CVE-2022-43931: Critical Vulnerability in Synology VPN Plus Server software

Network-attached storage (NAS) appliance maker Synology has informed customers that a critical vulnerability with a maximum (10/10) severity impacts its Synology VPN Plus Server software.

VPN Plus Server turns your Synology Router into an advanced VPN (virtual private network) server. This package allows users to access Internet resources and those in the local networks behind your Synology Router, simply through a VPN client or a web browser.

In the advisory rated as critical severity published last week, the company described a flaw that was discovered internally by Synology’s Product Security Incident Response Team (PSIRT) in the VPN Plus Server software.

The security flaw, tracked as CVE-2022-43931, is an out-of-bounds write issue in the remote desktop functionality of the VPN Plus Server. A remote attacker can exploit this flaw to execute arbitrary commands.

“A vulnerability allows remote attackers to possible execute arbitrary command via a susceptible version of Synology VPN Plus Server.” Synology wrote in a security advisory.

“Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.”

Synology has addressed CVE-2022-43931 with security updates to patch the bug and advises customers to upgrade VPN Plus to the latest version as soon as possible.