[security] [critical] default root:synopass gets VPN access

Discussion room for Synology VPN package in DSM 3.1-1725 or above.
tesla563
I'm New!
Posts: 4
Joined: Sat Nov 30, 2013 11:06 pm

[security] [critical] default root:synopass gets VPN access

Unread post by tesla563 » Sun Dec 01, 2013 2:25 am

The default password for user 'root' is 'synopass' and as far as I know there is no way to change it.

Trying to log in as root through the Web interface or SSH with that password results in authentication failure (you need to use admin's password for SSH - in fact user 'root' here seems to be an alias for user 'admin' for authentication reasons, and there doesn't seem to be a way to log in as root from the Web interface).

However, when enabling the VPN server, root:synopass will get you authenticated and connected! User 'root' does not appear under the users that may get VPN access (VPN server > Privilege) and, again, there doesn't seem to be a way to change the root password or disable that user from connecting to the VPN.

Can someone verify this? And can we get a fix asap please?

I'm using the latest version of "DSM 4.3-3810 update 1" and the VPN server application.


EDIT: One quick and dirty solution is to edit your VPN configuration (should be under /usr/syno/etc/packages/VPNCenter/openvpn/) and substitute the plugin which does the user authentication with something of your own. For instance, since the system has sqlite3 installed, you can write your own bash/perl/python script that maintains an SQLite3 database file with authorized users and their passwords and use that instead. Every time someone tries to connect, OpenVPN will hand off their credentials to your script and expect back 0 for success or 1 for failure. Now you are in true control of the authorized users! Like I said though, it's a hack. You won't get any support from the DSM Web interface.

Reference: "auth-user-pass-verify" in http://openvpn.net/index.php/open-sourc ... l#examples
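
The auth-user-pass-verify handler sketched in the EDIT above, written out as an added example (this is not tesla563's code): in OpenVPN's via-file mode the server writes the username on line 1 and the password on line 2 of a temporary file passed as the script's only argument, and the script's exit status (0 accept, 1 reject) decides the login. Only names present in the script's own SQLite table can authenticate, so 'root' is refused; passwords are stored as salted PBKDF2 hashes. The database location, table layout and the adduser subcommand are assumptions.

```python
# OpenVPN "auth-user-pass-verify <script> via-file" handler backed by SQLite.
# Constructed example: OpenVPN writes the username on line 1 and the password on
# line 2 of a temp file passed as argv[1]; exit status 0 accepts, 1 rejects.
# Only names present in the table can authenticate, so 'root' is refused.
import hashlib, hmac, os, sqlite3, sys, tempfile

DB_PATH = os.environ.get("VPN_AUTH_DB", "vpnusers.db")  # hypothetical store location
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; passwords are never stored in clear

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def open_db(path=DB_PATH):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS users "
                 "(name TEXT PRIMARY KEY, salt BLOB NOT NULL, hash BLOB NOT NULL)")
    return conn

def add_user(conn, name, password):
    salt = os.urandom(16)
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
                 (name, salt, pw_hash(password, salt)))
    conn.commit()

def verify(conn, name, password):
    row = conn.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False  # unknown user: rejected no matter what password was sent
    return hmac.compare_digest(pw_hash(password, row[0]), row[1])

def verify_credential_file(conn, path):
    with open(path) as f:
        lines = f.read().splitlines()
    return len(lines) >= 2 and verify(conn, lines[0], lines[1])

def demo():
    """Constructed self-test: seed one user in memory, then check three credential files."""
    conn = open_db(":memory:")
    add_user(conn, "alice", "Tr0ub4dor&3")
    results = []
    for name, pw in (("alice", "Tr0ub4dor&3"), ("root", "synopass"), ("alice", "wrong")):
        with tempfile.NamedTemporaryFile("w", delete=False) as f:
            f.write(f"{name}\n{pw}\n")
        results.append(verify_credential_file(conn, f.name))
        os.unlink(f.name)
    return tuple(results)  # (True, False, False)

if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "adduser":  # adduser NAME PASSWORD
        add_user(open_db(), sys.argv[2], sys.argv[3]); sys.exit(0)
    sys.exit(0 if len(sys.argv) == 2 and verify_credential_file(open_db(), sys.argv[1]) else 1)
```

The server config needs `script-security 2` and `auth-user-pass-verify /path/to/script.py via-file` for OpenVPN to call it; as the original post says, the DSM web interface will know nothing about users managed this way.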

tesla563
I'm New!
Posts: 4
Joined: Sat Nov 30, 2013 11:06 pm

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by tesla563 » Fri Dec 13, 2013 2:56 pm

It seems nobody cares or it's not an actual problem.

So I guess it'll be OK if I mention it in a couple more places around the Internet :)

kumpa
Trainee
Posts: 15
Joined: Wed Jul 27, 2011 7:22 am

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by kumpa » Fri Dec 13, 2013 4:50 pm

This is serious!!!

Simpler solution for me was to edit /usr/syno/etc/packages/VPNCenter/privilege and add
root=0

EDIT: and of course restart the package

absolutg
I'm New!
Posts: 1
Joined: Tue Dec 24, 2013 5:57 am

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by absolutg » Tue Dec 24, 2013 5:59 am

I can confirm this issue exists on the latest build. Very troubling that such a security vulnerability would ship...

dombera
Beginner
Posts: 25
Joined: Tue Sep 18, 2012 8:03 pm

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by dombera » Mon Dec 30, 2013 12:16 pm

It is a big deal actually, Synology needs to get this sorted.

For now I'll use the workaround posted by @kumpa.

Thanks all,

dapr0digy
Experienced
Posts: 143
Joined: Sun Jun 09, 2013 4:54 pm

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by dapr0digy » Mon Dec 30, 2013 1:59 pm

+1 .. please fix this asap. I'm wondering if other services have this loophole as well.

SeanB
I'm New!
Posts: 3
Joined: Mon Jan 06, 2014 4:22 am

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by SeanB » Mon Jan 06, 2014 5:23 am

Weird. I'm running a PPTP VPN from my iPad to my NAS over the internet and get auth failure using root:synopass (but it and the VPN from my PC both work fine using other creds).

I'm running DSM 4.2-3211 on a DS213+. I'll upgrade to 3810 and see what happens.

================

Updated my DSM to 3810 and then 3810 update 3 and tested both. I couldn't replicate under either environment from either my iPad or my PC... hmm

kumpa
Trainee
Posts: 15
Joined: Wed Jul 27, 2011 7:22 am

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by kumpa » Tue Jan 28, 2014 1:12 pm

I've just tested on my DS211+. DSM 4.3-3810 Update 4, VPN 1.2-2313. And the bug is still here!!! :evil:

Aquajui
I'm New!
Posts: 9
Joined: Tue Jan 14, 2014 4:04 pm

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by Aquajui » Fri Feb 21, 2014 9:04 am

Is the bug in 4.3-3827?

jg3
Beginner
Posts: 22
Joined: Wed Jul 17, 2013 7:49 am

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by jg3 » Sun Feb 23, 2014 6:34 am

I can't replicate the problem with VPN Server 1.2-2313 over L2TP/IPSec on DSM 4.3-3827.

akahan
Navigator
Posts: 995
Joined: Sat Jul 14, 2012 6:52 pm

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by akahan » Sun Feb 23, 2014 6:58 am

I just replicated it with VPN Server 1.2-2313 over OpenVPN on DSM 4.3-3827.
DS214play, DS216play, DS216, DS212J, DS414, DS816, rt2600ac

habanr
Experienced
Posts: 138
Joined: Mon Feb 04, 2013 3:04 pm

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by habanr » Sun Feb 23, 2014 7:08 am

jg3 wrote: I can't replicate the problem with VPN Server 1.2-2313 over L2TP/IPSec on DSM 4.3-3827.
I replicated the behavior on my system DSM 4.3-3827, the latest VPN Server package with OpenVPN protocol.
It's a really dangerous situation so I've reported this issue to Synology and at the same time created a vulnerability report on http://www.cert.org with reference number VRF#HRZWKDZQ.

relax_nl
Apprentice
Posts: 93
Joined: Wed Jan 18, 2012 11:22 am
Location: The Hague, The Netherlands

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by relax_nl » Tue Feb 25, 2014 1:12 am

If you use L2TP over IPSec for the VPN, the connection without a Shared Secret shouldn't be possible.
I cannot replicate the bug when using L2TP/IPSec using package 1.2-2313.

Moreover, if root is an alias to admin, what if user admin is disabled and replaced by a different user name with a different password?
DS1511+ (DSM OS 6) with Intel D525 Atom CPU (dual-core @ 1.8GHz), 3GB RAM ( 800MHz DDR2 ), SHR2 volume of 5x 4TB HDD
APC Back-UPS ES 700 (BE700G-GR)

KarlS
Beginner
Posts: 22
Joined: Mon Jan 27, 2014 1:00 pm

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by KarlS » Fri Feb 28, 2014 4:39 am

Hi Synology Team

Please fix this critical issue asap!!!!!!!!!!!!

BR

habanr
Experienced
Posts: 138
Joined: Mon Feb 04, 2013 3:04 pm

Re: [security] [critical] default root:synopass gets VPN acc

Unread post by habanr » Fri Feb 28, 2014 8:46 am

I've reported the issue to the United States Computer Emergency Readiness Team. The issue is now confirmed by CERT and is in their database https://www.kb.cert.org/vuls/id/534284. I hope that this forces Synology to act.
