Synology has issued a patch for a severe vulnerability in the VPN Plus Servers that could be used to take control of systems remotely.

The vulnerability, now known as CVE-2022-43931, has a top severity score of 10 on the CVSS scale and is defined as an out-of-bounds write flaw in Synology VPN Plus Server's remote desktop feature.

The business added that successfully exploiting the flaw "enables remote attackers to run arbitrary commands through unknown vectors," adding that its internal Product Security Incident Response Team had detected it.

Updates to versions 1.4.3-0534 and 1.4.4-0635 are recommended for users of VPN Plus Server for Synology Router Manager (SRM) 1.2 and 1.3, respectively.

It is not the first time Synology has had to fix a high-severity vulnerability in one of its products; in December 2022, it addressed several problems found in its Router Manager. A vulnerable version of Synology Router Manager enabled remote attackers to run arbitrary code, launch DDoS attacks, or access arbitrary files, according to a statement made at the time by the firm.

Although no CVEs were released for these flaws, we know that at the Pwn2Own Toronto 2022 hacking competition, at least two security professionals and teams successfully developed a proof-of-concept utilizing the Synology RT6600ax router. Gaurav Baruah, a researcher in cybersecurity, received $20,000 for successfully launching a command injection attack on the Synology RT6600ax's WAN interface.

It's crucial for users of Synology's VPN Plus Server to apply the latest updates to protect against the serious vulnerability that could allow for remote command execution. This is especially important given that this is not the first time Synology has had to address high-severity vulnerabilities in its products. Staying up-to-date with security patches and updates is essential for ensuring the safety and security of your systems.

 


 

Would you like to be a Power User? Sign up for "The Fix" our Mac Tips and Tricks newsletter here.
If you have any questions you can reach The MacGuys+ at 763-331-6227 or schedule an on-site visit here
Trusted Mac IT for business owners in Minneapolis, St. Paul, Twin Cities Metro, and Western WI Area! Nation Wide, Co-Managed, Work Anyplace Mac IT Support.

Used with permission from Article Aggregator