A medium-severity flaw has been discovered in Synology’s DiskStation Manager (DSM) that could be exploited to decipher an administrator’s password and remotely hijack the account.
“Under some rare conditions, an attacker could leak enough information to restore the seed of the pseudorandom number generator (PRNG), reconstruct the admin password, and remotely take over the admin account,” Claroty’s Sharon Brizinov said in a Tuesday report.
The flaw, assigned the identifier CVE-2023-2729, is rated 5.9 for severity on the CVSS scoring scale. The flaw was addressed by Synology as part of updates released in June 2023.
Referred to as insecure randomness, it arises when a function that can produce predictable values, or doesn’t have enough entropy, is used as a source of randomness in a security context, enabling an attacker to crack the encryption and defeat the integrity of sensitive information and systems.
Successful exploitation of such flaws, therefore, could allow the threat actor to predict the generated password and gain access to otherwise restricted functionality.
“By leaking the output of a few Math.Random() generated numbers, we were able to reconstruct the seed for the PRNG and use it to brute-force the admin password,” Brizinov explained. “Finally we were able to use the password to login to the admin account (after enabling it).”
The attack, however, hinges on an attacker successfully extracting a few GUIDs that are also generated using the same method during the setup process to be able to reconstruct the seed phrase for the pseudorandom number generator (PRNG).
“In a real life scenario the attacker will first need to leak the aforementioned GUIDs, brute force the Math.Random state, and gain the admin password,” Brizinov said. “Even after doing so, by default the builtin admin user account is disabled and most users won’t enable it.”
“Again, it’s important to remember that Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.”