Taiwan-based NAS maker Synology has addressed a maximum (10/10) severity vulnerability affecting routers configured to run as VPN servers.
The vulnerability, tracked as CVE-2022-43931, was discovered internally by Synology’s Product Security Incident Response Team (PSIRT) in the VPN Plus Server software and was given a maximum CVSS3 Base Score of 10 by the company.
VPN Plus Server is the virtual private network package for Synology routers: administrators use it to turn the router into a VPN server so that remote users can reach resources on the network behind it.
The vulnerability can be exploited in low-complexity attacks without requiring privileges on the targeted routers or user interaction.
“A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server,” Synology said in a security advisory published on Friday.
“Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.”
Out-of-bounds write vulnerabilities let attacker-controlled data land outside the buffer it was meant for. Depending on what sits next to that buffer, the result ranges from data corruption and crashes to arbitrary code execution once the corrupted memory (a return address, a function pointer, a heap header) is under the attacker's control. In a network-facing service that needs no authentication, as here, that is a remote pre-auth code execution bug, which is why the score is a 10.
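To make the bug class concrete, here is an added illustration in C. It is not Synology's code and says nothing about how VPN Plus Server's Remote Desktop functionality actually works (the advisory gives "unspecified vectors"); the wire format, the FRAME_MAX size and the function names are all constructed for this example. The vulnerable parser checks the sender-supplied length only against the input it was handed, never against the destination buffer, so an oversized length turns memcpy into an out-of-bounds write; the hardened version adds the one missing check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for illustration only (not VPN Plus Server's):
   a 2-byte big-endian payload length followed by the payload bytes. */
#define FRAME_MAX 64

struct frame {
    uint8_t data[FRAME_MAX];
    size_t len;
};

/* Vulnerable parser: validates the length against the input, but never
   against the destination. A declared length above FRAME_MAX makes memcpy
   write past data[], corrupting whatever follows the struct in memory. */
int parse_frame_vulnerable(const uint8_t *msg, size_t msg_len, struct frame *out)
{
    if (msg_len < 2) return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (msg_len - 2 < declared) return -1;
    memcpy(out->data, msg + 2, declared);   /* out-of-bounds write if declared > FRAME_MAX */
    out->len = declared;
    return 0;
}

/* Hardened parser: the same code with the destination-capacity check added
   before any write takes place. */
int parse_frame_fixed(const uint8_t *msg, size_t msg_len, struct frame *out)
{
    if (msg_len < 2) return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared > FRAME_MAX) return -2;    /* reject oversized frames */
    if (msg_len - 2 < declared) return -1;
    memcpy(out->data, msg + 2, declared);
    out->len = declared;
    return 0;
}

/* Builds a constructed message: 2-byte length + payload_len bytes of 'A'.
   Returns the total message size, or 0 if it does not fit in buf. */
size_t build_frame(uint8_t *buf, size_t buf_size, size_t payload_len)
{
    if (payload_len > 0xFFFF || buf_size < payload_len + 2) return 0;
    buf[0] = (uint8_t)(payload_len >> 8);
    buf[1] = (uint8_t)(payload_len & 0xFF);
    memset(buf + 2, 'A', payload_len);
    return payload_len + 2;
}

/* Runs the hardened parser on a constructed frame of the given payload size
   and returns its result code (-99 if the frame could not be built). */
int fixed_parser_rc(size_t payload_len)
{
    uint8_t msg[512];
    struct frame f;
    size_t n = build_frame(msg, sizeof msg, payload_len);
    if (n == 0) return -99;
    return parse_frame_fixed(msg, n, &f);
}

int main(void)
{
    printf("payload 16  -> rc %d\n", fixed_parser_rc(16));   /* accepted */
    printf("payload 200 -> rc %d\n", fixed_parser_rc(200));  /* rejected: exceeds FRAME_MAX */
    /* parse_frame_vulnerable() on the 200-byte frame would overrun f.data
       and is deliberately not executed here. */
    return 0;
}
```

The difference between the two parsers is a single comparison, which is typical for this bug class: the input is validated for consistency with itself, and nobody asks whether the destination can hold it.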
Synology has released security updates to patch the bug and advises customers to upgrade VPN Plus Server for SRM (Synology Router Manager) to the latest available version.
| Product | Fixed Release Availability |
| --- | --- |
| VPN Plus Server for SRM 1.3 | Upgrade to 1.4.4-0635 or above |
| VPN Plus Server for SRM 1.2 | Upgrade to 1.4.3-0534 or above |
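Because the fixed release depends on the SRM branch, a quick "am I patched" check has to know both the branch and the installed package version. The following C snippet is an added example, not a Synology tool: it parses version strings in the form the advisory uses (major.minor.patch-build) and compares them field by field against the table above. The installed version strings in main() are constructed for illustration, and the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* A VPN Plus Server version as printed in the advisory, e.g. "1.4.4-0635". */
struct vpnplus_version {
    unsigned major, minor, patch, build;
};

/* Parses "major.minor.patch-build". Returns 1 on success, 0 on malformed input
   (missing fields or trailing characters after the build number). */
int parse_vpnplus_version(const char *s, struct vpnplus_version *v)
{
    char trailing;
    int n = sscanf(s, "%u.%u.%u-%u%c", &v->major, &v->minor, &v->patch, &v->build, &trailing);
    return n == 4;
}

/* Numeric field-by-field comparison; a plain strcmp would rank 1.4.10 below 1.4.4. */
int compare_vpnplus_version(const struct vpnplus_version *a, const struct vpnplus_version *b)
{
    unsigned fa[4] = {a->major, a->minor, a->patch, a->build};
    unsigned fb[4] = {b->major, b->minor, b->patch, b->build};
    for (int i = 0; i < 4; i++) {
        if (fa[i] != fb[i]) return fa[i] < fb[i] ? -1 : 1;
    }
    return 0;
}

/* Returns 1 if the installed package is at or above the fixed release for the
   given SRM branch (per the advisory table), 0 if it is still vulnerable, and
   -1 if a version string is unparseable or the branch is not one listed. */
int vpnplus_is_fixed(const char *srm_branch, const char *installed)
{
    const char *fixed_release;
    if (strcmp(srm_branch, "1.3") == 0)      fixed_release = "1.4.4-0635";
    else if (strcmp(srm_branch, "1.2") == 0) fixed_release = "1.4.3-0534";
    else return -1;

    struct vpnplus_version have, need;
    if (!parse_vpnplus_version(installed, &have) || !parse_vpnplus_version(fixed_release, &need))
        return -1;
    return compare_vpnplus_version(&have, &need) >= 0;
}

int main(void)
{
    /* Installed versions below are constructed for illustration. */
    printf("SRM 1.3 with 1.4.4-0635: %d\n", vpnplus_is_fixed("1.3", "1.4.4-0635"));  /* 1: fixed */
    printf("SRM 1.3 with 1.4.4-0600: %d\n", vpnplus_is_fixed("1.3", "1.4.4-0600"));  /* 0: vulnerable */
    printf("SRM 1.2 with 1.4.3-0534: %d\n", vpnplus_is_fixed("1.2", "1.4.3-0534"));  /* 1: fixed */
    printf("SRM 1.3 with 1.4.4:      %d\n", vpnplus_is_fixed("1.3", "1.4.4"));       /* -1: no build number */
    return 0;
}
```

Treat a -1 as "unknown, go look" rather than "fine": a version string that does not match the expected shape is exactly the case an automated inventory check tends to silently skip.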
Last month, Synology issued a second advisory rated as critical severity and announced that it had patched multiple security vulnerabilities in the Synology Router Manager.
“Multiple vulnerabilities allow remote attackers to execute arbitrary command, conduct denial-of-service attacks or read arbitrary files via a susceptible version of Synology Router Manager (SRM),” the company said.
While Synology didn’t list the security flaws’ CVE IDs, multiple researchers and teams are credited for reporting the patched bugs, with at least two of them having successfully demoed zero-day exploits targeting the Synology RT6600ax router during the first day of the Pwn2Own Toronto 2022 hacking contest.
Gaurav Baruah earned $20,000 for executing a command injection attack against the WAN interface of the Synology RT6600ax.
Computest, which was also credited in the critical December advisory, demoed a command injection root shell exploit targeting the LAN interface of the same Synology router.