
Synology Releases Patch for Critical RCE Vulnerability Affecting VPN Plus Servers

Jan 04, 2023 | Ravie Lakshmanan | VPN / Server Security


Synology has released security updates to address a critical flaw impacting VPN Plus Server that could be exploited to take over affected systems.

Tracked as CVE-2022-43931, the vulnerability carries a maximum severity rating of 10 on the CVSS scale and has been described as an out-of-bounds write bug in the remote desktop functionality in Synology VPN Plus Server.

Successful exploitation of the issue “allows remote attackers to execute arbitrary commands via unspecified vectors,” the Taiwanese company said, adding that it was internally discovered by its Product Security Incident Response Team (PSIRT).

Users of VPN Plus Server for Synology Router Manager (SRM) 1.2 and VPN Plus Server for SRM 1.3 are advised to update to versions 1.4.3-0534 and 1.4.4-0635, respectively.

The network-attached storage appliance maker, in a second advisory, also warned of several flaws in SRM that could permit remote attackers to execute arbitrary commands, conduct denial-of-service attacks, or read arbitrary files.

Exact details about the vulnerabilities have been withheld, with users urged to upgrade to versions 1.2.5-8227-6 and 1.3.1-9346-3 to mitigate potential threats.
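The two advisories give four fixed versions, keyed by which SRM branch a router runs. The following added example (not Synology's code, and not part of the original article) shows how a defender could check a router inventory against those thresholds: it parses Synology-style version strings such as 1.2.5-8227-6 into integer tuples so that release, build number and hotfix suffix compare correctly, derives the SRM branch from the installed SRM version, and flags any host whose SRM or VPN Plus Server build is below the advisory's fixed version. The hostnames and installed versions in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions taken from the two Synology advisories quoted in the article,
# keyed by product and by the SRM branch (major.minor) the host runs.
FIXED_VERSIONS = {
    "SRM": {"1.2": "1.2.5-8227-6", "1.3": "1.3.1-9346-3"},
    "VPN Plus Server": {"1.2": "1.4.3-0534", "1.3": "1.4.4-0635"},
}

_VERSION_RE = re.compile(r"^\d+(?:[.-]\d+)*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a Synology-style version ("1.2.5-8227-6") into a tuple of ints.

    Tuples compare lexicographically, which matches how these versions order:
    dotted release first, then build number, then an optional hotfix suffix.
    A version lacking the suffix (1.2.5-8227) therefore sorts below 1.2.5-8227-6.
    """
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in re.split(r"[.-]", version))


def srm_branch(srm_version: str) -> str:
    """Return the SRM branch ("1.2" or "1.3") that selects the fixed versions."""
    major, minor = parse_version(srm_version)[:2]
    return f"{major}.{minor}"


def is_fixed(product: str, branch: str, installed: str) -> bool:
    """True if the installed build is at or above the advisory's fixed version."""
    fixed = FIXED_VERSIONS[product].get(branch)
    if fixed is None:
        raise ValueError(f"no advisory fix version for {product} on SRM {branch}")
    return parse_version(installed) >= parse_version(fixed)


def check_host(srm_version: str, vpn_plus_version: Optional[str] = None) -> Dict[str, str]:
    """Return a status per product for one router; VPN Plus Server is optional."""
    branch = srm_branch(srm_version)
    result: Dict[str, str] = {}
    for product, installed in (("SRM", srm_version), ("VPN Plus Server", vpn_plus_version)):
        if installed is None:
            result[product] = "not installed"
        elif is_fixed(product, branch, installed):
            result[product] = "patched"
        else:
            result[product] = f"VULNERABLE (needs {FIXED_VERSIONS[product][branch]})"
    return result


# Constructed sample inventory: host,srm_version,vpn_plus_version (hostnames and
# the below-threshold builds are made up to exercise the comparison logic).
SAMPLE_INVENTORY = """\
rt-branch-01,1.3.1-9346-3,1.4.4-0635
rt-branch-02,1.3.1-9346,1.4.4-0635
rt-home-01,1.2.5-8227-6,1.4.3-0534
rt-home-02,1.2.5-8227-6,1.4.3-0500
rt-lab-01,1.2.5-8227-6,
"""


def scan_inventory(csv_text: str) -> Dict[str, Dict[str, str]]:
    """Run check_host over every non-empty inventory line, keyed by hostname."""
    findings: Dict[str, Dict[str, str]] = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, srm, vpn = (field.strip() for field in line.split(","))
        findings[host] = check_host(srm, vpn or None)
    return findings


if __name__ == "__main__":
    for host, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(host, status)
```

The branch is derived from the installed SRM version rather than recorded separately, so a VPN Plus Server build is always judged against the fixed version for the SRM release it actually sits on, which is how the advisory expresses the thresholds.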

Gaurav Baruah, CrowdStrike’s Lukas Kupczyk, DEVCORE researcher Orange Tsai, and Netherlands-based IT security firm Computest have been credited for reporting the weaknesses.

It’s worth noting that some of the vulnerabilities were demonstrated at the 2022 Pwn2Own contest held between December 6 and 9, 2022, in Toronto.

Baruah earned $20,000 for a command injection attack against the WAN interface of the Synology RT6600ax, while Computest netted $5,000 for a command injection root shell exploit aimed at its LAN interface.
