An exploitable information disclosure vulnerability exists in the HTTP redirection functionality of Synology QuickConnect servers. An attacker can impersonate the remote QuickConnect servers in order to impersonate the remote device and in turn steal the device’s credentials. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
Synology QuickConnect servers
8.3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-757 - Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’)
Synology QuickConnect is a service that allows users to access Synology devices (routers, NAS, etc.) remotely. This feature requires a Synology account and users have to set it up from the device’s Web interface in order to use it. The setup also requires the user to choose an arbitrary “QuickConnect ID”, which will be used as a remote identifier for the device.
Once activated, the user is presented with a link that can be used to connect from anywhere via a browser, for example “http://QuickConnect.to/qcrouterid”, where “qcrouterid” is the previously chosen identifier. When browsing this link, the device is instructed (via a previously-established channel between device and Synology servers) to establish a VPN connection with the remote QuickConnect endpoint. At this point, requests performed by the browser will be relayed to the internal device Web interface on port 8001 by default (SSL).
The QuickConnect link, as provided by the device web interface, uses the “http” protocol, meaning that if an end-user were to use this link to connect to their device, a classic man-in-the-middle attack could be used to steal credentials.
Moreover, even if the end-user decided to change the link to “https”, the connection would be redirected to “http”:
    $ curl -v "https://QuickConnect.to/qcrouterid"
    * Trying 18.104.22.168...
    * TCP_NODELAY set
    * Connected to QuickConnect.to (22.214.171.124) port 443 (#0)
    ...
    > GET /qcrouterid HTTP/2
    > Host: QuickConnect.to
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    < HTTP/2 302
    < content-type: text/html
    < content-length: 138
    < location: http://qcrouterid.quickconnect.to/https_first
    < server: nginx
    <
    <html>
    <head><title>302 Found</title></head>
    <body>
    <center><h1>302 Found</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
    * Connection #0 to host QuickConnect.to left intact
    * Closing connection 0
Note that the severity of this issue gets aggravated by the bug described in TALOS-2020-1059. By exploiting both bugs together, an attacker can force the user’s browser to provide a valid cookie via the unencrypted HTTP connection.
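The HTTPS-to-HTTP redirect in the curl output above can be checked for mechanically. The following is an added example, not part of the original advisory: it parses a `curl -v` transcript and reports when an HTTPS request is answered with a redirect to a cleartext URL. The function names and the trimmed sample transcript are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: trimmed from the curl transcript in the advisory.
SAMPLE = '''$ curl -v "https://QuickConnect.to/qcrouterid"
> GET /qcrouterid HTTP/2
> Host: QuickConnect.to
< HTTP/2 302
< content-type: text/html
< location: http://qcrouterid.quickconnect.to/https_first
< server: nginx
'''

def parse_curl_verbose(text):
    """Return (request_url, status, location) from one `curl -v` transcript."""
    url = status = location = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("$ curl"):
            m = re.search(r"https?://[^\s\"']+", line)
            url = m.group(0) if m else None
        elif line.startswith("< HTTP/"):
            status = int(line.split()[2])  # "< HTTP/2 302" -> 302
        elif line.lower().startswith("< location:"):
            location = line.split(":", 1)[1].strip()
    return url, status, location

def find_downgrade(url, status, location):
    """Return the cleartext target if an HTTPS request is redirected to HTTP."""
    if url is None or status not in REDIRECT_CODES or not location:
        return None
    target = urljoin(url, location)  # resolves relative Location values
    if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
        return target
    return None

def check_transcript(text):
    """Parse a transcript and return the downgrade target, or None."""
    return find_downgrade(*parse_curl_verbose(text))

if __name__ == "__main__":
    hit = check_transcript(SAMPLE)
    print("downgrade to: " + hit if hit else "no downgrade")
```

Relative and scheme-relative `Location` values inherit the request's scheme, so they are not reported as downgrades.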
2020-05-01 - Vendor disclosure
2020-06-02 - Disclosure release deadline requested and Talos extended to 2020-09-30
2020-06-22 - 2nd extension requested; disclosure extended to 2020-10-30
2020-10-29 - Public Release
Discovered by Claudio Bozzato of Cisco Talos.