Taiwan-based NAS manufacturer Synology has patched a maximum severity (10/10) vulnerability affecting routers configured to function as VPN servers.
The vulnerability, tracked as CVE-2022-43931, was discovered internally by Synology’s Product Security Incident Response Team (PSIRT) in the VPN Plus Server software and assigned a maximum CVSS3 base score of 10 by the company.
VPN Plus Server is a virtual private network server that allows administrators to configure Synology routers as a VPN server to enable remote access to resources behind the router.
The vulnerability can be exploited over the network in low-complexity attacks without requiring privileges on the targeted router or any user interaction. A base score of 10.0 is only reachable when the scope is changed, so the rating also signals that a successful exploit affects more than the vulnerable VPN component itself.
“A vulnerability allows remote attackers to execute arbitrary command via a susceptible version of Synology VPN Plus Server,” Synology said in a security advisory released on Friday.
“Out-of-bounds write vulnerability in remote desktop feature in Synology VPN Plus Server prior to 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands through unspecified vectors.”
Out-of-bounds write vulnerabilities corrupt memory adjacent to the intended buffer; depending on what lives there, the consequences range from data corruption and crashes (denial of service) to attacker-controlled code execution, which is the outcome Synology’s rating reflects here.
Synology has released security updates to fix the bug and advises customers to upgrade VPN Plus Server for SRM (Synology Router Manager) to the fixed version for their SRM branch, as listed below.
| Product | Fixed version availability |
| --- | --- |
| VPN Plus Server for SRM 1.3 | Upgrade to 1.4.4-0635 or higher |
| VPN Plus Server for SRM 1.2 | Upgrade to 1.4.3-0534 or higher |
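A practical follow-up to the table is checking a fleet of routers against it. The script below is an added example written for this article, not Synology code; it takes the two fixed versions from the advisory, parses Synology’s `major.minor.patch-build` package version format numerically (a plain string comparison would rank `1.4.10-0001` below `1.4.3-0534`), and classifies each device record. The hostnames and installed versions in `SAMPLE_INVENTORY` are constructed for illustration, and the decision to pick the required fix by SRM branch (as the table does) rather than by package line is an assumption of this example.

```python
"""Triage helper for CVE-2022-43931 (Synology VPN Plus Server OOB write).

Added example for this article; not Synology's code. Fixed versions are
taken from the advisory table, everything else is assumed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed VPN Plus Server version per SRM branch, from the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "1.2": "1.4.3-0534",
    "1.3": "1.4.4-0635",
}

# Synology package versions look like "1.4.3-0534": major.minor.patch-build.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split a package version into integer fields so that comparison is
    numeric, not lexicographic ("1.4.10-0001" must rank above "1.4.3-0534")."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised VPN Plus Server version: {version!r}")
    major, minor, patch, build = (int(field) for field in match.groups())
    return major, minor, patch, build


def is_patched(srm_branch: str, installed: str) -> bool:
    """True if the installed package meets the fixed version for its SRM branch.

    Assumption (matches the advisory table): the required fix is chosen by the
    SRM branch the router runs, not by the package line already installed.
    """
    try:
        fixed = FIXED_VERSIONS[srm_branch]
    except KeyError:
        raise ValueError(f"no fixed version known for SRM {srm_branch!r}") from None
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Classify each (host, srm_branch, vpn_plus_version) record as
    'patched', 'vulnerable' or 'unknown'. Unparseable or unlisted input is
    reported as 'unknown' rather than silently treated as safe."""
    results: List[Tuple[str, str]] = []
    for host, branch, installed in inventory:
        try:
            status = "patched" if is_patched(branch, installed) else "vulnerable"
        except ValueError:
            status = "unknown"
        results.append((host, status))
    return results


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("rt6600ax-branch", "1.3", "1.4.4-0635"),  # exactly the fixed build
    ("rt2600ac-hq", "1.2", "1.4.3-0500"),      # older build, same patch level
    ("rt2600ac-lab", "1.2", "1.4.10-0001"),    # would sort wrong as a string
    ("mr2200ac-site", "1.3", "1.4.3-0534"),    # fixed for SRM 1.2, not for 1.3
    ("rt1900ac-old", "1.1", "1.4.0-0100"),     # branch not covered by the advisory
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:16s} {status}")
```

The “unknown” outcome is deliberate: a device on an SRM branch the advisory does not list, or one whose version string cannot be parsed, needs a human look rather than a green tick.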
Last month, Synology released a second advisory, also rated critical severity, announcing that it had fixed several security vulnerabilities in Synology Router Manager.
“Multiple vulnerabilities allow remote attackers to execute arbitrary commands, conduct denial of service attacks, or read arbitrary files via a susceptible version of Synology Router Manager (SRM),” the company said.
Although Synology did not list CVE identifiers for those flaws, several researchers and teams are credited with reporting them, and at least two of them demonstrated zero-day exploits against the Synology RT6600ax router on the first day of the Pwn2Own Toronto 2022 hacking contest.
Gaurav Baruah earned $20,000 for a command injection attack against the WAN interface of the Synology RT6600ax.
Computest, which was also credited in the December advisory, demonstrated a command injection exploit that yielded a root shell via the LAN interface of the same Synology router.