Synology has issued a patch for a severe vulnerability in the VPN Plus Servers that could be used to take control of systems remotely.
The vulnerability, now known as CVE-2022-43931, has a top severity score of 10 on the CVSS scale and is defined as an out-of-bounds write flaw in Synology VPN Plus Server's remote desktop feature.
The business added that successfully exploiting the flaw “enables remote attackers to run arbitrary commands through unknown vectors,” adding that its internal Product Security Incident Response Team had detected it.
Updates to versions 1.4.3-0534 and 1.4.4-0635 are recommended for users of VPN Plus Server for Synology Router Manager (SRM) 1.2 and 1.3, respectively.
It is not the first time Synology has had to fix a high-severity vulnerability in one of its products; in December 2022, it addressed several problems found in its Router Manager. A vulnerable version of Synology Router Manager enabled remote attackers to run arbitrary code, launch DDoS attacks, or access arbitrary files, according to a statement made at the time by the firm.
Although no CVEs were released for these flaws, we know that at the Pwn2Own Toronto 2022 hacking competition, at least two security professionals and teams successfully developed a proof-of-concept utilizing the Synology RT6600ax router. Gaurav Baruah, a researcher in cybersecurity, received $20,000 for successfully launching a command injection attack on the Synology RT6600ax's WAN interface.
It's crucial for users of Synology's VPN Plus Server to apply the latest updates to protect against the serious vulnerability that could allow for remote command execution. This is especially important given that this is not the first time Synology has had to address high-severity vulnerabilities in its products. Staying up-to-date with security patches and updates is essential for ensuring the safety and security of your systems.