700K+ DrayTek routers are exposed on the Internet • The Register

Fourteen newly found bugs in DrayTek Vigor routers – including one critical remote code execution flaw that received a perfect CVSS severity rating of 10 out of 10 – could be exploited by miscreants looking to take control of the equipment and then steal sensitive data, deploy ransomware, and launch denial-of-service attacks.

An estimated 785,000 of these devices are in use on the Internet.

Most of the vulnerabilities are in the routers’ web-based user interface, so if a miscreant can reach that service on the local network or over the public Internet, they can exploit the holes to take control of the box and then launch further attacks on connected machines.

Despite DrayTek’s warning that the control panels of these Vigor routers should only be accessible from a local network, Forescout Research’s Vedere Labs found more than 704,000 DrayTek boxes that expose their web interface to the public Internet, ready and ripe for exploitation. Most of these (75 percent) are used by companies, we are told.

Plus, 38 percent of vulnerable devices remain susceptible to similar flaws that Trellix warned about two years ago.


The 14 newly found vulnerabilities affect 24 models, some of which are at end of life or end of sale. But due to the severity of the flaws, Taiwan-based DrayTek has released patches for all 14 CVEs for both supported and end-of-life routers.

There are also some steps users should take to determine if their device has already been compromised, as well as general best practices to limit future exploitation of similar bugs.

These include disabling remote access capabilities when not needed, making it harder for a remote attacker to reach the web user interface at all. If remote access is needed, enable two-factor authentication and implement access control lists to limit which addresses can reach it.

Additionally, network segmentation, strong passwords, and device monitoring are always good ideas, especially considering how nation-state gangs target routers with their attacks.

“Over the past six years, DrayTek vulnerabilities have been consistently exploited by threat actors, especially Chinese APTs,” Elisa Costante, Forescout VP of Research, told The Register, referring to advanced persistent threats.

Last month, the FBI said Chinese government spies had exploited three CVEs in DrayTek routers to build a botnet of 260,000 devices. Additionally, the US CISA has added two DrayTek flaws to its catalog of known exploited vulnerabilities.

In total, the security shop has “recorded 130 cases of DrayTek-related attacks between 2023 and 2024, including logins and exploits,” Costante said.

Exploit example

The bug hunters at Vedere Labs published a proof-of-concept exploit this week that chains two of the newly found vulnerabilities, an OS command injection vulnerability (CVE-2024-41585) and a buffer overflow bug (CVE-2024-41592), allowing them to remotely gain root access to the host operating system on vulnerable equipment, at which point it’s game over.

CVE-2024-41592 was assigned a maximum severity of 10 out of 10. It exists in the GetCGI() function in the web UI, which is responsible for retrieving HTTP request data. This feature is vulnerable to a buffer overflow when processing the query string parameters, and can be exploited by an unauthenticated user to remotely execute code or cause a denial of service.
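To make the bug class concrete, here is an added illustration that is not DrayTek’s code and does not reproduce the real GetCGI(): a small query-string parser in the shape the article describes, with a value copied into a fixed-size buffer without a length check, beside a hardened form that carries the destination size and refuses oversized values. The parameter names, the 32-byte buffer and the hostile query string are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 32   /* fixed-size destination, standing in for a stack buffer */

/* Constructed hostile input: a parameter value far longer than VALUE_MAX. */
const char HOSTILE_QUERY[] =
    "page=status&user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Locate the value of `name` in a "k=v&k2=v2" query string. Returns a pointer
 * to the value and stores its length, or returns NULL if the parameter is
 * absent. Copies nothing; pairs without '=' are skipped. */
static const char *find_param(const char *query, const char *name, size_t *vlen) {
    size_t nlen = strlen(name);
    for (const char *p = query; *p; ) {
        const char *amp = strchr(p, '&');
        size_t pairlen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', pairlen);
        if (eq && (size_t)(eq - p) == nlen && memcmp(p, name, nlen) == 0) {
            *vlen = pairlen - nlen - 1;
            return eq + 1;
        }
        if (!amp) break;
        p = amp + 1;
    }
    return NULL;
}

/* Vulnerable pattern: copies the value into a VALUE_MAX-byte buffer with no
 * bound check. Any value of VALUE_MAX bytes or more runs past the end of `out`,
 * clobbering whatever follows it on the stack. */
int get_param_unsafe(const char *query, const char *name, char out[VALUE_MAX]) {
    size_t vlen;
    const char *v = find_param(query, name, &vlen);
    if (!v) return -1;
    memcpy(out, v, vlen);   /* BUG: vlen is attacker-controlled and unchecked */
    out[vlen] = '\0';
    return 0;
}

/* Hardened form: the caller passes the buffer size and an oversized value is
 * refused outright (silent truncation can break later parsing instead).
 * Returns the value length, -1 if absent, -2 if it does not fit. */
int get_param_safe(const char *query, const char *name, char *out, size_t outsz) {
    size_t vlen;
    const char *v = find_param(query, name, &vlen);
    if (!v) return -1;
    if (vlen >= outsz) return -2;
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

/* Bytes the unsafe copy would write for this parameter (value plus NUL), so
 * the overrun can be measured without triggering it. */
size_t unsafe_copy_len(const char *query, const char *name) {
    size_t vlen;
    return find_param(query, name, &vlen) ? vlen + 1 : 0;
}

int main(void) {
    char buf[VALUE_MAX];
    if (get_param_unsafe("page=status&user=admin", "user", buf) == 0)
        printf("benign value: %s\n", buf);
    printf("hostile value would write %zu bytes into a %d-byte buffer\n",
           unsafe_copy_len(HOSTILE_QUERY, "user"), VALUE_MAX);
    printf("hardened parser result for hostile value: %d\n",
           get_param_safe(HOSTILE_QUERY, "user", buf, sizeof buf));
    return 0;
}
```

The unsafe routine is only ever called on the benign query here; running it on HOSTILE_QUERY is exactly the memory corruption the article describes, and with an unauthenticated caller on the WAN side that is the difference between a crash (denial of service) and a controlled overwrite (code execution).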

Meanwhile, CVE-2024-41585 is a similar critical flaw, scored 9.1, that affects the recvCmd binary in the firmware, which is used to communicate between the host operating system and a guest operating system. These routers split their operation between an underlying host operating system and a guest on top of it, usually DrayOS. The binary is vulnerable to command injection, so code running in the guest operating system can use it to execute arbitrary commands on the host.
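The following is an added illustration of the injection pattern, not DrayTek’s recvCmd and not its real protocol: a host-side handler that builds a shell command line from a guest-supplied argument and passes it to system(), beside the hardened form that allowlists the argument and execs the binary with an argv so no shell ever parses guest data. The "ping" request, the 8.8.8.8 target and the injected string are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (constructed, not DrayTek's recvCmd): the host formats a
 * guest-supplied argument straight into a shell command line. Every shell
 * metacharacter the guest includes is interpreted by the host's /bin/sh. */
int build_cmd_unsafe(const char *guest_arg, char *cmd, size_t cmdsz) {
    return snprintf(cmd, cmdsz, "ping -c 1 %s", guest_arg);
}

int run_unsafe(const char *guest_arg) {
    char cmd[512];
    build_cmd_unsafe(guest_arg, cmd, sizeof cmd);
    return system(cmd);   /* "8.8.8.8; cat /etc/shadow" runs both commands as the host user */
}

/* Hardened form, part 1: strict allowlist. A hostname or IPv4 literal needs
 * only letters, digits, '.' and '-'; ';', '|', '`', '$', quotes and whitespace
 * are rejected. A leading '-' is refused because ping would read it as an option. */
bool valid_host_arg(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return false;
    }
    return true;
}

/* Hardened form, part 2: no shell at all. The argument is passed as a single
 * argv element, so it stays one token whatever it contains. Returns the child's
 * exit status, or -1 if validation or process creation fails. */
int run_safe(const char *guest_arg) {
    if (!valid_host_arg(guest_arg)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "1", (char *)guest_arg, NULL};
        execvp("ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *injected = "8.8.8.8; cat /etc/shadow";   /* constructed guest input */
    char cmd[512];
    build_cmd_unsafe(injected, cmd, sizeof cmd);
    printf("unsafe command line: %s\n", cmd);
    printf("allowlist accepts injected argument? %s\n", valid_host_arg(injected) ? "yes" : "no");
    printf("allowlist accepts 8.8.8.8? %s\n", valid_host_arg("8.8.8.8") ? "yes" : "no");
    return 0;
}
```

Validation alone is not the fix: the allowlist stops today’s payload, but removing the shell from the path is what makes the host/guest boundary hold even when a future message type carries a less constrained field. Note also that the hardened handler still runs whatever the host user runs, which is why, on the real devices, root on the host is the end of the chain.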

Thus, anyone who can reach the web interface of a vulnerable device can exploit CVE-2024-41592 to achieve code execution in the guest operating system running the web interface service, and then use CVE-2024-41585 to gain control of the underlying host operating system, and thus the entire device – remote root access on the host.

The remaining 12 newly discovered bugs have medium and high severity scores.

In its report, which will be published this week, Vedere Labs explains how attackers can commit all kinds of criminal acts by taking advantage of these vulnerabilities.

This includes espionage: deploying a rootkit that survives reboots and firmware updates, then using that foothold to sniff network traffic for credential harvesting and data exfiltration. Compromising the devices’ VPN and SSL/TLS functionality enables man-in-the-middle attacks.

Or if criminals break into one of the buggy routers, they can move to other connected devices on the local network and then deploy ransomware, launch denial-of-service attacks, or build a botnet along the lines of Flax Typhoon.

A list of affected models: Vigor1000B, Vigor2962, Vigor3910, Vigor3912, Vigor165, Vigor166, Vigor2135, Vigor2763, Vigor2765, Vigor2766, Vigor2865, Vigor2866, Vigor2915, Vigor2620, VigorLTE200, Vigor2133, Vigor2762, Vigor2832, Vigor2860, Vigor2925, Vigor2862, Vigor2926, Vigor2952 and Vigor3220.

“Additionally, some vulnerable devices, such as the 3910 and 3912 series, support high download/upload speeds (up to 10 Gigabit) and have a quad-core CPU, sufficient RAM and SSD storage,” Costante told us, and noted that these features make the devices “look more like small servers.”

“These more capable routers can easily be used as command-and-control servers to attack other victims and obscure the origins of an attack,” she warned.

DrayTek did not immediately respond to The Register‘s questions. We’ll update this story if and when we hear from the networking equipment manufacturer. ®
