Threat Watch

Synology Patches Severe Vulnerabilities in VPN Product

Synology has released a patch for a critical vulnerability (CVE-2022-43931) in its VPN Plus Server product, discovered by its internal Product Security Incident Response Team (PSIRT). PSIRT assigned the vulnerability a CVSS3 score of 10, the highest possible severity rating, because of the low complexity required to exploit it.

The VPN Plus Server vulnerability is described by NIST as an “Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.” The vulnerable product version and patched version numbers are as follows:

Product                      | Fixed Release Availability
VPN Plus Server for SRM 1.3  | Upgrade to 1.4.4-0635 or above
VPN Plus Server for SRM 1.2  | Upgrade to 1.4.3-0534 or above
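As an added example (not from the advisory or from Synology), the following Python check parses VPN Plus Server version strings in the advisory's MAJOR.MINOR.PATCH-BUILD form and flags installed versions below the fixed release for each SRM branch; the hostnames and installed versions in the sample inventory are constructed.

```python
"""Flag Synology VPN Plus Server installs still below the fixed release
for CVE-2022-43931. Version strings are assumed to follow the advisory's
'MAJOR.MINOR.PATCH-BUILD' form, e.g. '1.4.4-0635'."""
import re
from typing import List, Tuple

# Minimum patched version per SRM branch, taken from the advisory table.
FIXED_VERSIONS = {
    "1.3": "1.4.4-0635",
    "1.2": "1.4.3-0534",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR.PATCH-BUILD' into a tuple of ints so that the
    build number (leading zeros included) compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(srm_branch: str, installed: str) -> bool:
    """True if the installed VPN Plus Server version is at or above the
    fixed release for the given SRM branch ('1.2' or '1.3')."""
    if srm_branch not in FIXED_VERSIONS:
        raise ValueError(f"no fix data for SRM branch {srm_branch!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[srm_branch])


def triage(inventory) -> List[Tuple[str, str]]:
    """Return (host, version) for every inventory entry that still needs
    the update. inventory: iterable of (host, srm_branch, installed)."""
    return [(host, ver) for host, branch, ver in inventory
            if not is_patched(branch, ver)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("router-a", "1.3", "1.4.4-0635"),
        ("router-b", "1.3", "1.4.4-0621"),
        ("router-c", "1.2", "1.4.3-0534"),
        ("router-d", "1.2", "1.4.2-0520"),
    ]
    for host, ver in triage(sample):
        print(f"{host}: VPN Plus Server {ver} is below the fixed release")
```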

ANALYST NOTES

Synology urges all VPN Plus Server for SRM (Synology Router Manager) users to patch to the latest version as soon as possible. Users can apply updates by:

1. Logging into the Synology Desktop environment
2. Opening the Package Center app
3. Clicking Update on the left panel to see available updates, then clicking the Update buttons or Update All to update the packages.

https://www.bleepingcomputer.com/news/security/synology-fixes-maximum-severity-vulnerability-in-vpn-routers/

https://nvd.nist.gov/vuln/detail/CVE-2022-43931

https://www.synology.com/en-us/security/advisory/Synology_SA_22_26

https://kb.synology.com/en-nz/SRM/help/SRM/PkgManApp/manage?version=1_2