Synology has released a patch for a critical vulnerability (CVE-2022-43931) in their VPN Plus Server product, discovered by their internal Product Security Incident Response Team (PSIRT). PSIRT marked this vulnerability with a CVSS3 score of 10, the highest possible severity rating. The vulnerability achieved this rating due to the low level of complexity required to exploit it.
The VPN Plus Server vulnerability is described by NIST as an “Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.” The vulnerable product version and patched version numbers are as follows:
| Product | Fixed Release Availability |
| VPN Plus Server for SRM 1.3 | Upgrade to 1.4.4-0635 or above |
| VPN Plus Server for SRM 1.2 | Upgrade to 1.4.3-0534 or above |
Analyst Notes
Synology urges all VPN Plus Server for SRM (Synology Router Manager) users patch as soon as possible to the latest version. Users can apply updates by:
1. Logging into Synology Desktop environment
2. Opening the Package Center app
3. Click Update on the left panel to see available updates. Click the Update buttons or Update All to update packages.
https://www.bleepingcomputer.com/news/security/synology-fixes-maximum-severity-vulnerability-in-vpn-routers/
https://nvd.nist.gov/vuln/detail/CVE-2022-43931
https://www.synology.com/en-us/security/advisory/Synology_SA_22_26
https://kb.synology.com/en-nz/SRM/help/SRM/PkgManApp/manage?version=1_2
