Recherche : [DSM] - Cyberveille

When Backups Open Backdoors: Accessing Sensitive Cloud Data via "Synology Active Backup for Microsoft 365" / modzero https://modzero.com/en/blog/when-backups-open-backdoors-synology-active-backup-m365/

11/07/2025 21:32:34

We discovered a leaked credential that allowed anyone unauthorized access to all Microsoft tenants of organizations that use Synology’s “Active Backup for Microsoft 365” (ABM). This flaw could be leveraged by malicious actors to obtain potentially sensitive information — such as all messages in Microsoft Teams channels. It was reported to Synology and tracked as CVE-2025-4679.

This blog post contains the full technical walk-through and discovery of the vulnerability, its impact, and our experience during the responsible disclosure process with Synology.

The standalone disclosure report is available on our advisory page and potential Indicators of Compromise (IoC) are provided in a dedicated section further below.

Background
During a red-team engagement against a customer’s Microsoft Entra tenant and Azure infrastructure we came across an application named “Synology Active Backup for M365”.

The application had broad permissions — such as read access to all groups and Microsoft Teams channel messages — making it an ideal target to obtain information that may be useful for further attacks (i.e. credential abuse or social engineering).

To analyze it, we created our own lab environment consisting of a Microsoft sandbox tenant and the ABM add-on installed within Synology’s DiskStation Manager (DSM) operating system. For research purposes it is not necessary to have a Synology NAS appliance, as the entire OS can be virtualized via Docker. We also built some tools along the way, which can be helpful to reverse engineer DSM add-on packages. We will share them for other security researchers on our GitHub soon.

Synology NAS DSM Account Takeover: When Random is not Secure https://claroty.com/team82/research/synology-nas-dsm-account-takeover-when-random-is-not-secure

18/10/2023 09:20:23

Team82 has uncovered the use of a weak random number generator in Synology’s DiskStation Manager (DSM) Linux-based operating system running on the company’s network-attached storage (NAS) products
The insecure Math.random() method was used to generate the password of the admin password for the NAS device itself.
Under some rare conditions, an attacker could leak enough information to restore the seed of the pseudorandom number generator (PRNG), reconstruct the admin password, and remotely take over the admin account.
The vulnerability, tracked as CVE-2023-2729, has been addressed by Synology. Synology’s advisory is here.

Liens par page

Filtres