OpenVPN (DSM) 4.3-3810 has a hardcoded root password of synopass

Credit: synology
Risk: High
Local: No
Remote: Yes
CWE: CWE-200

CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: None
Availability impact: None

The default password for user 'root' is 'synopass' and as far as I know there is no way to change it. Trying to log in as root through the Web interface or SSH with that password results in authentication failure (you need to use admin's password for SSH - in fact user 'root' here seems to be an alias for user 'admin' for authentication reasons, and there doesn't seem to be a way to log in as root from the Web interface). However, when enabling the VPN server, root:synopass will get you authenticated and connected! User 'root' does not appear under the users that may get VPN access (VPN server > Privilege) and, again, there doesn't seem to be a way to change the root password or disable that user from connecting to the VPN. Can someone verify this? And can we get a fix asap please? I'm using the latest version of "DSM 4.3-3810 update 1" and the VPN server application.

EDIT: One quick and dirty solution is to edit your VPN configuration (should be under /usr/syno/etc/packages/VPNCenter/openvpn/) and substitute the plugin which does the user authentication with something of your own. For instance, since the system has sqlite3 installed, you can write your own bash/perl/python script that maintains an SQLite3 database file with authorized users and their passwords and use that instead. Every time someone tries to connect, OpenVPN will hand off their credentials to your script and expect back 0 for success or 1 for failure. Now you are in true control of the authorized users! Like I said though, it's a hack. You won't get any support from the DSM Web interface.

Reference: "auth-user-pass-verify" in ... l#examples
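The auth-user-pass-verify replacement sketched in the EDIT above, written out as an added example (not code from the original post or from Synology): a Python script that keeps salted PBKDF2 hashes rather than plaintext passwords in an SQLite3 file and accepts only users present in that table, so a name like 'root' that is not in the table is rejected regardless of password. The script path, database path and the via-file invocation are assumptions.

```python
#!/usr/bin/env python3
# Added example: OpenVPN auth-user-pass-verify script backed by SQLite3.
# Config hook (script and DB paths are assumptions):  script-security 2
#   auth-user-pass-verify /usr/syno/etc/packages/VPNCenter/openvpn/vpn_auth.py via-file
# via-file mode: OpenVPN writes username (line 1) and password (line 2) to a temp
# file and passes its path as argv[1]; exit status 0 accepts, 1 rejects.
import hashlib, hmac, os, sqlite3, sys

DB_PATH = "/usr/syno/etc/packages/VPNCenter/openvpn/vpn_users.db"  # assumed location
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def open_db(path):
    """Open (creating if needed) the user table; only salted hashes are stored."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS users "
                 "(name TEXT PRIMARY KEY, salt BLOB NOT NULL, pwhash BLOB NOT NULL)")
    conn.commit()
    return conn

def add_user(conn, name, password):
    salt = os.urandom(16)
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))
    conn.commit()

def verify(conn, name, password):
    """True only for a user in the table with a matching password; 'root' and any other absent name fail."""
    row = conn.execute("SELECT salt, pwhash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)

def parse_credentials(text):
    """Split via-file contents into (username, password); None if malformed."""
    lines = text.splitlines()
    return (lines[0], lines[1]) if len(lines) >= 2 and lines[0] else None

def main(argv):
    if len(argv) < 2:
        return 1
    with open(argv[1], encoding="utf-8") as f:
        creds = parse_credentials(f.read())
    return 0 if creds and verify(open_db(DB_PATH), *creds) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Users are enrolled by calling add_user against the same database file; the VPN server then only needs the script to be executable by the OpenVPN process.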
