Synology-SA-22:26 VPN Plus Server
Publish Time: 2022-12-30 18:25:08 UTC+8
Last Updated: 2023-01-03 13:27:44 UTC+8
- Severity: Critical
- Status: Resolved
Abstract
A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server.
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
VPN Plus Server for SRM 1.3 | Critical | Upgrade to 1.4.4-0635 or above. |
VPN Plus Server for SRM 1.2 | Critical | Upgrade to 1.4.3-0534 or above. |
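
The table above reduces to a version comparison per SRM branch, which is convenient for triaging a fleet of routers. The Python check below is an added example, not Synology's code; the inventory, hostnames and function names are constructed for illustration, and it assumes package versions are written in the `x.y.z-build` form used in the table.

```python
import re

# Fixed releases from the advisory's Affected Products table, keyed by SRM branch.
FIXED = {"1.3": "1.4.4-0635", "1.2": "1.4.3-0534"}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Turn '1.4.3-0534' into (1, 4, 3, 534); return None if malformed."""
    m = _VERSION.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def srm_branch(srm_version):
    """Reduce an SRM version such as '1.3.1' to its branch, '1.3'."""
    m = re.match(r"^(\d+\.\d+)(?:[.-]|$)", srm_version.strip())
    return m.group(1) if m else None


def triage(srm_version, package_version):
    """Classify one device against Synology-SA-22:26."""
    fixed = FIXED.get(srm_branch(srm_version))
    if fixed is None:
        return "not-listed"  # SRM branch is not in the advisory's table
    installed = parse_version(package_version)
    if installed is None:
        return "unknown"  # unreadable version string: verify by hand
    return "fixed" if installed >= parse_version(fixed) else "vulnerable"


# Constructed inventory: (hostname, SRM version, VPN Plus Server version).
INVENTORY = [
    ("rt-hq-01", "1.3.1", "1.4.4-0635"),
    ("rt-hq-02", "1.3.1", "1.4.3-0534"),  # fixed build for 1.2, not for 1.3
    ("rt-branch-01", "1.2.5", "1.4.3-0534"),
    ("rt-branch-02", "1.2.5", "1.4.2-0533"),
    ("rt-lab-01", "1.3", "1.4.4"),  # build number missing
]


def report(inventory=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(srm, pkg) for host, srm, pkg in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:14} {status}")
```

Devices reported as `unknown` or `not-listed` need a manual check; the advisory only states fixed releases for the SRM 1.2 and 1.3 branches.
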
Mitigation
None
Detail
- CVE-2022-43931
- Severity: Critical
- CVSS3 Base Score: 10.0
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.
Acknowledgement
This issue was discovered internally by Synology PSIRT.
Revision
Revision | Date | Description |
---|---|---|
1 | 2022-12-30 | Initial public release. |