You do not that often encounter a vulnerability that makes you think about the balance between simplicity and security. Indeed, Team82 researchers discovered an interesting bug at Synology, which proves that sometimes a simple solution can create a complex problem.
Synology is a popular name in the world of network storage systems (NAS). DiskStation Manager (DSM) ‘s operating system is designed to help you manage and share your files easily and centrally. Unfortunately, they used an overly simplistic approach to generating the NAS administrator password when creating it. And this opened up an avenue for attackers to exploit.
This vulnerability, referenced as CVE-2023-2729, comes from using the method Math.random() to generate the administrator password. This method is not cryptographically secure, and an attacker could recover enough information to reconstruct the admin password.
However, rest assured, quite a few conditions must be met for this to actually happen. But you never know ^^.
So, how does it actually work?
Well, the research team discovered that by leaking the output of some values generated by Math.random(), it was possible to reconstruct the seed value used for the pseudo-random number generator (PRNG). By knowing this seed, an attacker could predict future values and generate the administrator password, allowing them to take control of the admin account.
Of course, it’s not that simple: to execute the attack, you first need to find a way to retrieve certain values from Math.random(). But the researchers discovered that some GUIDs generated during the first installation also used Math.random(), and that these GUIDs could be used to reconstruct the PRNG seed.
However, even if an attacker succeeded in recovering this information, that alone would not be enough. By default, the built-in administrator account is disabled, and most users would not enable it (And they’re right!).
This vulnerability was discovered while preparing for the Pwn2Own competition, and people who worked on it agree that this flaw would be almost impossible to exploit in a real-world situation. However, they still decided to share their discovery to highlight the importance of using cryptographically secure random number generators when creating passwords.
In short, if you are a developer, don’t use Math.random() to generate random numbers regarding security. Instead, it is recommended to use the Web Crypto API and, more specifically, the window.crypto.getRandomValues().
Synology was obviously informed of the vulnerability, and they quickly released a patch for affected devices. Therefore, DSM 7.2 users are advised to upgrade their system to version 7.2-64561 or later.