700K+ DrayTek Routers Vulnerable to Remote Takeover

Recent research has identified 14 new vulnerabilities in DrayTek routers, ranging from critical to medium severity, which could be exploited by malicious actors to launch various attacks, including espionage, data exfiltration, ransomware, and denial of service. 

Given the widespread use of DrayTek routers in commercial settings, the potential impact of such attacks on business continuity and reputation is significant, making it imperative for organizations using DrayTek routers to apply the latest firmware updates to mitigate these risks and protect their networks from exploitation.

DrayTek routers have been increasingly targeted by threat actors because of their widespread use and their exposure to remote code execution (RCE) attacks. The underlying vulnerabilities, often stemming from unchecked user input in web interfaces, allow attackers to gain unauthorized access to and control over the devices.

This poses a significant security risk to both residential and business users, highlighting the importance of analyzing and mitigating these vulnerabilities to protect against potential exploitation.

Potential attack scenarios

The vulnerabilities CVE-2020-10823 to CVE-2020-10828 and CVE-2020-8515 all stem from unchecked user input in various web interfaces and services, which can lead to stack-based buffer overflows or OS command injections. 

Specifically, the web interfaces “/cgi-bin/activate.cgi” and “/cgi-bin/malfunction.cgi” are vulnerable to user-controlled data overflowing buffers or executing arbitrary commands due to the lack of input validation. 

Additionally, the “apcmd” and “cvmd” services are susceptible to stack-based buffer overflows, potentially allowing attackers to gain unauthorized access or execute malicious code.

The ForeScout research team analyzed DrayTek devices running DrayOS and found several vulnerabilities in the firmware, including the use of the same admin credentials across the entire system, reflected and stored XSS vulnerabilities in the web user interface, and a lack of binary hardening mechanisms in the firmware. 

The Web UI of the system is vulnerable to multiple buffer overflow vulnerabilities, which can be exploited to achieve remote code execution or denial-of-service conditions, arising from missing length checks in query string parameters, unvalidated user data, and stack buffer overflows. 

The system is also susceptible to OS command injection attacks and heap-based buffer overflows, while the web server backend’s use of a static string to seed the PRNG in OpenSSL for TLS may allow attackers to perform man-in-the-middle attacks.
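As an added illustration of the two defect classes just described (this is example code, not code from the article or from DrayTek's firmware), a bounded query-string parameter lookup next to an allowlist check: the length check refuses an over-long value instead of copying it into a fixed stack buffer, and the allowlist keeps shell metacharacters away from any command-backed helper. The parameter names, the buffer size and the sample request are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define VALUE_MAX 32   /* fixed-size stack buffer, as in the affected handlers */

/* Bounded lookup of `key` in a raw query string such as "act=ping&host=x".
 * Returns the value length, -1 if the key is absent, -2 if the value would
 * not fit in `out`: the length check the page says the flawed handlers lack. */
int get_query_param(const char *qs, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = qs;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t pair_len = amp ? (size_t)(amp - p) : strlen(p);
        if (pair_len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = pair_len - klen - 1;
            if (vlen + 1 > outlen) return -2;   /* refuse, never truncate silently */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!amp) break;
        p = amp + 1;
    }
    return -1;
}

/* Wrapper that looks the key up into a VALUE_MAX stack buffer and reports
 * only the status code. */
int param_status(const char *qs, const char *key) {
    char value[VALUE_MAX];
    return get_query_param(qs, key, value, sizeof value);
}

/* Allowlist applied before a value reaches any shell-backed helper (the OS
 * command injection class above): only hostname/IP characters are accepted. */
int is_safe_host(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '-') return 0;
    return 1;
}

int main(void) {   /* constructed sample request; "act"/"host" are hypothetical */
    char host[VALUE_MAX];
    int n = get_query_param("act=ping&host=192.168.1.1", "host", host, sizeof host);
    if (n < 0 || !is_safe_host(host)) { puts("request rejected"); return 1; }
    printf("ping target accepted: %s\n", host);
    return 0;
}
```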

Intended use of exposed routers

The research revealed that over 704,000 DrayTek routers with exposed web interfaces were vulnerable to security breaches. 

Despite vendor recommendations, a significant portion of these devices were accessible from the internet, and many were running outdated firmware. The study identified 686 unique firmware versions and flavors, with the most popular release dating back to 2018.

Additionally, 27 router models were found online, including 13 that were end-of-sales or end-of-life. The majority of exposed routers were intended for business use, and 24 device models were affected by the new vulnerabilities.

The vulnerabilities in DrayTek routers allow attackers to gain complete control over these critical perimeter devices, which could lead to various malicious activities, such as data exfiltration, credential theft, man-in-the-middle attacks, and lateral movement within the network. 

Attackers could also use these compromised routers as command-and-control centers for further attacks, like DDoS attacks or ransomware. The high-performance capabilities of some DrayTek models exacerbate the potential damage, as they can be used to launch more sophisticated and large-scale attacks.

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
