Our expert team recently performed an interesting external penetration test that resulted in the discovery of a new vulnerability (CVE-2017-9553) in a popular Synology NAS device.

A NAS (Network Attached Storage) device is a storage mechanism connected to a network that allows storage and retrieval of data from a centralized location for authorized network users and a variety of clients.

During the test engagement, the tester discovered an externally facing NAS device. This device presents an increased attack surface, so our team also had a closer look at the target to determine any potential vulnerabilities.

Initial reconnaissance of the target revealed an interesting title of ‘Synology 12TB’, which suggested that a large volume of data was being stored. Password guessing attempts were unsuccessful, so we proceeded with the analysis of the authentication mechanism.

The team discovered the vulnerability below, which allowed us to bypass the encryption mechanism for the authentication phase in the popular Synology NAS drive. Please note that we have not managed to bypass authentication by using this vulnerability.

We would like to reassure our clients that this relates to the failover of the encryption mechanism which allows for a plaintext password submission by the browser only. Please see the attached report on the vulnerability.

Description:

When logging on to the Synology NAS DS413, the client’s browser makes an API call (SYNO.API.Encryption) to /webapi/encryption.cgi, which in response provides PKI-based encryption for authentication: the server returns a public key that the user’s browser uses to encrypt the credentials before transmission.

The client browser performs the encryption as shown below.

However, if the first POST request with the API call is intercepted and the ‘version’ parameter is modified, the server will return an error. This triggers fallback functionality in the client, which simply sends the credentials unencrypted without prompting the user.
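
The fallback described above comes down to a fail-open branch in the client. The added example below (not Synology's code; the function names, message shapes and the stand-in `fakeEncrypt` are assumptions made for illustration) contrasts that branch with a fail-closed client and a server-side check that refuses plaintext credentials.

```javascript
// Added example. All names and message shapes are hypothetical and
// constructed for illustration; this is not Synology's code or API format.

// Stand-in for the real public-key encryption step (assumption: supplied
// by the caller). It only marks the value so the control flow is visible.
const fakeEncrypt = (key, text) => `enc[${key}]:${text.length}`;

// Pattern described above: any failure to obtain a key silently
// downgrades the login request to plaintext credentials.
function buildLoginFailOpen(creds, keyResp, encrypt) {
  const key = keyResp?.success ? keyResp.data?.public_key : undefined;
  if (key) {
    return { encrypted: true, blob: encrypt(key, JSON.stringify(creds)) };
  }
  return { encrypted: false, account: creds.account, passwd: creds.passwd };
}

// Hardened pattern: no usable key means no login request is built at all.
function buildLoginFailClosed(creds, keyResp, encrypt) {
  const key = keyResp?.success ? keyResp.data?.public_key : undefined;
  if (typeof key !== "string" || key.length === 0) {
    throw new Error("encryption setup failed; refusing to send credentials");
  }
  return { encrypted: true, blob: encrypt(key, JSON.stringify(creds)) };
}

// Server-side counterpart: reject any login body carrying plaintext fields,
// so a downgraded client cannot complete the submission.
function serverAcceptsLogin(body) {
  return body.encrypted === true && typeof body.blob === "string" &&
    !("passwd" in body) && !("account" in body);
}

// Constructed sample data: a normal key response, and an error response of
// the kind the text says follows a modified 'version' parameter.
const okResp = { success: true, data: { public_key: "PUBKEY-PLACEHOLDER" } };
const errResp = { success: false, error: { code: 0 } };
const creds = { account: "admin", passwd: "example-password" };

const downgradedBody = buildLoginFailOpen(creds, errResp, fakeEncrypt);
console.log("fail-open body on error:", downgradedBody);
console.log("server accepts it:", serverAcceptsLogin(downgradedBody));
```

The server-side check matters because a client-side change alone can be undone by whoever is able to tamper with the exchange.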

 

We immediately informed Synology Inc, who are currently working on a patch.
Discovered by Alexander Drabek, 

CVE number: CVE-2017-9553
Discovery and vendor informed on 1st June 2017
Vendor acknowledgment 2nd June 2017
Permission to publish: 7th June 2017

We are pleased to be able to contribute to the security community by providing high-quality tests. These allow our clients to become aware of emerging risks, and allow the provider to resolve any problems and mitigate any risks for future customers.

Synology released a patch, DSM version 6.1.3-15152. For more information, please visit:

https://www.synology.com/en-global/support/security/Synology_SA_17_29_DSM