DrayTek Router Vulnerabilities: A Call to Action for Enterprises and Households

In recent cybersecurity news, Forescout has uncovered 14 critical vulnerabilities in DrayTek routers, posing significant risks to both enterprise networks and private households. Among these, two vulnerabilities are rated as critical, with the potential to allow remote code execution (RCE) and denial-of-service (DoS) attacks. This discovery highlights the urgent need for users to patch their devices and take preventative measures to protect their networks.

Understanding the Threat

The most severe vulnerability, CVE-2024-41492, is a buffer overflow in the GetCGI() function of the router's web interface. This flaw can be exploited by unauthenticated attackers to execute arbitrary code or cause service disruptions. Another critical issue, CVE-2024-41585, involves command injection in the recvCmd binary, used for communication between the host and guest operating systems.

These vulnerabilities expose routers to potential hijacking, allowing attackers to gain full control over the devices. Once compromised, routers can serve as entry points for further attacks, including data theft, ransomware deployment, and the creation of botnets.

Below is the comprehensive list of discovered vulnerabilities:

• CVE-2024-41589 (CVSS: 7.5): Utilization of identical administrator credentials across the system (including both guest and main OS). Compromising these credentials could result in complete system takeover.
• CVE-2024-41591 (CVSS: 7.5): The web interface contains the page doc/hslogp1_link.htm, which accepts HTML code via the content parameter in the query string and displays it without filtering, leading to a cross-site scripting vulnerability.
• CVE-2024-41587 (CVSS: 4.9): The web interface allows customization of a welcome message for each user. Insufficient input validation permits the injection of arbitrary JavaScript code, creating a stored cross-site scripting vulnerability.
• CVE-2024-41583 (CVSS: 4.9): The web interface enables setting the router’s name, displayed on various pages. Due to inadequate input validation, it is possible to inject arbitrary JavaScript code.
• CVE-2024-41584 (CVSS: 4.9): The login page wlogin.cgi in the web interface accepts the sFormAuthStr parameter for CSRF protection. This parameter’s value is displayed on the corresponding web page without filtering, allowing limited JavaScript code injection.
• CVE-2024-41592 (CVSS: 10): The GetCGI() function of the web interface, which processes HTTP request data, has a buffer overflow vulnerability when handling query string parameters.
• CVE-2024-41585 (CVSS: 9.1): The binary file recvCmd, used for data exchange between the main and guest OS, is susceptible to operating system command injection attacks.
• CVE-2024-41588 (CVSS: 7.2): CGI pages /cgi-bin/v2x00.cgi and /cgi-bin/cgiwcg.cgi in the web interface are vulnerable to buffer overflows due to the absence of length checks on query string parameters when using the strncpy() function.
• CVE-2024-41590 (CVSS: 7.2): Multiple CGI pages in the web interface exhibit buffer overflow vulnerabilities owing to insufficient validation of data passed to the strcpy() function. Exploitation requires valid credentials.
• CVE-2024-41586 (CVSS: 7.2): The web interface page /cgi-bin/ipfedr.cgi is vulnerable to stack overflow when processing excessively long query strings.
• CVE-2024-41596 (CVSS: 7.2): Several buffer overflow vulnerabilities in the web interface arise from the lack of checks when processing CGI form parameters.
• CVE-2024-41593 (CVSS: 7.2): The ft_payloads_dns() function in the web interface contains a heap buffer overflow vulnerability due to an error in the length argument of the _memcpy() call, potentially leading to buffer overrun and memory corruption.
• CVE-2024-41595 (CVSS: 7.2): Multiple CGI pages in the web interface lack boundary checks during read and write operations related to various interface settings, which can cause denial-of-service conditions.
• CVE-2024-41594 (CVSS: 7.6): The web server backend for the web interface uses a static string to initialize the random number generator in OpenSSL for TLS, potentially leading to information leakage and man-in-the-middle (MitM) attacks.

‍

Widespread Exposure

Forescout's analysis revealed that approximately 704,000 DrayTek routers are exposed to the internet, making them easy targets for cybercriminals. These devices are widely used across various sectors, including healthcare, manufacturing, and government, with 75% intended for business use.

Alarmingly, less than 3% of these devices have been updated to the latest firmware, leaving the majority vulnerable to exploitation. The most common firmware version found dates back over six years, underscoring the urgency of updating these systems.

Exploitation

During testing I was successfully able to exploit a DrayTek router by chaining an OS command injection vulnerability with a buffer overflow to gain root level remote access to the router. At this point I was able to perform traffic manipulation and MiTM attackers on user traffic.

Mitigation Measures

To safeguard against these vulnerabilities, it is crucial for organizations and individuals to:

1. Apply Patches: Update all affected DrayTek devices to the latest firmware immediately.
2. Disable Remote Access: If not needed, disable remote access to the router's web interface to reduce the attack surface.
3. Implement Security Controls: Use Access Control Lists and two-factor authentication to secure device access.
4. Monitor for Anomalies: Regularly check for unusual activity through syslog logging and network monitoring tools.

Conclusion

The discovery of these vulnerabilities serves as a stark reminder of the importance of maintaining up-to-date security practices. By taking proactive measures, users can protect their networks from potential breaches and ensure the integrity of their systems. Stay informed and vigilant to keep your digital assets safe.

‍