Synology has issued an advisory about a vulnerability that allows remote attackers to execute arbitrary commands through a susceptible version of Synology VPN Plus Server.
VPN Plus Server
VPN Plus Server allows users to turn their Synology Router into a Virtual Private Network (VPN) server.
A VPN uses encryption to create a secure connection over a public network, such as the Internet. Consumer VPNs create a secure tunnel between a user and their VPN provider, so they can hide their browsing habits from their ISP and use their VPN provider’s IP address to connect to the Internet. Business VPNs create a tunnel between a user and the organization they work for, so they can access business information securely over the Internet.
The Synology VPN Plus Server is a business VPN that allows users to easily access and control client desktops within a network behind a Synology Router, from anywhere with Internet access, without needing any additional client software.
Vulnerability
The Common Vulnerabilities and Exposures (CVE) database is a list of publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in VPN Plus Server got listed as CVE-2022-43931.
The vulnerability is described as an out-of-bounds write vulnerability in the Remote Desktop functionality of Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635, which allows remote attackers to execute arbitrary commands via unspecified vectors. The vulnerability is rated critical, with a CVSS score of 10 (out of 10).
An out-of-bounds write or read vulnerability makes it possible to access parts of memory outside the buffer a program intended to use, including memory allocated to more critical functions. This could allow an attacker to write code to a part of memory where it will be executed with permissions that the program and user should not have.
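To make the out-of-bounds write pattern concrete, here is an added example (not code from the advisory, Synology, or VPN Plus Server; the frame layout, struct and function names are hypothetical): a receiver copies a network payload into a fixed-size buffer. The unchecked version trusts the length field carried in the frame, so an oversized length writes past the buffer into neighbouring fields; the checked version rejects any length that does not fit both the buffer and the bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical frame layout, constructed for this example (it is NOT the
 * VPN Plus Server wire format): a 2-byte big-endian payload length followed
 * by the payload. The receiver copies the payload into a 64-byte buffer. */
#define FRAME_BUF 64

struct session {
    uint8_t payload[FRAME_BUF];
    size_t  payload_len;
    int     is_admin;   /* sits right after the buffer: an overflow can clobber it */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: trusts the peer-controlled length field. When
 * len > FRAME_BUF, memcpy writes past payload[] into neighbouring memory
 * (and reads past the frame if len exceeds the bytes received). */
int parse_frame_unchecked(struct session *s, const uint8_t *frame, size_t frame_len) {
    if (frame_len < 2) return -1;
    uint16_t len = be16(frame);
    memcpy(s->payload, frame + 2, len);   /* no bounds check: out-of-bounds write */
    s->payload_len = len;
    return 0;
}

/* Hardened version: the declared length must fit both the receive buffer
 * and the bytes actually present in the frame. */
int parse_frame_checked(struct session *s, const uint8_t *frame, size_t frame_len) {
    if (frame_len < 2) return -1;                /* truncated header */
    uint16_t len = be16(frame);
    if (len > FRAME_BUF) return -2;              /* would overflow payload[] */
    if ((size_t)len > frame_len - 2) return -3;  /* would read past the frame */
    memcpy(s->payload, frame + 2, len);
    s->payload_len = len;
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t good_frame[]  = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Declares 0x0100 = 256 bytes: larger than the buffer, rejected with -2. */
static const uint8_t bad_frame[]   = { 0x01, 0x00, 'A', 'A', 'A', 'A' };
/* Declares 16 bytes (fits the buffer) but carries only 1: rejected with -3. */
static const uint8_t short_frame[] = { 0x00, 0x10, 'x' };

int main(void) {
    struct session s = {0};
    /* Only the checked parser is exercised; calling the unchecked one on
     * bad_frame would corrupt memory, which is exactly the bug class. */
    printf("good:  %d (len %zu)\n", parse_frame_checked(&s, good_frame, sizeof good_frame), s.payload_len);
    printf("bad:   %d\n", parse_frame_checked(&s, bad_frame, sizeof bad_frame));
    printf("short: %d\n", parse_frame_checked(&s, short_frame, sizeof short_frame));
    return 0;
}
```

The order of the two checks matters: the buffer-size check protects against the out-of-bounds write, and the frame-length check protects against the out-of-bounds read that would otherwise leak whatever follows the received bytes.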
The vulnerability was discovered internally by the Synology Product Security Incident Response Team (PSIRT). However, just because the problem wasn’t discovered by criminals, that doesn’t mean they won’t use it. Sometimes patches are reverse engineered by threat actors so they can understand what’s been fixed, create an exploit for it, and use it against unpatched systems.
The affected products are VPN Plus Server for SRM 1.3 which needs to be upgraded to 1.4.4-0635 or above, and VPN Plus Server for SRM 1.2 which needs to be upgraded to 1.4.3-0534 or above.
To upgrade VPN Plus Server, go to Package Center, stop the VPN Plus Server service and install the latest version via Package Center.
As a workaround, you can disable the Remote Desktop feature. To do so, click Synology VPN on the left panel of the management interface, go to Remote Desktop, and untick Enable Remote Desktop.