Synology Patches Critical Vulnerabilities in SSL VPN Client
Synology has released a security update addressing two significant vulnerabilities in its SSL VPN Client, a tool widely used to establish encrypted connections to internal networks. Tracked under advisory Synology-SA-26:05, these flaws could enable remote attackers to access sensitive system files and intercept secure traffic, potentially bypassing perimeter defenses.
The first vulnerability, CVE-2021-47960 (CVSS 6.5), stems from improper access controls on files and directories within the VPN client’s installation path. Attackers could exploit this by tricking users into visiting a malicious webpage, leveraging a local HTTP server to extract sensitive data, including application configurations, security certificates, and connection logs.
The second flaw, CVE-2021-47961 (CVSS 8.1), is more severe and involves the insecure plaintext storage of user passwords. Exploiting this weakness, which also requires user interaction via a malicious link, could allow attackers to access or manipulate a user’s PIN, compromise VPN configurations, and intercept network traffic.
Both vulnerabilities rely on social engineering tactics, such as phishing, to execute. While they cannot be exploited without victim involvement, successful attacks could undermine the security of VPN-encrypted tunnels, exposing corporate and personal data.
Security researcher Laurent Sibilla discovered and reported the issues. Synology has resolved them in SSL VPN Client version 1.4.5-0684 or later. No workarounds are available, making immediate patching the only effective defense. Administrators are advised to verify endpoint updates, particularly for remote workers, to mitigate risks to network infrastructure.
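One way to carry out the endpoint verification described above, as an added example that is not from Synology or the original article: it compares client versions in an inventory export against the fixed release 1.4.5-0684. The CSV column names, the hostnames and the sample version strings are constructed assumptions, as is the premise that other releases follow the same `major.minor.patch-build` pattern.

```python
import csv
import io
import re

# Fixed release named in the advisory text above.
FIXED_VERSION = "1.4.5-0684"

# Assumed version format: "<major>.<minor>.<patch>-<build>".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Return (major, minor, patch, build) as ints, or None if unparseable."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def audit_inventory(csv_text, fixed=FIXED_VERSION):
    """Split an inventory export into vulnerable and unverifiable hosts.

    Expects the (assumed) columns: hostname, client_version.
    """
    fixed_key = parse_version(fixed)
    vulnerable, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"].strip()
        version = parse_version(row.get("client_version") or "")
        if version is None:
            # Blank or malformed version: treat as unverified, not as patched.
            unknown.append(host)
        elif version < fixed_key:
            # Integer tuple comparison, so 1.4.10 sorts after 1.4.5.
            vulnerable.append(host)
    return vulnerable, unknown


# Constructed sample export; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """hostname,client_version
laptop-01,1.4.5-0684
laptop-02,1.4.4-0683
laptop-03,1.4.10-0700
laptop-04,
laptop-05,1.3.9-0999
"""

if __name__ == "__main__":
    vulnerable, unknown = audit_inventory(SAMPLE_INVENTORY)
    print("Needs update:", ", ".join(vulnerable))
    print("Version unknown, check manually:", ", ".join(unknown))
```

Hosts with a blank or malformed version are reported separately so that a missing inventory field is never counted as a patched endpoint.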
Source: https://gbhackers.com/synology-ssl-vpn-client-vulnerability/
Synology cybersecurity rating report: https://www.rankiteo.com/company/synology
"id": "SYN1776147816",
"linkid": "synology",
"type": "Vulnerability",
"date": "1/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology (Networking/Storage Solutions)',
'name': 'Synology',
'type': 'Company'}],
'attack_vector': 'Phishing (Social Engineering)',
'data_breach': {'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Application configurations',
'Security certificates',
'Connection logs',
'User passwords',
'VPN configurations',
'Network traffic']},
'description': 'Synology has released a security update addressing two '
'significant vulnerabilities in its SSL VPN Client, a tool '
'widely used to establish encrypted connections to internal '
'networks. These flaws could enable remote attackers to access '
'sensitive system files and intercept secure traffic, '
'potentially bypassing perimeter defenses.',
'impact': {'data_compromised': 'Sensitive system files, application '
'configurations, security certificates, '
'connection logs, user passwords, VPN '
'configurations, network traffic',
'operational_impact': 'Potential bypass of perimeter defenses, '
'interception of secure traffic',
'systems_affected': 'Synology SSL VPN Client'},
'investigation_status': 'Resolved (Patches released)',
'lessons_learned': 'Importance of secure storage of sensitive data (e.g., '
'passwords) and proper access controls in VPN clients. '
'Need for immediate patching to mitigate risks.',
'post_incident_analysis': {'corrective_actions': ['Released security update '
'(SSL VPN Client version '
'1.4.5-0684 or later)',
'Immediate patching '
'recommended'],
'root_causes': ['Improper access controls on '
'files/directories',
'Insecure plaintext storage of '
'user passwords']},
'recommendations': 'Administrators should verify endpoint updates, '
'particularly for remote workers, to mitigate risks to '
'network infrastructure. No workarounds are available, '
'making patching the only effective defense.',
'references': [{'source': 'Synology Security Advisory'},
{'source': 'Researcher Laurent Sibilla'}],
'response': {'communication_strategy': 'Security advisory (Synology-SA-26:05) '
'issued to administrators',
'containment_measures': 'Security update released (SSL VPN '
'Client version 1.4.5-0684 or later)',
'remediation_measures': 'Immediate patching of SSL VPN Client'},
'stakeholder_advisories': 'Administrators advised to verify endpoint updates '
'for remote workers.',
'title': 'Synology Patches Critical Vulnerabilities in SSL VPN Client',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': ['CVE-2021-47960', 'CVE-2021-47961']}