Synology has released an essential security update for its SSL VPN Client utility, addressing two “Important” severity vulnerabilities that could lead to sensitive data exposure and unauthorized traffic interception. These flaws highlight the risks associated with local services and insecure credential storage in remote access tools.
Administrators and remote workers utilizing the Synology ecosystem are urged to verify their client versions immediately to prevent potential exploitation.
The advisory details two distinct attack vectors that could compromise the integrity of a user’s secure connection.
- Information Disclosure via Loopback (CVE-2021-47960)
The first vulnerability, carrying a CVSS score of 6.5, involves a failure to properly restrict access to files or directories. According to the advisory, this flaw “allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface”. If a user interacts with a specially crafted web page, an attacker could silently “retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure”.
- PIN Manipulation and Traffic Interception (CVE-2021-47961)
The more severe of the two issues, with a CVSS score of 8.1, stems from the plaintext storage of passwords.
This vulnerability “allows remote attackers to obtain or manipulate the PIN code in SSL VPN Client”. Similar to the first flaw, this attack requires user interaction with a malicious web page, but its impact is significantly higher, “potentially leading to unauthorized VPN configuration and traffic interception”.
There are no known workarounds for these vulnerabilities, making the installation of the security patch mandatory for secure operations.
- Affected Product: Synology SSL VPN Client before version 1.4.5-0684.
- The Fix: Users must “Upgrade to 1.4.5-0684 or above” to mitigate these risks.
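Since the only mitigation is upgrading, the practical check is whether each installed client is older than 1.4.5-0684. The script below is an added example (not Synology's code or part of the advisory) that parses the "major.minor.patch-build" version format used here and triages a constructed inventory; treating a missing build suffix as build 0 is an assumption.

```python
import re
from typing import Dict, Tuple

# Fixed version as stated in the advisory: "Upgrade to 1.4.5-0684 or above".
FIXED_VERSION = "1.4.5-0684"

# Synology-style "major.minor.patch-build"; the build suffix is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.4.5-0684' into a tuple that compares correctly (leading zeros dropped).
    A missing build suffix counts as build 0 (assumption, not from the advisory)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build) if build is not None else 0)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed client is 'before 1.4.5-0684', i.e. still vulnerable."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> installed version to host -> 'affected' | 'patched' | 'unknown'.
    Unparseable strings are reported as 'unknown' rather than silently skipped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "laptop-01": "1.4.4-0635",
        "laptop-02": "1.4.5-0684",
        "laptop-03": "1.4.5-0700",
        "laptop-04": "n/a",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```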