Shortly before the end of the year, Synology is warning of a critical vulnerability in VPN Plus Server. The package can be installed as add-on software on Synology routers, turning the router into a VPN hub. Attackers can exploit the vulnerability to execute arbitrary commands.
Synology is still withholding details: the vulnerability allows attackers to remotely execute arbitrary commands via a vulnerable version of Synology VPN Plus Server, the manufacturer explains only briefly in its security advisory. The advisory also notes that there is no temporary workaround. The vulnerability was reported by Kevin Wang. No CVE entry appears to have been assigned yet, and a concrete CVSS score is also missing. However, Synology rates the vulnerability as critical.
Affected are VPN Plus Server for SRM 1.3 as well as VPN Plus Server for SRM 1.2. The vulnerability is fixed in release 1.4.4-0635 (for SRM 1.3) and 1.4.3-0534 (for SRM 1.2), respectively.
The manufacturer does not explain how to obtain the update. From the description of the VPN Plus Server service, it can be concluded that the software is installed and updated via the Package Center in the Synology user interface. Anyone using the VPN Plus package should install the available updated versions promptly.
About a week ago, Synology closed critical security vulnerabilities in the Synology Router Manager (SRM) operating system – there too without explaining more details about the vulnerabilities or naming CVE entries.
The last time Synology published a more detailed warning was in October of this year. Back then, vulnerabilities in the out-of-band management of the manufacturer's network storage devices allowed attackers to execute arbitrary code on them. Those vulnerabilities already had CVE entries and the highest possible CVSS score, 10.0.