
700K+ DrayTek routers are sitting ducks on the internet, open to remote hijacking

Fourteen bugs in DrayTek routers — including one critical remote-code-execution flaw that received a perfect 10 out of 10 CVSS severity rating — could be abused by crooks looking to seize control of the equipment to then steal sensitive data, deploy ransomware, and launch denial-of-service attacks.

It’s estimated 785,000 of these devices are operating Wi-Fi networks.

Most of the vulnerabilities are in the routers’ web-based user interface, so if a miscreant can reach that service on the local network or over the public internet, they can exploit the holes to take control of the box, and then launch other attacks on connected machines. One of the other bugs is in the command-line interface.

Despite DrayTek's warning that these routers' control panels should only be accessible from a local network, Forescout Research's Vedere Labs found [PDF] more than 704,000 DrayTek boxes exposing their web interface to the public internet, ready and ripe for exploitation. Most of these (75 percent) are used by businesses, we're told.

Plus: 38 percent of the vulnerable devices remain susceptible to similar flaws that Trellix warned about two years ago.

The new vulnerabilities affect 24 models, some of which are end-of-life and end-of-sale. But because of the severity of the flaws, DrayTek has issued patches for all 14 CVEs across both supported and end-of-life routers. There are also some steps users should take to determine whether their device has already been compromised as well as general best practices to limit exploitation in future of similar bugs.

These include disabling remote access when it isn't required, so that an attacker on the internet cannot reach the web user interface at all. If remote management is genuinely needed, turn on two-factor authentication and use access control lists to restrict which source addresses can reach it.

Additionally, network segmentation, strong passwords, and device monitoring are always good ideas, especially considering how nation-state gangs are targeting routers in their attacks.

Last month, the FBI warned that Chinese government spies had exploited three CVEs in DrayTek routers to build a 260,000-device botnet. And prior to that America’s CISA added two DrayTek flaws to its catalog of known exploited vulnerabilities.

And if you're still not convinced, the bug hunters also published a proof-of-concept exploit that chains two of the new vulnerabilities, an OS command injection vulnerability (CVE-2024-41585) and a buffer overflow bug (CVE-2024-41592), which allowed them to gain remote root access to the host OS on the equipment, at which point it's game over.

Of the new vulnerabilities that Vedere Labs spotted and disclosed, CVE-2024-41592 received a maximum 10 out of 10 severity. It exists in the GetCGI() function in the web user interface, which is responsible for retrieving HTTP request data. The function is vulnerable to a buffer overflow when processing query-string parameters, and the bug can be abused to achieve remote code execution or to cause a denial of service.
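To make the bug class concrete, here is an added illustration (not DrayTek's code, and not taken from the Forescout report): a query-string parameter parser written the way such overflows typically arise, beside a bounded version. The function names, buffer sizes and sample request are invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the bug class described for GetCGI(): a
 * query-string parameter copied into a fixed-size buffer with no length
 * check. Function names, buffer sizes and the sample request are invented
 * for this example; none of this is DrayTek's code. */

/* Locate the value of `name` in an application/x-www-form-urlencoded query
 * string. Returns a pointer to the first byte after "name=", or NULL. */
static const char *find_value(const char *query, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (*p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return p + nlen + 1;
        p = strchr(p, '&');         /* skip to the next key=value pair */
        if (!p)
            break;
        p++;
    }
    return NULL;
}

/* VULNERABLE pattern: the copy loop stops at '&' or NUL but never looks at
 * the size of `dst`. A value longer than the caller's buffer writes past
 * it, and when `dst` lives on the stack that clobbers saved registers and
 * the return address. Kept only for contrast; never use on untrusted input. */
int get_param_unsafe(const char *query, const char *name, char *dst)
{
    const char *v = find_value(query, name);
    if (!v)
        return -1;
    size_t i = 0;
    while (v[i] && v[i] != '&') {   /* bound is the input, not the buffer */
        dst[i] = v[i];
        i++;
    }
    dst[i] = '\0';
    return 0;
}

/* HARDENED version: the caller passes the buffer size, the value length is
 * measured first, and a value that would not fit (with its NUL) is rejected
 * outright. Silent truncation is the other defensible choice, but rejection
 * is harder to misuse downstream. */
int get_param_safe(const char *query, const char *name, char *dst, size_t dst_len)
{
    const char *v = find_value(query, name);
    if (!v || dst_len == 0)
        return -1;
    size_t n = strcspn(v, "&");     /* length of the value */
    if (n >= dst_len)
        return -1;                  /* would overflow: refuse the request */
    memcpy(dst, v, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample query strings, not captured traffic. */
    const char *benign = "page=status&host=192.168.1.1&fmt=json";
    char host[16];

    /* On well-formed input both parsers behave identically, which is why
     * the unsafe one survives testing. */
    if (get_param_unsafe(benign, "host", host) == 0)
        printf("unsafe parser, benign input: host = %s\n", host);
    if (get_param_safe(benign, "host", host, sizeof host) == 0)
        printf("safe parser, benign input:   host = %s\n", host);

    /* 64 'A's is far larger than the 16-byte buffer above. The safe parser
     * refuses it; the unsafe one would write 49 bytes past the end. */
    char oversized[5 + 64 + 1];
    memcpy(oversized, "host=", 5);
    memset(oversized + 5, 'A', 64);
    oversized[5 + 64] = '\0';
    printf("safe parser on oversized value: %d (expect -1)\n",
           get_param_safe(oversized, "host", host, sizeof host));
    return 0;
}
```

The point worth noticing is that the only difference between the two parsers is which quantity bounds the copy: the attacker-controlled input length, or the buffer the code owns. Rejecting an oversized value (rather than truncating it) also gives the web server a clean place to log and drop the request.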

Another critical-rated flaw, CVE-2024-41585, affects the recvCmd binary in the firmware, which is used to communicate between the host OS and a guest OS. It is vulnerable to command injection and received a 9.1 CVSS score.
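Command injection in a host/guest relay of this kind usually comes down to one line: an argument received over the channel is spliced into a shell command. The added example below (hypothetical, not DrayTek's recvCmd, with invented function names and a ping helper chosen for illustration) shows that pattern next to a version that validates the argument against an allowlist and then executes the program directly, with no shell in the path.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical illustration of the command-injection class described for
 * recvCmd: a helper on the host that runs a diagnostic command with an
 * argument supplied from the other side of the host/guest channel. The
 * function names and the ping example are invented; this is not DrayTek's
 * code. */

#define CMD_MAX 256

/* VULNERABLE pattern: the untrusted argument is spliced into a shell
 * command line. An argument such as "8.8.8.8; cat /etc/passwd" makes the
 * shell run a second command with the helper's (root) privileges. Kept for
 * contrast only; never call this with data from the other side. */
int run_ping_unsafe(const char *host)
{
    char cmd[CMD_MAX];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);     /* /bin/sh interprets ; | & ` $() and more */
}

/* Allowlist check for a hostname or IP literal: letters, digits, '.', '-'
 * and ':' (IPv6). Anything else, including every shell metacharacter and
 * whitespace, is rejected. A leading '-' is refused so the value cannot be
 * parsed as an option by the program we exec. */
bool is_safe_host(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return false;
    }
    return true;
}

/* HARDENED version: validate first, then fork/execvp with an argv array.
 * No shell is involved, so even a character that slipped past the allowlist
 * is delivered to ping as a literal argument rather than parsed as syntax.
 * Returns ping's exit status, or -1 if the input was rejected or exec failed. */
int run_ping_safe(const char *host)
{
    if (!is_safe_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127);         /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs, as they might arrive over the host/guest channel. */
    const char *inputs[] = {
        "192.168.1.1",
        "8.8.8.8; cat /etc/passwd",
        "$(reboot)",
        "-f",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-28s -> %s\n", inputs[i],
               is_safe_host(inputs[i]) ? "accepted" : "rejected");
    /* run_ping_safe() on a rejected value returns -1 without forking. */
    printf("run_ping_safe(\"$(reboot)\") = %d\n", run_ping_safe("$(reboot)"));
    return 0;
}
```

The allowlist and the exec-without-shell are two independent layers: the first keeps junk out of the argument, the second guarantees that whatever does get through is only ever one argv element. Either alone is a weaker fix; a denylist of shell metacharacters alone is the weakest, because the set of dangerous characters depends on which shell and which downstream program end up parsing the string.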

The other new bugs have medium and high severity scores.

In the report, out this week, Vedere Labs explains how an attacker could pull off all sorts of criminal acts by exploiting these vulnerabilities.

This includes espionage: By deploying a rootkit that survives reboots and firmware updates, and then using that access to spy on network traffic for credential harvesting and data exfiltration. Compromising the devices’ VPN and SSL/TLS functionality could allow for man-in-the-middle attacks.

Or, upon breaking into one of the buggy routers, criminals could pivot to other connected devices on the local network and then deploy ransomware, launch denial of service attacks, or build a botnet along the lines of Flax Typhoon.

DrayTek did not immediately respond to The Register's inquiries. We will update this story if and when we hear back from the networking gear manufacturer. ®