Black Arrow Cyber Advisory 04/08/2022 – DrayTek provides patches for a critical vulnerability in their Vigor Routers
Executive Summary
The Trellix Threat Labs vulnerability research team discovered an unauthenticated remote code execution vulnerability affecting multiple DrayTek routers whose management interface is configured to be accessible directly from the internet. The attack can also be performed by a malicious actor who has access to the local network, which is the default configuration for these devices.
What’s the risk to me or my business?
This is a one-click attack that can be performed without any user interaction and can lead to full compromise of the device. Because these devices sit on the network perimeter, their compromise can lead to further breaches of other networked systems and data.
What can I do?
The vendor has released patches for this issue on its website; given the severity, they should be applied out of band. As an external mitigation, management interfaces should never be configured to be directly accessible via the internet-facing interface. Even with this mitigation in place, the patch must still be applied promptly, because an attacker with local network access can still exploit the issue.
Technical Summary
The following is a breakdown of the vulnerability with the affected DrayTek products.
CVE-2022-32548: This vulnerability has been given a CVSS 3.0 rating of 10.0. The attack exploits a buffer overflow vulnerability in the login page: an attacker supplies a carefully crafted username and/or password, which can allow them to take control of the “DrayOS” operating system that runs on the routers. Affected models and firmware versions are listed below (a model is affected when running a firmware version older than the one shown):
Vigor3910 < 4.3.1.1
Vigor1000B < 4.3.1.1
Vigor2962 Series < 4.3.1.1
Vigor2927 Series < 4.4.0
Vigor2927 LTE Series < 4.4.0
Vigor2915 Series < 4.3.3.2
Vigor2952 / 2952P < 3.9.7.2
Vigor3220 Series < 3.9.7.2
Vigor2926 Series < 3.9.8.1
Vigor2926 LTE Series < 3.9.8.1
Vigor2862 Series < 3.9.8.1
Vigor2862 LTE Series < 3.9.8.1
Vigor2620 LTE Series < 3.9.8.1
VigorLTE 200n < 3.9.8.1
Vigor2133 Series < 3.9.6.4
Vigor2762 Series < 3.9.6.4
Vigor167 < 5.1.1
Vigor130 < 3.8.5
VigorNIC 132 < 3.8.5
Vigor165 < 4.2.4
Vigor166 < 4.2.4
Vigor2135 Series < 4.4.2
Vigor2765 Series < 4.4.2
Vigor2766 Series < 4.4.2
Vigor2832 < 3.9.6
Vigor2865 Series < 4.4.0
Vigor2865 LTE Series < 4.4.0
Vigor2866 Series < 4.4.0
Vigor2866 LTE Series < 4.4.0
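As an added example (not part of the Black Arrow advisory and not DrayTek or Trellix tooling), the script below turns the affected-model list above into a triage check: given an asset inventory of model and running firmware version, it reports which devices still need the CVE-2022-32548 patch. The model names and minimum fixed versions are taken verbatim from the list above; "Series" suffixes are dropped for matching and the "Vigor2952 / 2952P" entry is split into two models. The inventory records are constructed sample data, not real devices, and "Vigor0000" is a placeholder model name used only to show how an unlisted model is handled.

```python
"""Added example: triage DrayTek Vigor devices against the CVE-2022-32548
affected list reproduced from the advisory. Not vendor code."""
import re

# Minimum fixed firmware version per model, as listed in the advisory.
# "Series" is dropped and "Vigor2952 / 2952P" is listed as two models.
FIXED_VERSIONS = {
    "Vigor3910": "4.3.1.1", "Vigor1000B": "4.3.1.1", "Vigor2962": "4.3.1.1",
    "Vigor2927": "4.4.0", "Vigor2927 LTE": "4.4.0", "Vigor2915": "4.3.3.2",
    "Vigor2952": "3.9.7.2", "Vigor2952P": "3.9.7.2", "Vigor3220": "3.9.7.2",
    "Vigor2926": "3.9.8.1", "Vigor2926 LTE": "3.9.8.1",
    "Vigor2862": "3.9.8.1", "Vigor2862 LTE": "3.9.8.1",
    "Vigor2620 LTE": "3.9.8.1", "VigorLTE 200n": "3.9.8.1",
    "Vigor2133": "3.9.6.4", "Vigor2762": "3.9.6.4",
    "Vigor167": "5.1.1", "Vigor130": "3.8.5", "VigorNIC 132": "3.8.5",
    "Vigor165": "4.2.4", "Vigor166": "4.2.4",
    "Vigor2135": "4.4.2", "Vigor2765": "4.4.2", "Vigor2766": "4.4.2",
    "Vigor2832": "3.9.6",
    "Vigor2865": "4.4.0", "Vigor2865 LTE": "4.4.0",
    "Vigor2866": "4.4.0", "Vigor2866 LTE": "4.4.0",
}


def parse_version(version):
    """Convert '3.9.8.1' to (3, 9, 8, 1) for numeric, component-wise comparison.

    Trailing zero components are dropped so that '4.4.0' and '4.4' compare
    equal. A string without a leading dotted-number prefix is rejected rather
    than silently treated as patched.
    """
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def normalise_model(model):
    """Drop 'Series', collapse whitespace and lower-case for lookup."""
    name = re.sub(r"\bseries\b", "", model, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", name).strip().lower()


_LOOKUP = {normalise_model(k): v for k, v in FIXED_VERSIONS.items()}


def is_affected(model, firmware):
    """True if the model is listed and runs firmware older than the fix,
    False if listed and at/above the fixed version, None if not listed."""
    fixed = _LOOKUP.get(normalise_model(model))
    if fixed is None:
        return None
    return parse_version(firmware) < parse_version(fixed)


def triage(inventory):
    """Bucket (hostname, model, firmware) records by patch status."""
    result = {"needs_patch": [], "patched": [], "unlisted": []}
    for host, model, firmware in inventory:
        status = is_affected(model, firmware)
        key = "unlisted" if status is None else ("needs_patch" if status else "patched")
        result[key].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("edge-01", "Vigor2927 Series", "4.3.2"),   # below 4.4.0 -> needs patch
    ("edge-02", "Vigor2862 LTE", "3.9.8.1"),    # exactly the fixed version
    ("edge-03", "Vigor2952P", "3.9.7"),         # below 3.9.7.2 -> needs patch
    ("edge-04", "Vigor2865", "4.4"),            # equal to 4.4.0 after normalisation
    ("edge-05", "Vigor0000", "1.0"),            # placeholder model, not in the list
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Unlisted models are reported separately rather than marked safe, since absence from this list only means the advisory does not cover them; confirm such devices against the vendor's own firmware page.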
Further technical information on the vulnerability can be found here: Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers (trellix.com)
Patches are available from the vendor's website here: Latest Firmwares | DrayTek
Need help understanding your gaps, or just want some advice? Get in touch with us.