Synology DiskStation Manager has a critical vulnerability: its VPN module ships with a hard-coded password for the root account, which attackers can use to open a VPN session to the Synology device and, from there, possibly reach other devices on the shared network.
According to a forum post first made on December 1, 2013, the hard-coded root password is ‘synopass’. Users cannot log on to the device’s web interface with the root:synopass combination; however, “when enabling the VPN server, root:synopass will get you authenticated and connected!”
“User ‘root’ does not appear under the users that may get VPN access (VPN server > Privilege) and, again, there doesn’t seem to be a way to change the root password or disable that user from connecting to the VPN”, notes tesla563, who first reported the issue on the Synology forums.
The issue has now found its way into CERT’s Vulnerability Notes Database, and the write-up notes that there is no practical solution to the vulnerability. CERT notes that users of this device can “disable the OpenVPN module inside the Synology DiskStation Manager administrative interface.”
Those who are not willing to disable it completely can instead edit the OpenVPN server configuration under “/usr/syno/etc/packages/VPNCenter/openvpn/” and use an authentication plugin other than the default one, so that VPN logins are no longer checked against the backend that accepts root:synopass. Whatever replaces it must itself refuse the root account, since DSM offers no way to remove root from VPN access or change its password.
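As an added example of the second workaround (this is not Synology’s code or CERT’s, and nothing here comes from the vendor’s default plugin), the following is a replacement OpenVPN `auth-user-pass-verify` script in “via-file” mode: OpenVPN writes the username on the first line and the password on the second line of a temporary file, passes that path as the only argument, and treats exit status 0 as “authenticated”. The script hard-denies `root` (and any other name on a deny list) before it even looks at the password, then checks remaining users against a flat credentials file. The file format, the `DENY_USERS` list, the `CREDS_FILE` location and the sample users are assumptions made for this illustration, and unsalted SHA-256 is used only to keep the example self-contained; a real deployment would back `verify_user_pass` with PAM or a proper password KDF.

```shell
#!/bin/sh
# Added example, not Synology's or OpenVPN's own code: a replacement
# auth-user-pass-verify script for OpenVPN's "via-file" mode.
# Exit 0 grants the VPN session, anything else denies it.
#
# Assumptions (not from the article): credentials live in a flat file of
# "user:sha256hex" lines at CREDS_FILE, and accounts in DENY_USERS can
# never log in regardless of password. Unsalted SHA-256 is for
# illustration only; use PAM or a real KDF in production.

DENY_USERS="root admin"
CREDS_FILE="${CREDS_FILE:-/tmp/vpn-users.sha256}"

sha256_hex() {
    # Hash the string in $1 and print only the hex digest.
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

is_denied() {
    # Return 0 if $1 is on the hard-deny list.
    for u in $DENY_USERS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

verify_user_pass() {
    # $1 = username, $2 = password. Return 0 on success, 1 on failure.
    user="$1"; pass="$2"
    # Refuse empty names and names containing the field separator.
    case "$user" in ''|*:*) return 1 ;; esac
    # Hard deny first: root never gets a VPN session, even if a backend
    # (or this very file) holds a matching credential for it.
    is_denied "$user" && return 1
    # Exact-match lookup; awk avoids treating the name as a regex.
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$CREDS_FILE")
    [ -n "$stored" ] || return 1
    [ "$(sha256_hex "$pass")" = "$stored" ]
}

verify_via_file() {
    # OpenVPN via-file convention: $1 is the temp file, line 1 user, line 2 password.
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    verify_user_pass "$user" "$pass"
}

make_sample_creds() {
    # Constructed sample user database for demonstration only. The root
    # entry is deliberately valid to show that the deny list wins anyway.
    {
        printf 'alice:%s\n' "$(sha256_hex 'correct horse battery')"
        printf 'bob:%s\n'   "$(sha256_hex 'hunter2')"
        printf 'root:%s\n'  "$(sha256_hex 'synopass')"
    } > "$CREDS_FILE"
}

# When invoked by OpenVPN there is exactly one argument: the credential file.
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    verify_via_file "$1"
    exit $?
fi
```

To wire it in, the server configuration needs `script-security 2` and `auth-user-pass-verify /path/to/this-script.sh via-file` in place of the default plugin directive; both directives are standard OpenVPN options, while the install path is the reader’s choice. With this in place `root:synopass` is rejected before any credential lookup, which is the property the stock module lacks.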
Further, Synology has been aware of the issue but has not released a patch or hotfix to resolve it; when one user reported the issue through the company’s support form, it replied only “It’s a known issue and will be fixed in the next VPN server release. Apologies for your inconvenience”.