Synology finally patches major risk flaw in its VPN routers. Router maker Synology recently disclosed a flaw rated 10/10 in many of its products.
Synology Finally Patches Major Risk Flaw in Its VPN Routers
Synology has now patched a vulnerability spotted in its router software, and this vulnerability has been rated at the maximum severity of 10/10.
According to an advisory recently released by the NAS maker, the vulnerability was found in its VPN Plus Server software and is being tracked as CVE-2022-43931. The software in question lets the routers be configured as VPN servers, which then enables remote access to the endpoints behind that router.
Threat actors can apparently exploit the flaw in low-complexity attacks that require no privileges and no user interaction, and a successful attack could cause an extensive range of damage.
What the Advisory Released By Synology States
“A vulnerability allows remote attackers to possibly execute arbitrary command via a susceptible version of Synology VPN Plus Server,” the advisory states. “Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.”
Out-of-bounds write vulnerabilities allow for the corruption of data, system crashes, as well as the execution of code following memory corruption, BleepingComputer explained.
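For a defender with a fleet of Synology routers, the practical question raised by the advisory is which installed VPN Plus Server builds are still below the fixed builds it names. The following script is an added example, not code from Synology or from the advisory. It assumes that "before 1.4.3-0534 and 1.4.4-0635" refers to two release branches, each fixed from that build onward; the hostnames and installed versions in the inventory are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed builds quoted in the advisory for CVE-2022-43931 ("before 1.4.3-0534
# and 1.4.4-0635"). Assumption (mine, not the advisory's): these are two
# release branches, and each branch is fixed from the named build onward.
FIXED_BUILDS = {
    (1, 4, 3): 534,
    (1, 4, 4): 635,
}

# Synology package versions look like "1.4.3-0534": dotted release, dash, build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Split '1.4.3-0534' into ((1, 4, 3), 534); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch), build


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unlisted' for one installed version."""
    branch, build = parse_version(version)
    oldest_fixed_branch = min(FIXED_BUILDS)
    if branch in FIXED_BUILDS:
        # Same branch as a named fix: the build number decides.
        return "patched" if build >= FIXED_BUILDS[branch] else "vulnerable"
    if branch < oldest_fixed_branch:
        # Older than any branch the advisory names a fix for, so it is "before".
        return "vulnerable"
    # A newer branch the advisory does not mention: report it rather than guess.
    return "unlisted"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, installed version) pair to its patch status."""
    return {host: assess(ver) for host, ver in inventory}


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("rt-branch-office", "1.4.3-0509"),
    ("rt-hq", "1.4.3-0534"),
    ("rt-lab", "1.4.4-0600"),
    ("rt-dc", "1.4.4-0635"),
    ("rt-old", "1.3.9-0420"),
    ("rt-new", "1.5.0-0010"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:18} {status}")
```

The deliberate "unlisted" outcome matters: a version on a branch the advisory never mentions is neither confirmed fixed nor confirmed affected, and a triage script that silently marked it "patched" would hide exactly the hosts that need a manual check against the vendor's current advisory.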
This is not the first time that Synology has had to address a high-severity flaw in its products and services. Back in December last year the company patched various flaws discovered in its Router Manager.
What the Company Has To Say About the Development
“Multiple vulnerabilities allow remote attackers to execute arbitrary command, conduct denial-of-service attacks or read arbitrary files via a susceptible version of Synology Router Manager (SRM),” the company at the time said.
No CVEs were published for these vulnerabilities, but we do know that at least two security researchers and teams successfully created proof-of-concept exploits against the Synology RT6600ax router during the Pwn2Own Toronto hacking contest.
Gaurav Baruah, a cybersecurity researcher, was awarded $20,000 for successfully running a command injection attack against the WAN interface of the Synology RT6600ax.
Synology Patched a Couple of Flaws Affecting Many Products Last Year
Back in April last year, the company announced that it had patched a couple of flaws affecting many products: “Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM),” the company said in an advisory at the time.