Fourteen bugs in DrayTek routers — including one critical remote-code-execution flaw that received a perfect 10 out of 10 CVSS severity rating — could be abused by crooks looking to seize control of the equipment to then steal sensitive data, deploy ransomware, and launch denial-of-service attacks.
It's estimated 785,000 of these devices are operating Wi-Fi networks.
Most of the vulnerabilities are in the routers' web-based user interface, so if a miscreant can reach that service on the local network or over the public internet, they can exploit the holes to take control of the box, and then launch other attacks on connected machines. One of the other bugs is in the command-line interface.
Despite DrayTek's warning that these routers' control panels should only be accessible from a local network, Forescout Research's Vedere Labs found [PDF] more than 704,000 DrayTek boxes exposing their web interface to the public internet, ready and ripe for exploitation. Most of these (75 percent) are used by businesses, we're told.
Plus: 38 percent of the vulnerable devices remain susceptible to similar flaws that Trellix warned about two years ago.
The new vulnerabilities affect 24 models, some of which are end-of-life and end-of-sale. But because of the severity of the flaws, DrayTek has issued patches for all 14 CVEs across both supported and end-of-life routers. There are also some steps users should take to determine whether their device has already been compromised, as well as general best practices to limit future exploitation of similar bugs.
These include disabling remote access capabilities when they are not required, making it harder for a remote attacker to reach the web user interface. If remote access is necessary, turn on two-factor authentication and implement access control lists to limit who can reach it.
Additionally, network segmentation, strong passwords, and device monitoring are always good ideas, especially considering how nation-state gangs are targeting routers in their attacks.
Last month, the FBI warned that Chinese government spies had exploited three CVEs in DrayTek routers to build a 260,000-device botnet. And prior to that America's CISA added two DrayTek flaws to its catalog of known exploited vulnerabilities.
Crucially, the bug hunters at Vedere Labs published a proof-of-concept exploit that chains two of the new vulnerabilities, an OS command injection vulnerability (CVE-2024-41585) and a buffer overflow bug (CVE-2024-41592), that allowed them to gain remote, root access to the host OS on vulnerable equipment, at which point it's game over.
CVE-2024-41592 was rated a maximum 10 out of 10 in severity. It exists in the GetCGI() function in the web user interface, which is responsible for retrieving HTTP request data. This function is vulnerable to a buffer overflow when processing the query string parameters, and can be abused by an unauthenticated user to achieve remote code execution or cause a denial of service.
Meanwhile, CVE-2024-41585 is a similarly critical flaw that affects the recvCmd binary in the firmware, used to communicate between the host OS and a guest OS. It's vulnerable to command injection attacks, in that a guest OS can exploit the hole to run commands on the host, and received a 9.1 CVSS score.
Thus anyone who can reach the web interface of a vulnerable device can exploit CVE-2024-41592 to achieve code execution in the guest OS that runs the web service, and then use CVE-2024-41585 to take control of the underlying host OS and thus the whole device – remote, root host access.
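The GetCGI() description above boils down to a classic pattern: request data of attacker-chosen length copied into a fixed-size buffer without a bounds check. The following C snippet is an added, hypothetical illustration of that pattern and its fix, not DrayTek's firmware code; the function names (cgi_get_param_unsafe, cgi_get_param) and the 16-byte buffer limit are assumptions chosen to keep the example small.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not DrayTek's GetCGI: a query-string reader in the style
 * of a CGI helper that extracts one "key=value" pair from an HTTP request's
 * query string into a caller-supplied buffer. All names here are hypothetical. */

#define VALUE_MAX 16   /* deliberately small so the limit is easy to reason about */

/* Vulnerable pattern: the length of the attacker-controlled value is never
 * compared with the destination size, so a value longer than the buffer
 * writes past its end. (Demonstrated only with short input below.) */
int cgi_get_param_unsafe(const char *query, const char *key, char *out)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            memcpy(out, v, vlen);      /* no bound on vlen: overflow risk */
            out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return 0;
}

/* Hardened version: the caller passes the size of 'out'; an over-long value
 * is rejected (-1) rather than silently truncated, 'out' is always
 * NUL-terminated, and a missing key returns 0. */
int cgi_get_param(const char *query, const char *key, char *out, size_t outsz)
{
    if (!query || !key || !out || outsz == 0) return -1;
    out[0] = '\0';
    size_t klen = strlen(key);
    const char *p = query;
    while (*p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outsz) return -1;   /* would not fit with NUL: refuse */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, '&');
        if (!p) break;
        p++;
    }
    return 0;
}

int main(void)
{
    char value[VALUE_MAX];
    /* Constructed sample query strings: one benign, one over-long. */
    const char *benign = "page=status&user=admin&lang=en";
    const char *too_long = "user=0123456789abcdefghijklmnop";

    if (cgi_get_param(benign, "user", value, sizeof value) == 1)
        printf("user = %s\n", value);
    if (cgi_get_param(too_long, "user", value, sizeof value) == -1)
        printf("over-long 'user' value rejected instead of overflowing\n");
    return 0;
}
```

The hardened reader treats "does not fit" as an error the caller must handle; a firmware web server that instead silently truncated would keep working but could still mis-parse the request, so rejecting is the safer default for management interfaces.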
The other new bugs have medium and high severity scores.
In the report, out this week, Vedere Labs explains how attackers could pull off all sorts of criminal acts by exploiting these vulnerabilities.
This includes espionage: by deploying a rootkit that survives reboots and firmware updates, and then using that access to spy on network traffic for credential harvesting and data exfiltration. Compromising the devices' VPN and SSL/TLS functionality could allow for man-in-the-middle attacks.
Or, upon breaking into one of the buggy routers, criminals could pivot to other connected devices on the local network and then deploy ransomware, launch denial-of-service attacks, or build a botnet along the lines of Flax Typhoon.
DrayTek did not immediately respond to The Register's inquiries. We will update this story if and when we hear back from the networking gear manufacturer. ®