700K+ DrayTek routers are sitting ducks on the internet, open to remote hijacking

Fourteen newly found bugs in DrayTek Vigor routers — including one critical remote-code-execution flaw that received a perfect 10 out of 10 CVSS severity rating — could be abused by crooks looking to seize control of the equipment to then steal sensitive data, deploy ransomware, and launch denial-of-service attacks.

It’s estimated 785,000 of these devices are operating Wi-Fi networks.

Most of the vulnerabilities are in the routers’ web-based user interface, so if a miscreant can reach that service on the local network or over the public internet, they can exploit the holes to take control of the box, and then launch other attacks on connected machines.

Despite DrayTek’s warning that these Vigor routers’ control panels should only be accessible from a local network, Forescout Research’s Vedere Labs found [PDF] more than 704,000 DrayTek boxes exposing their web interface to the public internet, ready and ripe for exploitation. Most of these (75 percent) are used by businesses, we’re told.

Plus: 38 percent of the vulnerable devices remain susceptible to similar flaws that Trellix warned about two years ago.

The 14 freshly found vulnerabilities affect 24 models, some of which are end-of-life and end-of-sale. But because of the severity of the flaws, Taiwan-based DrayTek has issued patches for all 14 CVEs across both supported and end-of-life routers.

There are also some steps users should take to determine whether their device has already been compromised, as well as general best practices to limit future exploitation of similar bugs.

These include disabling remote access capabilities when they are not required, making it more difficult for someone on the internet to reach the web user interface. And if these capabilities are necessary, turn on two-factor authentication and implement access control lists to limit that remote access.

Additionally, network segmentation, strong passwords, and device monitoring are always good ideas, especially considering how nation-state gangs are targeting routers in their attacks.

“Over the past six years, DrayTek vulnerabilities have been consistently exploited by threat actors, especially by Chinese APTs,” Elisa Costante, Forescout VP of research, told The Register, referring to advanced persistent threats.

Just last month, the FBI said Chinese government spies [PDF] had exploited three CVEs in DrayTek routers to build a 260,000-device botnet. And prior to that America’s CISA added two DrayTek flaws to its catalog of known exploited vulnerabilities.

In total, the security shop “recorded 130 instances of DrayTek-related attacks, including logins and exploits, between 2023 and 2024,” Costante added.

Exploit example

The bug hunters at Vedere Labs this week published a proof-of-concept exploit that chains two of the newly found vulnerabilities, an OS command injection vulnerability (CVE-2024-41585) and a buffer overflow bug (CVE-2024-41592), that allowed them to gain remote, root access to the host OS on vulnerable equipment, at which point it’s game over.

CVE-2024-41592 was rated a maximum 10 out of 10 in severity. It exists in the GetCGI() function in the web user interface, which is responsible for retrieving HTTP request data. This function is vulnerable to a buffer overflow when processing the query string parameters, and can be abused by an unauthenticated user to achieve remote code execution or cause a denial of service.

Meanwhile, CVE-2024-41585 is a similarly critical flaw that affects the recvCmd binary in the firmware, used to communicate between the host OS and a guest OS. These routers split their operation between an underlying host operating system, and a guest on top that’s usually DrayOS. The binary is vulnerable to command injection attacks, in that the guest OS can exploit the hole to run arbitrary commands on the host, and received a 9.1 CVSS score.

Thus anyone who can reach the web interface of a vulnerable device can exploit CVE-2024-41592 to achieve code execution in the guest OS that runs the web interface service, and then use CVE-2024-41585 to take control of the underlying host OS and thus the whole device – remote, root host access.
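To make the first link of that chain concrete, here is an added illustration of the defensive side, written for this article and not taken from DrayTek’s firmware or from the Vedere Labs report: a bounded query-parameter lookup of the kind a GetCGI-style request parser needs. It refuses values that would not fit the caller’s buffer instead of copying them in, which is the check whose absence turns query-string parsing into a memory-corruption bug. The function name and signature are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example (not DrayTek's code): look up `key` in a raw
 * query string such as "user=admin&len=5" and copy its value into
 * `out`, which holds `outlen` bytes including the terminator.
 * Returns 1 when found and copied, 0 when the key is absent, and -1
 * when the value would overflow `out`. The -1 path is the bound an
 * unchecked copy lacks; the rest of the logic is ordinary parsing. */
int cgi_get_param(const char *qs, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = qs;

    if (outlen == 0)
        return -1;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);

        /* match "key=" exactly, not a longer key that merely shares the prefix */
        if (plen > klen && p[klen] == '=' && strncmp(p, key, klen) == 0) {
            size_t vlen = plen - klen - 1;
            if (vlen >= outlen)
                return -1;      /* reject rather than truncate silently */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

int main(void)
{
    char buf[16];
    /* constructed request data: the second value is 16 bytes, one too many */
    int ok  = cgi_get_param("user=admin&len=5", "user", buf, sizeof buf);
    int big = cgi_get_param("user=0123456789abcdef", "user", buf, sizeof buf);
    printf("short value: %d (%s), oversized value: %d\n", ok, buf, big);
    return 0;
}
```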

The other 12 newly discovered bugs have medium and high severity scores. 

In its report, out this week, Vedere Labs explains how an attacker could pull off all sorts of criminal acts by exploiting these vulnerabilities.

This includes espionage: By deploying a rootkit that survives reboots and firmware updates, and then using that access to spy on network traffic for credential harvesting and data exfiltration. Compromising the devices’ VPN and SSL/TLS functionality could allow for man-in-the-middle attacks.

Or, upon breaking into one of the buggy routers, criminals could pivot to other connected devices on the local network and then deploy ransomware, launch denial of service attacks, or build a botnet along the lines of Flax Typhoon.

A list of affected models: Vigor1000B, Vigor2962, Vigor3910, Vigor3912, Vigor165, Vigor166, Vigor2135, Vigor2763, Vigor2765, Vigor2766, Vigor2865, Vigor2866, Vigor2915, Vigor2620, VigorLTE200, Vigor2133, Vigor2762, Vigor2832, Vigor2860, Vigor2925, Vigor2862, Vigor2926, Vigor2952, and Vigor3220.

“Additionally, some vulnerable devices, such as the 3910 and 3912 series, support high download/upload speeds (up to 10 Gigabit), and feature a quad-core CPU, ample RAM and SSD storage,” Costante told us, noting that with these features the devices “more closely resemble small servers.”

“These more capable routers could easily be used as command-and-control servers to attack other victims and obfuscate the origin of an attack,” she warned.

DrayTek did not immediately respond to The Register’s inquiries. We will update this story if and when we hear back from the networking gear manufacturer. ®