DrayTek patched 14 vulnerabilities affecting 24 of its router models, including a maximum severity buffer overflow flaw that could lead to remote code execution (RCE) or denial-of-service (DoS).
The two critical-, nine high- and three medium-severity DrayTek bugs were discovered by Forescout Research’s Vedere Labs and described in a report titled “DRAY:BREAK” published Thursday.
Shodan searches conducted by the researchers also revealed approximately 704,525 DrayTek devices exposed to the internet, despite vendor recommendations that the DrayTek web user interface only be accessible to those within one’s local network. About 38% of these exposed devices, or more than 267,000 routers, are susceptible to similar years-old vulnerabilities, the report revealed.
DrayTek routers are in widespread use throughout various industries, including healthcare, manufacturing and government, and about 75% of the internet-exposed devices discovered are intended for business use, according to Forescout.
Furthermore, less than 3% of the exposed devices were running the latest DrayTek firmware version, and the most common version found, 3.8.9.2, was released more than six years ago.
“To safeguard against these vulnerabilities, organizations must immediately patch affected DrayTek devices with the latest firmware. Disabling unnecessary remote access, implementing Access Control Lists and two-factor authentication, and monitoring for anomalies through syslog logging are all crucial steps,” Daniel dos Santos, head of security research at Forescout Research – Vedere Labs, said in a statement.
Multiple DrayTek flaws risk RCE, DoS, XSS
The most severe DrayTek bug discovered, tracked as CVE-2024-41492, is a buffer overflow vulnerability in the “GetCGI()” function of the DrayTek Vigor web UI. The overflow is triggered while the function processes HTTP query string parameters, which could allow an unauthenticated attacker to achieve RCE or cause a DoS.
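As an added illustration of the bug class only (this is not DrayTek’s GetCGI() code, whose internals the report does not reproduce here), the C program below shows a minimal CGI query-string lookup with an unbounded copy into a fixed-size stack buffer, next to a bounded version that refuses oversized values instead of silently truncating them. The function names, the 32-byte buffer size and the sample query strings are assumptions constructed for the example.

```c
/* Added example, not DrayTek's GetCGI(): a minimal CGI query-string
 * parameter lookup, shown as a vulnerable variant (unbounded copy into a
 * fixed buffer) and a bounded one. Buffer size and inputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PARAM_MAX 32   /* assumed fixed-size destination buffer */

/* Locate the value of `name` in `query` ("a=1&b=2"). Returns a pointer to
 * the start of the value and its length (up to the next '&' or the end of
 * the string), or NULL if the parameter is absent. No copy, so no overflow.
 * Percent-decoding is deliberately out of scope for this example. */
static const char *find_param(const char *query, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        /* exact name match followed by '=' (rejects "user2=" for "user") */
        if (seglen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *vlen = seglen - nlen - 1;
            return p + nlen + 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* VULNERABLE: copies the attacker-controlled value into a PARAM_MAX-byte
 * caller buffer with no length check. A value of PARAM_MAX bytes or more
 * writes past the end of `out`. Returns bytes copied, or -1 if absent. */
int get_cgi_unsafe(const char *query, const char *name, char out[PARAM_MAX])
{
    size_t vlen;
    const char *v = find_param(query, name, &vlen);
    if (!v) { out[0] = '\0'; return -1; }
    memcpy(out, v, vlen);     /* no bound: overflow when vlen >= PARAM_MAX */
    out[vlen] = '\0';
    return (int)vlen;
}

/* HARDENED: the caller passes the real buffer size; values that do not fit
 * are rejected (-2) rather than truncated, so the request can be answered
 * with HTTP 400 instead of acting on a mangled value. */
int get_cgi_safe(const char *query, const char *name, char *out, size_t outlen)
{
    size_t vlen;
    const char *v;
    if (outlen == 0) return -1;
    v = find_param(query, name, &vlen);
    if (!v) { out[0] = '\0'; return -1; }
    if (vlen >= outlen) { out[0] = '\0'; return -2; } /* too long: refuse */
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

int main(void)
{
    char buf[PARAM_MAX];
    /* Constructed requests: a normal value and an oversized one. */
    const char *ok = "page=status&user=admin";
    char attack[128] = "user=";
    memset(attack + 5, 'A', 100);
    attack[105] = '\0';

    printf("safe, normal:    %d (%s)\n", get_cgi_safe(ok, "user", buf, sizeof buf), buf);
    printf("safe, oversized: %d\n", get_cgi_safe(attack, "user", buf, sizeof buf));
    /* get_cgi_unsafe(attack, "user", buf) would write 100 bytes into the
     * 32-byte buffer: undefined behaviour, and the crash/RCE primitive. */
    return 0;
}
```

The defensive point is the return contract of the bounded version: it never writes more than `outlen` bytes and it distinguishes "absent" from "too long", so a web UI handler can fail closed on hostile input rather than proceed with a truncated value.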
Another critical flaw, tracked as CVE-2024-41585, involves the “recvCmd” binary, which is used by the host operating system to communicate with the guest OS and vice versa. This binary is susceptible to OS command injection, which can also lead to virtual machine escape, the DRAY:BREAK report states.
Among the 14 vulnerabilities disclosed are nine high-severity bugs with CVSS scores ranging from 7.2 to 7.6, several of which can lead to DoS and RCE. One of the flaws, tracked as CVE-2024-41589, stems from the same admin credentials being used across the entire system, including both the host and guest OS, so that compromise of those credentials leads to full system compromise.
Additionally, three medium-severity bugs with CVSS scores of 4.9 could enable cross-site scripting (XSS): insufficient input sanitization allows the injection of arbitrary JavaScript code under certain conditions.
DrayTek has released fixed firmware versions for the affected devices, although 11 of the affected models have already reached end-of-life (EoL) and thus only received fixes for the most severe flaw, the GetCGI() buffer overflow. The DRAY:BREAK report provides a full list of affected models and fixed versions; DrayTek did not appear to have a security advisory for these flaws published on its website as of Thursday afternoon.
EoL routers, old vulnerabilities often targeted by threat actors
Outdated, vulnerable routers pose an ongoing and serious threat to homes and businesses; Forescout says nearly two-thirds – 63% – of the internet-exposed DrayTek devices it found in its search were either end-of-sale or EoL. Businesses are encouraged to identify and replace any EoL devices to avoid exploitation of any unmitigated vulnerabilities.
While there is no indication the 14 newest vulnerabilities discovered by Forescout have been exploited in the wild, attackers are actively targeting DrayTek flaws as shown by the addition of three DrayTek vulnerabilities to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog last month, including a critical four-year-old vulnerability added earlier this week.
The Forescout report also points out that several similar vulnerabilities, often affecting the same functions, have come up in various DrayTek devices and firmware versions over the past few years, suggesting a lack of variant analysis and post-mortem analyses after such vulnerabilities are reported and patched.
“Someone finding 14 new vulnerabilities at the same time likely tells you that extensive vulnerability testing was not done by the vendor. The larger reality is that this same finding is likely true about the majority of internet-connected devices and this is just the one we are learning about today,” Roger Grimes, data-driven defense evangelist at KnowBe4, said in an email to SC Media.