Skip to main content

A total of 14 vulnerabilities affecting DrayTek Vigor routers were disclosed yesterday in a report by Forescout. The vulnerabilities were scored as follows: 2 critical severity, 9 high severity, and 3 medium severity. Most of these vulnerabilities are found in DrayTek VigorConnect, the web control interface for Vigor routers.

Let’s examine the most severe vulnerability, CVE-2024-41592, which has been assigned the maximum CVSS score of 10.0. It’s a buffer overflow in the GetCGI() function of the VigorConnect Web UI that can be triggered by sending a specially crafted, excessively long query string to any of the CGI pages.

When exploited individually, CVE-2024-41592 allows a threat actor to potentially cause a Denial of Service. However, if chained with CVE-2024-41585—the second-most severe vulnerability, which is an OS command injection flaw—it is possible to gain remote root access to the host operating system. This exploit chain only affects Vigor router models 3910 and 3912.

If a router is compromised, a threat actor could leverage it to perform network reconnaissance and lateral movement to other devices within the network, deploy malware, or launch botnet activity.

Field Details
CVE-ID CVE-2024-41592 – CVSS 10.0 (Critical)
Vulnerability Description Buffer Overflow in the “GetCGI()” function of the VigorConnect Web UI could lead to DoS or RCE
Date of Disclosure October 2, 2024
Affected Assets DrayTek VigorConnect, the web-based control interface for Vigor Routers
Vulnerable Firmware Versions  Vigor1000B, Vigor2962, Vigor3910, Vigor3912, Vigor165, Vigor166, Vigor2135, Vigor2763, Vigor2765, Vigor2766, Vigor2865, Vigor2866, Vigor2915, Vigor2620, VigorLTE200, Vigor2133, Vigor2762, Vigor2832, Vigor2860, Vigor2925, Vigor2862, Vigor2926, Vigor2952, Vigor3220
PoC Available? Yes
Exploitation Status Currently no known exploitation of these newly disclosed CVEs, but note 4 older CVEs affecting various DrayTek routers are in CISA KEV.
Patch Status Patches are available for all affected devices, including EOL firmware versions (see table near the end for a full list of patches)

DrayTek is a Taiwan-based network equipment manufacturer. Their Vigor routers are used by small to medium sized businesses and consumers worldwide.

Vigor routers have been targeted by exploitation in the past. Just last month, the FBI reported on Chinese-sponsored botnet activity that leveraged 3 older CVEs in DrayTek routers. Last year, the Chinese state-sponsored actor Volt Typhoon was observed exploiting exposed SOHO networking equipment to carry out attacks, including DrayTek devices. 

Example VigorConnect Admin Interface Exposed on the Web

Networking admin interfaces are commonly targeted as initial access points by threat actors. When exposed on the public internet, these interfaces are easily discoverable and often exploited due to the wealth of information they provide. Compromising an admin interface can grant unauthorized access to larger networks, making them valuable for network reconnaissance and further attacks. CISA has issued directives in the past, such as Binding Operational DIrective 23-02, requiring Federal agencies to secure these networked admin interfaces from the public internet.

These administrative interfaces shouldn’t be directly accessible online outside of local networks, and should instead be protected using access controls such as firewalls or VPNs.

Let’s explore the digital footprint of exposed DrayTek Vigor routers.

Censys Perspective

As of this writing, Censys has identified 751,801 exposed DrayTek Vigor routers online. These devices are predominantly located in the United Kingdom, followed by Vietnam, the Netherlands, and Taiwan from our perspective, which aligns with findings from the original report.

Out of these, 421,476 devices are exposing the VigorConnect admin UI on the web.

Map of all publicly exposed VigorConnect Router admin interfaces on the web (created with kepler.gl)

The networks with the largest concentrations of these admin interfaces are a mix of large national ISPs and regional telecom providers. Leading the list is Taiwan-based HINET, which makes sense given that DrayTek is a Taiwanese company.

ASN AS_Name Organization Country Scale Host Count
3462 HINET Data Communication Business Group HINET Taiwan Major ISP 41,969
31655 ASN-GAMMATELECOM Gamma Telecom U.K. Significant Telecom Provider 35,866
2856 BT-UK-AS BTnet UK Regional network British Telecommunications U.K. Major ISP 31,959
45899 VNPT-AS-VN VNPT Corp Vietnam Posts and Telecommunications Group Vietnam Major ISP 31,561
5413 AS5413 Daisy Communications U.K. Significant Telecom Provider 21,275
13037 ZEN-AS Zen Internet – UK Zen Internet U.K. Medium-sized ISP 13,147
18403 FPT-AS-AP FPT Telecom Company FPT Telecom Vietnam Major ISP 12,132
7552 VIETEL-AS-AP Viettel Group Viettel Group Vietnam Major ISP 11,756
1136 KPN KPN National KPN Netherlands Major ISP 9,921
3320 DTAG Internet service provider operations Deutsche Telekom AG Germany Major ISP 7,732

It’s important to note that not all observed routers are necessarily vulnerable, as specific device versions were not available. To identify exposed VigorConnect admin page instances in your networks, you can use the following Censys queries:

Censys Search Query: 

services: (http.response.status_code=200 and http.request.uri:"/weblogin.htm" and (http.response.html_title:"Vigor" or http.response.favicons.md5_hash="208b1c5af9e2cc7d46e3ec5bf4d12001"))

Censys ASM Query:  Link]

host.services: (http.response.status_code=200 and http.request.uri:"/weblogin.htm" and (http.response.html_title:"Vigor" or http.response.favicons.md5_hash="208b1c5af9e2cc7d46e3ec5bf4d12001")) or web_entity.instances: (http.response.status_code=200 and http.request.uri:"/weblogin.htm" and (http.response.html_title:"Vigor" or http.response.favicons.md5_hash="208b1c5af9e2cc7d46e3ec5bf4d12001")) 

Censys Risk Query: bLink]

risks.name="Exposed DrayTek Vigor Router"

What Can be Done?

It’s recommended to patch your DrayTek firmware according to your device model, either through the web interface or using the Firmware Upgrade utility. It’s good practice to back up your config before patching.

It’s also wise to restrict your VigorConnect admin web UIs from public remote access and enable two-factor authentication to further lower the risk of unauthorized access.

Device Model Fixed Versions EoL?
Vigor1000B, Vigor2962, Vigor3910 4.3.2.8 and 4.4.3.1 No
Vigor3912 4.3.6.1 No
Vigor165, Vigor166 4.2.7 No
Vigor2135, Vigor2763, Vigor2765, Vigor2766 4.4.5.1 No
Vigor2865, Vigor2866, Vigor2915 4.4.5.3 No
Vigor2620, VigorLTE200 3.9.8.9 Yes
Vigor2133, Vigor2762, Vigor2832 3.9.9 Yes
Vigor2860, Vigor2925 3.9.8 Yes
Vigor2862, Vigor2926 3.9.9.5 Yes
Vigor2952, Vigor3220 3.9.8.2 Yes

Source: Forescout (p.11)

References

Be the first to reply!

Reply