High-impact vulnerability in DrayTek routers leaves thousands of SMEs open to exploitation

James Walker 05 August 2022 at 14:15 UTC

Now-patched RCE bug impacts dozens of DrayTek Vigor router models

A critical security vulnerability impacting DrayTek Vigor routers could allow unauthenticated attackers to gain full access to victim networks.

The flaw affects the Taiwanese hardware manufacturer’s popular Vigor 3910 router, along with nearly 30 other models that share the same codebase.

200,000 exposed devices

The DrayTek router vulnerability was discovered by researchers from Trellix, who found that by triggering a buffer overflow in the web management interface, they could take over the underlying DrayOS.

Tracked as CVE-2022-32548, the vulnerability earned a maximum CVSS score of 10, as this attack requires no authentication to achieve remote code execution (RCE).

“During our research we uncovered over 200,000 devices which have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited,” Trellix security researcher Philippe Laulheret writes in a technical blog post.

‘Complete compromise’

Exploiting this vulnerability can lead to a complete compromise of the device and can enable a malicious actor to access internal resources of the breached networks.

Failed exploitation attempts can lead to device reboot, denial of service, and other abnormal behavior.

Read more of the latest network security news

A security advisory released yesterday (August 4) includes the full list of impacted router models.

“Our standard best practice recommendation is to always keep firmware up to date, but we recommend that you check that affected units are running at least the firmware version [listed],” the vendor said.

Patch window

As outlined in an accompanying CERT NZ advisory this week, there has been no evidence to indicate that this vulnerability has been exploited in the wild.

“However, we strongly recommend you investigate and patch any DrayTek devices on your network as soon as possible to prevent them from being compromised,” the advisory reads.

Greg Fitzgerald, co-founder of Sevco Security, said: “Identifying and patching the known routers is a must, but organizations will still be vulnerable if there are abandoned devices connected to the network that are affected.”

The Daily Swig has asked the researchers if they have seen a reduction in the number of exposed devices since the fixes were pushed out. This article will be updated when fresh information comes to hand.

The Trellix team will release more details about how the vulnerability was discovered and exploited in an upcoming presentation at Hexacon in France on October 14-15.

RECOMMENDED Chromium site isolation bypass allows wide range of attacks on browser