CVE-2023-2729: Synology_SA_23_07 | Synology Inc.
Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credentials via unspecified vectors.
Abstract
A vulnerability allows remote attackers to obtain user credentials via a susceptible version of Synology DiskStation Manager (DSM).
Affected Products
Product | Severity | Fixed Release Availability
DSM 7.2 | Moderate | Upgrade to 7.2-64561 or above.
DSM 7.1 | Moderate | Will not fix
DSM 7.0 | Moderate | Will not fix
DSM 6.2 | Moderate | Will not fix
DSMUC 3.1 | Moderate | Will not fix
Mitigation
None
Detail
- CVE-2023-2729
- Severity: Moderate
- CVSS3 Base Score: 5.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credentials via unspecified vectors.
Acknowledgement
Claroty Research - Vera Mens, Uri Katz, Noam Moshe, Sharon Brizinov
Revision
Revision | Date | Description
1 | 2023-06-13 | Initial public release.
Related news
A medium-severity flaw has been discovered in Synology's DiskStation Manager (DSM) that could be exploited to decipher an administrator's password and remotely hijack the account. "Under some rare conditions, an attacker could leak enough information to restore the seed of the pseudorandom number generator (PRNG), reconstruct the admin password, and remotely take over the admin account,"
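The advisory and the news excerpt describe the general class of the flaw: a password derived from a pseudorandom generator whose seed can be reconstructed is only as strong as the seed. The following added illustration (not Synology's code; the generator, alphabet, password length and the constructed timestamp seed are all assumptions) shows a weak seeded generator beside its hardened form, and a defender's self-check that measures whether a few leaked characters are enough to pin down the seed and therefore the whole password.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, ~5.95 bits each


def weak_generate(seed: int, length: int = 12) -> str:
    """Vulnerable pattern: a non-cryptographic PRNG (Mersenne Twister) seeded
    from a guessable value such as a Unix timestamp. Every output is a pure
    function of the seed, so the password carries no more entropy than the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = 12) -> str:
    """Hardened form: the OS CSPRNG via the secrets module; there is no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_seed(leaked_prefix: str, seed_lo: int, seed_hi: int, length: int = 12):
    """Defender's self-check: given a few leaked characters of a generated password
    and a plausible seed window, can the seed (and hence the full password) be
    reconstructed? Returns the matching seed, or None if the window holds none."""
    for seed in range(seed_lo, seed_hi):
        if weak_generate(seed, length).startswith(leaked_prefix):
            return seed
    return None


def effective_entropy_bits(seed_space: int, length: int = 12) -> float:
    """Upper bound on password entropy: the smaller of the seed space and the
    nominal alphabet^length space. A 12-char password from a 1-hour timestamp
    window has ~12 bits, not ~71."""
    return min(math.log2(seed_space), length * math.log2(len(ALPHABET)))


if __name__ == "__main__":
    true_seed = 1_686_600_000  # constructed: a plausible Unix timestamp, not a real value
    pw = weak_generate(true_seed)
    # An observer who learns six characters and knows the generator ran within
    # an hour of the guessed time recovers the seed and the complete password.
    found = recover_seed(pw[:6], true_seed - 3600, true_seed + 3600)
    print(pw, found, weak_generate(found) == pw)
    print(effective_entropy_bits(2 * 3600), effective_entropy_bits(2**256))
```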