Synology-SA-22:26 VPN Plus Server

Publish Time: 2022-12-30 18:25:08 UTC+8

Last Updated: 2023-01-03 13:27:44 UTC+8

Severity
Critical
Status
Resolved

Abstract

A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server.

Affected Products

Product                      Severity   Fixed Release Availability
VPN Plus Server for SRM 1.3  Critical   Upgrade to 1.4.4-0635 or above.
VPN Plus Server for SRM 1.2  Critical   Upgrade to 1.4.3-0534 or above.
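The fixed release differs per SRM branch, so "am I affected?" is a version comparison against the right threshold rather than a single string match. The following check is an added example, not Synology's code or part of this advisory. It assumes VPN Plus Server versions use the "major.minor.patch-build" form shown in the table (for example "1.4.3-0534") and that the installed version can be read from a Synology package INFO file containing a line such as version="1.4.3-0534"; the sample INFO text below is constructed for illustration.

```python
"""Check an installed Synology VPN Plus Server build against Synology-SA-22:26.

Added example, not Synology's code. Version strings are assumed to follow the
"major.minor.patch-build" form used in the advisory, e.g. "1.4.3-0534".
"""
import re
from typing import Dict, Tuple

# Fixed releases from the Affected Products table, keyed by SRM branch.
FIXED_RELEASE: Dict[str, str] = {
    "1.3": "1.4.4-0635",
    "1.2": "1.4.3-0534",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")
_INFO_VERSION_RE = re.compile(r'^version="([^"]+)"\s*$', re.MULTILINE)

# Constructed sample of a Synology package INFO file (key="value" lines).
SAMPLE_INFO = '''package="VPNPlusServer"
version="1.4.3-0534"
displayname="VPN Plus Server"
'''


def parse_version(version: str) -> Tuple[int, ...]:
    """Split "1.4.3-0534" into (1, 4, 3, 534) so tuples compare numerically.

    Plain string comparison would be wrong here: "1.4.10-0001" sorts below
    "1.4.3-0534" lexically but is the newer build.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised VPN Plus Server version: {version!r}")
    return tuple(int(g) for g in m.groups())


def version_from_info(info_text: str) -> str:
    """Extract the version="..." value from package INFO file contents."""
    m = _INFO_VERSION_RE.search(info_text)
    if not m:
        raise ValueError("no version= line found in INFO text")
    return m.group(1)


def is_vulnerable(srm_branch: str, installed: str) -> bool:
    """True when the installed build is below the fixed release for this SRM branch."""
    if srm_branch not in FIXED_RELEASE:
        raise ValueError(f"SRM branch {srm_branch!r} is not listed in the advisory")
    return parse_version(installed) < parse_version(FIXED_RELEASE[srm_branch])


def assess(srm_branch: str, installed: str) -> str:
    """Human-readable verdict including the upgrade target."""
    fixed = FIXED_RELEASE[srm_branch]
    if is_vulnerable(srm_branch, installed):
        return (f"VULNERABLE: VPN Plus Server {installed} on SRM {srm_branch} "
                f"is affected by CVE-2022-43931; upgrade to {fixed} or above.")
    return f"OK: VPN Plus Server {installed} on SRM {srm_branch} is at or above {fixed}."


if __name__ == "__main__":
    # Example run over the constructed INFO sample for both SRM branches.
    installed_version = version_from_info(SAMPLE_INFO)
    for branch in ("1.3", "1.2"):
        print(assess(branch, installed_version))
```

The same 1.4.3-0534 build is reported as vulnerable on SRM 1.3 (where the fix is 1.4.4-0635) but as fixed on SRM 1.2, which is exactly the distinction the two table rows make; an unknown SRM branch raises rather than silently returning "not vulnerable".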

Mitigation

None

Detail

  • CVE-2022-43931
    • Severity: Critical
    • CVSS3 Base Score: 10.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.

Acknowledgement

This issue was discovered internally by Synology PSIRT.

Revision

Revision  Date        Description
1         2022-12-30  Initial public release.