verify" in
http://openvpn.net/index.php/open-source/documentation/howto.html#examples
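The following is an added example of the workaround the forum post describes; it is not Synology's code and not the poster's script. It is an auth-user-pass-verify script that keeps the authorised users in an SQLite database and exits 0 or 1 as OpenVPN expects. It assumes the server configuration is changed to call this file instead of the stock plugin (the script-security and auth-user-pass-verify directives are standard OpenVPN 2.x; the script and database paths under /usr/syno/etc/packages/VPNCenter/openvpn/, the table layout and the use of salted PBKDF2 hashes instead of plaintext passwords are this example's own choices and go beyond what the post states).

```python
#!/usr/bin/env python3
"""Replacement OpenVPN credential checker backed by SQLite (added example).

Not Synology's code and not the forum poster's script.  Assumes server.conf
is changed to call this file instead of the stock plugin (standard OpenVPN
2.x directives; the path is an assumption):

    script-security 2
    auth-user-pass-verify /usr/syno/etc/packages/VPNCenter/openvpn/verify.py via-file

In 'via-file' mode OpenVPN writes the username on line 1 and the password on
line 2 of a temporary file and passes its path as argv[1]; exit status 0
accepts the client, any other status rejects it.  Database path, table name
and the PBKDF2 hashing are this example's own choices.
"""
import hashlib
import hmac
import os
import sqlite3
import sys

DB_PATH = "/usr/syno/etc/packages/VPNCenter/openvpn/vpn_users.db"  # assumed location
PBKDF2_ROUNDS = 100_000


def open_db(path):
    """Open (and if needed create) the authorised-users table."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS vpn_users ("
        "username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so the database never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def add_user(conn, username, password):
    """Enrol a VPN user; only names present in this table can ever connect."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT OR REPLACE INTO vpn_users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_user(conn, username, password):
    """True only for a username in the table whose password hash matches.

    Unknown names, including 'root' with its hard-coded password, are rejected
    before any hashing happens, so the built-in account can no longer log in.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM vpn_users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), bytes(stored))


def parse_credentials(text):
    """Split OpenVPN's via-file contents into (username, password), or None."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0]:
        return None
    return lines[0], lines[1]


def main(argv):
    if len(argv) != 2:
        return 1
    with open(argv[1], "r", encoding="utf-8") as fh:
        creds = parse_credentials(fh.read())
    if creds is None:
        return 1
    conn = open_db(DB_PATH)
    try:
        return 0 if verify_user(conn, *creds) else 1
    finally:
        conn.close()


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Users are enrolled out of band, for example with a one-off `python3 -c 'import verify; c = verify.open_db(verify.DB_PATH); verify.add_user(c, "alice", "...")'` on the device. The script and the database should be owned by root and not readable by other accounts, and, as the post notes, DSM's own VPN privilege page will not reflect this list; installing the fixed module version remains the supported fix.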

Vendor Information


Synology Affected

Notified: February 27, 2014 Updated: March 04, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           7.8    AV:N/AC:L/Au:N/C:C/I:N/A:N
Temporal       7.0    E:F/RL:W/RC:C
Environmental  2.0    CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was originally posted in a forum by tesla563. Thanks to Radovan Haban for reporting it.

This document was written by Michael Orlando.

Other Information

CVE IDs: None
Date Public: 2013-12-01
Date First Published: 2014-02-27
Date Last Updated: 2014-03-04 12:39 UTC
Document Revision: 14

Sponsored by CISA.