Patch Issued by Synology for Critical RCE Vulnerability Affecting VPN Plus Servers

Synology has issued security updates to fix a critical vulnerability in the VPN Plus Server that could be exploited to take control of affected systems.

The vulnerability, identified as CVE-2022-43931, carries a maximum CVSS severity rating of 10 and has been described as an out-of-bounds write flaw in the remote desktop functionality of Synology VPN Plus Server.

Successful exploitation of the vulnerability “permits remote attackers to execute arbitrary commands via unspecified vectors,” the Taiwanese company said, adding that the flaw was discovered internally by its Product Security Incident Response Team (PSIRT).

It is recommended that users of VPN Plus Server for Synology Router Manager (SRM) 1.2 and VPN Plus Server for SRM 1.3 update to versions 1.4.3-0534 and 1.4.4-0635, respectively.

In a second advisory, the manufacturer of network-attached storage appliances warned of several vulnerabilities in SRM that could allow remote attackers to execute arbitrary commands, conduct denial-of-service attacks, or read arbitrary files.

Synology has not published details of the individual flaws, so users should treat them as exploitable and upgrade SRM 1.2 to version 1.2.5-8227-6 and SRM 1.3 to version 1.3.1-9346-3.
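As an added example (not Synology's tooling and not code from the original article), the following Python script applies the fixed build numbers named in the two advisories to an inventory of routers and reports which components still need updating. It assumes that the SRM and VPN Plus Server version strings have already been collected from each device, that Synology build strings can be compared numerically component by component, and that each VPN Plus fix applies to the SRM branch it is listed against; the hostnames and versions in SAMPLE_INVENTORY are constructed. Devices on an SRM branch the advisories do not mention are reported as unknown rather than assumed safe.

```python
"""Flag Synology routers whose SRM or VPN Plus Server build predates the fixed
releases named in the advisories.  Added example; not Synology tooling."""
from __future__ import annotations

import re

# Fixed builds taken from the advisory text, keyed by SRM branch (major.minor).
FIXED_SRM = {"1.2": "1.2.5-8227-6", "1.3": "1.3.1-9346-3"}
FIXED_VPN_PLUS = {"1.2": "1.4.3-0534", "1.3": "1.4.4-0635"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a Synology build string such as '1.2.5-8227-6' into a comparable
    tuple of ints: (1, 2, 5, 8227, 6).  Leading zeros ('0534') are harmless.
    A missing trailing hotfix number sorts below the same build with one,
    which is the order we want ('1.2.5-8227' < '1.2.5-8227-6')."""
    parts = re.findall(r"\d+", version)
    if len(parts) < 4:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def srm_branch(srm_version: str) -> str:
    """'1.3.1-9346-3' -> '1.3'."""
    major, minor = srm_version.split(".")[:2]
    return f"{major}.{minor}"


def assess(srm_version: str, vpn_plus_version: str | None) -> dict:
    """Compare one router's builds against the fixed releases for its branch.
    Values are True (update needed), False (at or above the fixed build) or
    None (branch not covered by the advisories, or VPN Plus not installed)."""
    branch = srm_branch(srm_version)
    result = {"branch": branch, "srm_needs_update": None, "vpn_plus_needs_update": None}
    if branch not in FIXED_SRM:
        return result  # the advisories only name fixes for SRM 1.2 and 1.3
    result["srm_needs_update"] = parse_version(srm_version) < parse_version(FIXED_SRM[branch])
    if vpn_plus_version is not None:
        result["vpn_plus_needs_update"] = (
            parse_version(vpn_plus_version) < parse_version(FIXED_VPN_PLUS[branch])
        )
    return result


# Constructed inventory for the demonstration (hostnames and builds invented;
# collecting the installed versions from real routers is outside this example).
SAMPLE_INVENTORY = [
    {"host": "rt-branch-a", "srm": "1.2.5-8227",   "vpn_plus": "1.4.3-0500"},
    {"host": "rt-branch-b", "srm": "1.3.1-9346-3", "vpn_plus": "1.4.4-0635"},
    {"host": "rt-branch-c", "srm": "1.3.1-9346",   "vpn_plus": None},
    {"host": "rt-legacy",   "srm": "1.1.7-6941",   "vpn_plus": "1.4.0-0100"},
]


def find_exposed(inventory: list[dict]) -> dict[str, list[str]]:
    """Return {hostname: [components needing update]} for every host with at
    least one outdated component; hosts on an unlisted branch are reported
    as ['unknown'] so they are not silently treated as safe."""
    exposed: dict[str, list[str]] = {}
    for device in inventory:
        r = assess(device["srm"], device["vpn_plus"])
        if r["srm_needs_update"] is None:
            exposed[device["host"]] = ["unknown"]
            continue
        needs = [name for name, flag in (("srm", r["srm_needs_update"]),
                                         ("vpn_plus", r["vpn_plus_needs_update"])) if flag]
        if needs:
            exposed[device["host"]] = needs
    return exposed


if __name__ == "__main__":
    for host, parts in find_exposed(SAMPLE_INVENTORY).items():
        print(f"{host}: update {', '.join(parts)}")
```

Because the comparison is done branch by branch, a router on SRM 1.2 is judged against 1.2.5-8227-6 rather than told to jump to 1.3, which matches how the advisory lists the fixes; if you know your fleet is only on one branch, the dictionaries reduce to a single entry.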

The vulnerabilities were reported by Gaurav Baruah, CrowdStrike’s Lukas Kupczyk, DEVCORE researcher Orange Tsai, and Dutch IT security firm Computest.

Notably, some of the vulnerabilities were demonstrated at the Pwn2Own contest held in Toronto, Canada, between December 6 and 9, 2022.

Baruah was awarded $20,000 for a command injection attack against the WAN interface of the Synology RT6600ax, while Computest was awarded $5,000 for a command injection root shell exploit targeting the LAN interface.
