Reference: Advisory #2023-01
Version: 1.0
Affected software:
Synology VPN Plus Server for SRM 1.2 before 1.4.3-0534
Synology VPN Plus Server for SRM 1.3 before 1.4.4-0635
Type: Remote Code Execution (RCE)
CVE/CVSS: CVE-2022-43931 (CVSS:10.0)
Vendor advisory: https://www.synology.com/en-us/security/advisory/Synology_SA_22_26
Vulnerability CVE-2022-43931 in the Synology VPN Plus Server could be exploited by a remote unauthenticated attacker. The attack does not require any user interaction and can be executed remotely without privileges.
Because this is a VPN server, an attacker can use this Remote Code Execution (RCE) vulnerability to gain access to your internal network, which can lead to a full compromise of your systems.
The impact on Confidentiality, Integrity and Availability is HIGH.
Synology VPN Plus Server is a virtual private network server that allows administrators to set up Synology routers as a VPN server to allow remote access to resources behind the router.
CVE-2022-43931 is a critical out-of-bounds write vulnerability in the Remote Desktop functionality of Synology VPN Plus Server for SRM 1.3 and SRM 1.2 (before 1.4.4-0635 and 1.4.3-0534 respectively), which allows unauthenticated remote attackers to execute arbitrary commands via unspecified vectors.
The Centre for Cybersecurity Belgium recommends that system administrators patch their Synology devices to VPN Plus Server 1.4.4-0635 or above (SRM 1.3) or 1.4.3-0534 or above (SRM 1.2).
Disconnect vulnerable devices that are exposed to the internet if there is no business use case for the exposure.
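To turn the affected-version ranges above into an inventory check, the following added example (not part of the CCB advisory or of any Synology tooling) compares VPN Plus Server package versions against the fixed builds per SRM branch. It assumes version strings in Synology's "major.minor.patch-build" form (e.g. 1.4.3-0534) and an inventory you already collected; the hostnames and versions in the sample are constructed.

```python
import re
from typing import List, Tuple

# Fixed VPN Plus Server builds per SRM branch, as stated in the advisory.
FIXED_VERSIONS = {
    "1.2": "1.4.3-0534",
    "1.3": "1.4.4-0635",
}

# Assumed package version format: major.minor.patch-build (e.g. "1.4.3-0534").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a Synology package version into a tuple that compares numerically.

    int() handles the zero-padded build number ("0534" -> 534), so builds
    compare by value rather than as strings.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised package version format: {version!r}")
    major, minor, patch, build = (int(part) for part in m.groups())
    return (major, minor, patch, build)


def is_affected(srm_branch: str, vpnplus_version: str) -> bool:
    """True if the VPN Plus Server build is older than the fix for its SRM branch."""
    fixed = FIXED_VERSIONS.get(srm_branch)
    if fixed is None:
        # The advisory only covers SRM 1.2 and 1.3; refuse to guess for other branches.
        raise ValueError(f"SRM branch {srm_branch!r} is not covered by this advisory")
    return parse_version(vpnplus_version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, srm_branch, version) entries that still need patching."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample_inventory = [
        ("router-branch-office", "1.2", "1.4.2-0500"),  # older release on SRM 1.2
        ("router-hq", "1.2", "1.4.3-0534"),             # exactly the fixed build
        ("router-lab", "1.3", "1.4.4-0600"),            # same release, older build
        ("router-dc", "1.3", "1.4.5-0100"),             # newer release
    ]
    for host, branch, version in triage(sample_inventory):
        print(f"{host}: VPN Plus Server {version} on SRM {branch} is affected by CVE-2022-43931")
```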
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
References:
https://www.bleepingcomputer.com/news/security/synology-fixes-maximum-severity-vulnerability-in-vpn-routers/
https://securityaffairs.com/140288/security/synology-fixes-critical-flaws-routers.html
https://nvd.nist.gov/vuln/detail/CVE-2022-43931