Vulnerabilities in DrayTek Routers

DrayTek Routers Under Siege

DrayTek has recently released security updates for multiple router models, addressing 14 vulnerabilities of varying severity. Among these is a critical remote code execution (RCE) flaw, which has been assigned the maximum CVSS score of 10. Discovered by Forescout Research – Vedere Labs, these vulnerabilities affect both actively supported models and those that have reached their end of life. DrayTek’s swift response includes fixes for both categories due to the potential severity of the flaws.


Scope of the Vulnerabilities

Researchers have identified approximately 785,000 DrayTek routers that may be vulnerable, with over 704,500 of them having their web interface exposed to the internet—an alarming security risk.

Breakdown of Vulnerabilities

The majority of the vulnerabilities identified by Vedere Labs are medium-severity issues, including buffer overflow and cross-site scripting (XSS) problems, which typically require specific conditions to be exploited. However, five flaws stand out due to their significant risks and are summarized as follows:

  1. FSCT-2024-0006: A buffer overflow vulnerability in the "GetCGI()" function that processes HTTP request data, potentially leading to denial of service (DoS) or remote code execution (RCE). (CVSS score: 10.0)

  2. FSCT-2024-0007: Command injection vulnerability in the "recvCmd" binary, which facilitates communication between host and guest operating systems, allowing for potential VM escape. (CVSS score: 9.1)

  3. FSCT-2024-0014: The backend web server’s use of a static string for seeding the pseudo-random number generator (PRNG) in OpenSSL could lead to information disclosure and man-in-the-middle (MiTM) attacks. (CVSS score: 7.6)

  4. FSCT-2024-0001: The use of identical admin credentials across the system poses a risk of full system compromise if these credentials are obtained. (CVSS score: 7.5)

  5. FSCT-2024-0002: An HTML page in the web UI mishandles input, creating reflected XSS vulnerabilities. (CVSS score: 7.5)
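As an added illustration of why item 3 matters (this is not code from the advisory, from Vedere Labs, or from DrayTek): a PRNG seeded from a fixed string produces the same output on every device and after every reboot, so anything derived from it, such as session identifiers, is shared across the whole fleet. Python's random module stands in for the OpenSSL PRNG, and the seed string, the token format and the device count are constructed assumptions.

```python
import os
import random

# Constructed stand-in for the hard-coded seed string; the real value is not on the page.
STATIC_SEED = "constructed-static-seed"


def boot_prng(seed_material) -> random.Random:
    """Model one device boot: seed a fresh generator from the given material.
    Python's random.Random is used here as a stand-in for the OpenSSL PRNG."""
    return random.Random(seed_material)


def session_token(rng: random.Random, nbytes: int = 16) -> str:
    """Derive a hex token from the generator, as a web server might for a session id."""
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def first_tokens(seed_material, count: int = 3) -> list:
    """The tokens a device hands out right after boot when seeded with seed_material."""
    rng = boot_prng(seed_material)
    return [session_token(rng) for _ in range(count)]


def distinct_first_tokens(static: bool, devices: int = 1000) -> int:
    """Count how many different first tokens a fleet of `devices` routers produces.
    static=True reuses STATIC_SEED on every device (the flaw); static=False seeds
    each device from the operating system's entropy source instead."""
    seen = set()
    for _ in range(devices):
        seed = STATIC_SEED if static else os.urandom(32)
        seen.add(first_tokens(seed, 1)[0])
    return len(seen)


if __name__ == "__main__":
    print("same device rebooted twice, static seed, identical tokens:",
          first_tokens(STATIC_SEED) == first_tokens(STATIC_SEED))
    print("distinct first tokens across 1000 devices, static seed:",
          distinct_first_tokens(static=True))
    print("distinct first tokens across 1000 devices, OS entropy:",
          distinct_first_tokens(static=False))
```

With the static seed every simulated device yields one and the same first token; with per-device OS entropy each device yields its own.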

Current Threat Landscape

As of now, there have been no reported cases of active exploitation of these vulnerabilities. Technical details have been withheld to give users adequate time to apply the necessary security updates.

Impacted Models and Firmware Updates

These vulnerabilities affect 24 different router models, with 11 models being past their end-of-life yet still receiving crucial fixes. Users can find the target firmware versions and the list of affected models in DrayTek's official download portal.

Exposed Devices

Vedere Labs found that over 704,500 DrayTek devices have their Vigor Web user interface publicly accessible, which should ideally only be reachable from a local network. Notably, nearly half of the exposed devices are located in the United States, but significant numbers are also present in the United Kingdom, Vietnam, the Netherlands, and Australia.

Recommended Actions for Users

In addition to applying the latest firmware updates, DrayTek users are encouraged to implement the following security measures:

  • Disable Remote Access: If not required, ensure remote access is disabled. If it is necessary, employ access control lists and two-factor authentication.

  • Monitor Settings: Regularly check for unauthorized changes, including the addition of new admin users or remote access profiles.

  • Disable SSL VPN: Turn off SSL VPN connections using port 443 to reduce exposure.

  • Enable Syslog Logging: Activate logging to monitor for any suspicious activity.

  • Secure Browser Access: Enable auto-upgrades to HTTPS on your web browser.

All DrayTek users should verify that their device's remote access console is disabled, as these interfaces are common targets for exploits and brute force attacks.

Conclusion

The recent vulnerabilities identified in DrayTek routers highlight the critical importance of timely security updates and proactive measures. By staying informed and implementing recommended actions, users can significantly enhance the security of their networks and mitigate potential risks.

Source: https://www.draytek.com
