Synology has issued security updates to fix a critical vulnerability in the VPN Plus Server that could be exploited to take control of affected systems.
The vulnerability, identified as CVE-2022-43931, carries a maximum CVSS severity rating of 10 and has been described as an out-of-bounds write flaw in the remote desktop functionality of Synology VPN Plus Server.
Successful exploitation of the vulnerability "permits remote attackers to execute arbitrary commands via unspecified vectors," the Taiwanese company said, adding that the flaw was discovered internally by its Product Security Incident Response Team (PSIRT).
It is recommended that users of VPN Plus Server for Synology Router Manager (SRM) 1.2 and VPN Plus Server for SRM 1.3 update to versions 1.4.3-0534 and 1.4.4-0635, respectively.
In a second advisory, the manufacturer of network-attached storage appliances warned of several vulnerabilities in SRM that could allow remote attackers to execute arbitrary commands, conduct denial-of-service attacks, or read arbitrary files.
Synology has not published details of the individual flaws, so users cannot assess exposure on a per-bug basis and are urged to upgrade to SRM 1.2.5-8227-6 (1.2 branch) or 1.3.1-9346-3 (1.3 branch) to mitigate potential threats.
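Because each SRM branch has its own fixed build, a naive "is my version number higher than the newest fix" check gets the 1.2 branch wrong: VPN Plus Server 1.4.3-0534 is fully patched on SRM 1.2 even though it is numerically below the 1.4.4-0635 fix for SRM 1.3, and SRM 1.2.5-8227 is not patched even though it differs from 1.2.5-8227-6 only in the hotfix suffix. The script below is an added example, not a Synology tool or code from the advisories; it assumes the version strings are read off the device (for example from the SRM control panel) in the dotted-plus-dash format the advisories use, and the fixed versions it embeds are the ones named in this article.

```python
from typing import Dict, Optional, Tuple

# Fixed versions named in the two Synology advisories, keyed by SRM branch,
# because each branch received its own fix build.
VPN_PLUS_FIXED: Dict[str, str] = {"1.2": "1.4.3-0534", "1.3": "1.4.4-0635"}
SRM_FIXED: Dict[str, str] = {"1.2": "1.2.5-8227-6", "1.3": "1.3.1-9346-3"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.5-8227-6' into (1, 2, 5, 8227, 6) for numeric comparison.

    Synology strings are a dotted release number followed by dash-separated
    build and hotfix numbers. Leading zeros ('0534') carry no meaning, so the
    components are compared as integers, never as strings.
    """
    parts = version.strip().replace("-", ".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Synology version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_at_least(installed: str, fixed: str) -> bool:
    """True if `installed` is the fixed build or newer within the same branch."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad with zeros so a build without a hotfix suffix (1.2.5-8227) sorts
    # below the hotfixed build that actually carries the fix (1.2.5-8227-6).
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def srm_branch(srm_version: str) -> str:
    """'1.3.1-9346-3' -> '1.3'; the branch selects which fix applies."""
    major, minor = parse_version(srm_version)[:2]
    return f"{major}.{minor}"


def assess(srm_version: str, vpn_plus_version: Optional[str] = None) -> Dict[str, object]:
    """Report patch status for SRM and, if installed, VPN Plus Server.

    Values are True (patched), False (vulnerable build) or None (not
    assessable: package not installed, or an SRM branch these advisories
    do not cover, which must be checked against Synology directly).
    """
    branch = srm_branch(srm_version)
    if branch not in SRM_FIXED:
        return {"srm_branch": branch, "srm_patched": None, "vpn_plus_patched": None}
    result: Dict[str, object] = {
        "srm_branch": branch,
        "srm_patched": is_at_least(srm_version, SRM_FIXED[branch]),
        "vpn_plus_patched": None,
    }
    if vpn_plus_version is not None:
        result["vpn_plus_patched"] = is_at_least(vpn_plus_version, VPN_PLUS_FIXED[branch])
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostname, SRM version, VPN Plus version or None).
    inventory = [
        ("rt6600ax-office", "1.3.1-9346-3", "1.4.4-0635"),   # both patched
        ("rt2600ac-branch", "1.2.5-8227-6", "1.4.3-0534"),   # patched on the 1.2 branch
        ("rt2600ac-lab", "1.2.5-8227", None),                # hotfix missing, no VPN Plus
        ("rt6600ax-guest", "1.3.1-9346", "1.4.3-0534"),      # both outdated on 1.3
    ]
    for host, srm, vpn in inventory:
        print(host, assess(srm, vpn))
```

The branch lookup is the part worth copying: the comparison must be against the fix for the branch the router actually runs, and `None` is returned rather than guessed for branches the advisories do not mention.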
The vulnerabilities were reported by Gaurav Baruah, CrowdStrike’s Lukas Kupczyk, DEVCORE researcher Orange Tsai, and Dutch IT security firm Computest.
Notably, some of the vulnerabilities were demonstrated at the Pwn2Own contest held in Toronto, Canada, between December 6 and 9, 2022.
Baruah was awarded $20,000 for a command injection attack against the WAN interface of the Synology RT6600ax, while Computest was awarded $5,000 for a command injection root shell exploit targeting the LAN interface.