Synology has released a security update to address a critical flaw affecting VPN Plus Server that can be exploited to hijack affected systems.
The vulnerability, tracked as CVE-2022-43931, has a severity rating of up to 10 on the CVSS scale and is described as an out-of-bounds write bug in the remote desktop functionality of Synology VPN Plus Server.
Successful exploitation of this issue “allows a remote attacker to execute arbitrary commands via an unspecified vector,” the Taiwanese company said, allowing internal security clearances by its Product Security Incident Response Team (PSIRT) to added that it was found in
Users of VPN Plus Server for Synology Router Manager (SRM) 1.2 and VPN Plus Server for SRM 1.3 are recommended to update to version 1.4.3-0534 and 1.4.4-0635 respectively.
In a second advisory, network-attached storage appliance manufacturers list several SRMs that could allow remote attackers to execute arbitrary commands, perform denial-of-service attacks, and read arbitrary files. I also warned you about some flaws.
Exact details about the vulnerability have been withheld as we urged users to upgrade to versions 1.2.5-8227-6 and 1.3.1-9346-3 to mitigate potential threats.
Gaurav Baruah, CrowdStrike’s Lukas Kupczyk, DEVCORE researcher Orange Tsai, and Dutch-based IT security firm Computest are credited for reporting the vulnerability.
It’s worth noting that some of the vulnerabilities were demonstrated at the 2022 Pwn2Own competition in Toronto, December 6-9, 2022.
Baruah made $20,000 for a command injection attack on the WAN interface of the Synology RT6600ax, and Computest made $5,000 for a command injection root shell exploit targeting the LAN interface.
