Cyber Defense Advisors

Alert: Over 700,000 DrayTek Routers Exposed to Hacking via 14 New Vulnerabilities

A little over a dozen new security vulnerabilities have been discovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices.

“These vulnerabilities could enable attackers to take control of a router by injecting malicious code, allowing them to persist on the device and use it as a gateway into enterprise networks,” Forescout Vedere Labs said in a technical report shared with The Hacker News.

Of the 14 security flaws, two are rated critical, nine are rated high, and three are rated medium in severity. The most critical of the shortcomings is a flaw that has been awarded the maximum CVSS score of 10.0.

It concerns a buffer overflow bug in the “GetCGI()” function in the Web user interface that could lead to a denial-of-service (DoS) or remote code execution (RCE) when processing the query string parameters.

Another critical vulnerability relates to a case of operating system (OS) command injection in the “recvCmd” binary used for communications between the host and guest OS.

The remaining 12 flaws are listed below –

Use of the same admin credentials across the entire system, resulting in full system compromise (CVSS score: 7.5)
A reflected cross-site scripting (XSS) vulnerability in the Web UI (CVSS score: 7.5)
A stored XSS vulnerability in the Web UI when configuring a custom greeting message after logging in (CVSS score: 4.9)
A stored XSS vulnerability in the Web UI when configuring a custom router name to be displayed to users (CVSS score: 4.9)
A reflected XSS vulnerability in the Web UI’s login page (CVSS score: 4.9)
Buffer overflow vulnerabilities in the Web UI’s CGI pages “/cgi-bin/v2x00.cgi” and “/cgi-bin/cgiwcg.cgi” leading to DoS or RCE (CVSS score: 7.2)
Buffer overflow vulnerabilities in the Web UI’s CGI pages leading to DoS or RCE (CVSS score: 7.2)
A stack buffer overflow vulnerability in the Web UI’s “/cgi-bin/ipfedr.cgi” page leading to DoS or RCE (CVSS score: 7.2)
Multiple buffer overflow vulnerabilities in the Web UI leading to DoS or RCE (CVSS score: 7.2)
A heap-based buffer overflow vulnerability in the Web UI’s ft_payloads_dns() function leading to DoS (CVSS score: 7.2)
An out-of-bounds write vulnerability in the Web UI leading to DoS or RCE (CVSS score: 7.2)
An information disclosure vulnerability in the web server backend for the Web UI that could allow an threat actor to perform an adversary-in-the-middle (AitM) attack (CVSS score: 7.6)

Forescout’s analysis found that over 704,000 DrayTek routers have their Web UI exposed to the internet, making it an attack-rich surface for malicious actors. A majority of the exposed instances are located in the U.S., followed by Vietnam, the Netherlands, Taiwan, and Australia.

Following responsible disclosure, patches for all the identified flaws have been released by DrayTek, with the max-rated vulnerability also addressed in 11 end-of-life (EoL) models.

“Complete protection against the new vulnerabilities requires patching devices running the affected software,” Forescout said. “If remote access is enabled on your router, disable it if not needed. Use an access control list (ACL) and two-factor authentication (2FA) if possible.”

The development comes as cybersecurity agencies from Australia, Canada, Germany, Japan, the Netherlands, New Zealand, South Korea, the U.K., and the U.S. issued joint guidance for critical infrastructure organizations to help maintain a safe, secure operational technology (OT) environment.

The document, titled “Principles of operational technology cybersecurity,” outlines six foundational rules –

Safety is paramount
Knowledge of the business is crucial
OT data is extremely valuable and needs to be protected
Segment and segregate OT from all other networks
The supply chain must be secure
People are essential for OT cyber security

“Quickly filtering decisions to identify those that impact the security of OT will enhance the making of robust, informed, and comprehensive decisions that promote safety, security and business continuity when designing, implementing, and managing OT environments,” the agencies said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.