Synology warns of a security gap in the VPN Plus Server for its router operating systems. The manufacturer and the German Federal Office for Information Security (BSI) classify the risk of the vulnerability differently: while Synology rates it as moderate, the BSI assumes a critical gap.

In its security advisory, Synology remains very vague. Attackers from the network could inject SQL commands into vulnerable versions of Synology VPN Plus Server, is all the authors write. There is no CVE number yet, and the impact is rated moderate. There are no temporary countermeasures.

The vulnerability is also listed on the CERT-Bund website run by the BSI. However, the IT experts there state, contrary to Synology's description, that attackers could manipulate files without logging in. They associate this with a critical security risk; the BSI assigns a CVSS value of 9.1 (critical).

Synology has so far provided updates closing the gap in the VPN Plus Server for Synology Router Manager (SRM) firmware 1.3; version 1.4.6-0685 or newer seals the leak. Users still running SRM 1.2 will be supplied later; according to Synology's security advisory, that update is still in progress. Administrators should apply the available patch quickly.

The BSI prefers to err on the cautious side in its risk assessments. About a month ago, it initially warned of a supposedly critical vulnerability in the NTP server with a CVSS value of 9.8; later, after a more detailed analysis, it downgraded the rating to CVSS 4.0 (medium). Last New Year's Eve, Synology warned of a critical vulnerability in the VPN Plus Server and published the details and CVE entry five days after the warning.


(dmk)