This reports, among other things Caschy on his weblog. Synology has therefore discovered a vulnerability classified as critical in the VPN Plus Server for SRM application. Versions VPN Plus Server for SRM 1.3 and VPN Plus Server for SRM 1.2 are affected. Updates are available for both versions that plug the security hole.
Few details about the patch available
VPN Plus Server for SRM 1.3 users are recommended to update to 1.4.4-0635 or higher. VPN Plus Server users can upgrade to 1.4.3-0534 or later. So far, the company has not revealed much about the vulnerability. It is therefore not yet known whether this vulnerability is actively exploited or not. Either way, users should now act as soon as possible and run the update.
In the security warning Synology summarized the issue as follows:
“A vulnerability allows remote attackers to execute arbitrary commands through a vulnerable version of Synology VPN Plus Server.” Further details will only be released once the update has already reached the affected users. There is currently no corresponding CVE entry.
Security researcher Kevin Wang reported the vulnerability. Wang discovered a similar vulnerability back in October and reported it to the company.
See also:
