"A Flaw in Synology DiskStation Manager Allows Admin Account Takeover"

A vulnerability in Synology DiskStation Manager (DSM) could be exploited to recover an administrator's password. Claroty's Team82 researchers discovered the flaw, tracked as CVE-2023-2729 with a CVSS score of 5.9, and traced it to a weak random number generator in DSM, the Linux-based operating system that runs on Synology's Network Attached Storage (NAS) products. The root cause is the use of JavaScript's Math.random() function, a non-cryptographic pseudorandom number generator (PRNG), to generate the administrator password for the NAS device. Because every Math.random() output is fully determined by the generator's internal state, an attacker who can leak enough information to recover the PRNG seed can regenerate the administrator password and remotely hijack the administrator account, according to the advisory. This article continues to discuss the potential exploitation and impact of the vulnerability in Synology DSM.

Security Affairs reports "A Flaw in Synology DiskStation Manager Allows Admin Account Takeover"

Submitted by grigby1