Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks

Published: 23/11/2024   Category: security


SMBs should patch CVE-2022-32548 now to avoid a host of horrors, including complete network compromise, ransomware, state-sponsored attacks, and more.



A critical, pre-authenticated remote code execution (RCE) vulnerability has cropped up in the widely used line of DrayTek Vigor routers for smaller businesses. If it's exploited, researchers warn, it could allow complete device takeover, along with access to the broader network.
The bug (tracked as CVE-2022-32548) carries the highest vulnerability-severity score on the CVSS scale: 10 out of 10. This is no surprise given that not only is it an RCE that doesn't require authentication, but attackers could exploit it to compromise a device without social engineering or user interaction, according to a vulnerability disclosure out today from Trellix.
DrayTek routers are often used by small and midsize businesses (SMBs) to provide VPN access to employees — an increasing need given the mass migration of workers to work-from-home situations since the pandemic started. They're widely deployed, including in the US, and throughout Asia and Europe, especially in the UK.
The zero-click attack is possible if the device's management interface is configured to be Internet-facing, according to Trellix (a Shodan search showed that about 200,000 routers have interfaces open to the Internet). But even if it's not, a one-click attack is also possible, which would require access to the LAN.
So far, there are no signs of exploitation, but since the bug is now disclosed, that's likely to change, so administrators should apply their device-specific firmware updates immediately.
DrayTek routers are firmly in the sights of cybercriminals, with the US Cybersecurity and Infrastructure Security Agency (CISA) going so far as to issue a warning to that effect last June. In fact, DrayTek RCE bugs are among the most popular used by Chinese state-sponsored attackers, the agency noted, who are using them to go after SMBs in a trend that's been evident since 2020.
Lumen also published an advisory in June on ZuoRAT exploiting a bug in the Vigor 3900, an end-of-life device with a large installed base among small-office/home-office (SOHO) users.
It may seem counter-intuitive for advanced persistent threats (APTs) to be going after small fish, but Trellix points out that in 2020, the US Small Business Administration reported that there are 6 million small businesses with fewer than 500 employees in the country, compared with just 20,000 large businesses.
"While we may forget about this massive attack surface, our adversaries have not," the Trellix researchers note. "It is imperative to understand you are a target no matter the size or type of business. Data continues to demonstrate that not only is this space a target but often a more likely target. It is critical for SOHO and SMB users to understand their networks, stay up to date on all vendor patches and immediately report breaches to law enforcement."
Indeed, Barracuda Networks in March published a report that found that small businesses are three times more likely to be targeted by cybercriminals than their larger counterparts.
In the case of the new bug, an attack can lead to a host of game-changing outcomes for SMBs, according to the researchers — in some cases, company-ending outcomes.
These include the theft of sensitive data stored on the router, such as keys and administrative passwords that could be used to pivot further into the network to deliver ransomware or other malware. Espionage-minded attackers could also gain access to the internal resources located on the LAN that would normally require VPN access; launch man-in-the-middle (MitM) attacks to spy on DNS requests and other unencrypted traffic flowing from users through the router; and capture the packets passing through any port of the router. Other kinds of attacks include adding the device to a botnet for distributed denial-of-service (DDoS) or cryptomining purposes.
Even failed exploitation attempts can be problematic, according to Trellix, resulting in the device rebooting or a DoS condition that would lock out users from accessing company resources on the LAN.
The RCE bug specifically affects the Vigor 3910 and 28 other DrayTek models sharing the same codebase (a list is included in the Trellix advisory). The researchers note that it stems from a buffer overflow in the login page for the device's Web management interface (/cgi-bin/wlogin.cgi).
"An attacker may supply a carefully crafted username and/or password as base64 encoded strings inside the fields aa and ab of the login page," according to the write-up. "This would cause the buffer overflow to trigger due to a logic bug in the size verification of these encoded strings."
As shown in a proof-of-concept (PoC) exploit video, attackers can then take over the DrayOS operating system that implements the router functionalities.
"On devices that have an underlying Linux operating system (such as the Vigor 3910), it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network," the researchers explain. "Devices that are running the DrayOS as a bare-metal operating system will be harder to compromise as it requires that an attacker has better understanding of the DrayOS internals."
For businesses using DrayTek routers, protection from attack starts with patching and making sure the firmware is always up to date.
Beyond that, Trellix researchers recommend that admins should never expose the management interface to the Internet unless absolutely required; and if it is, they should implement two-factor authentication (2FA) and IP restrictions to minimize risk.
Once the patch is applied, admins should also verify that port mirroring, DNS settings, authorized VPN access, and any other relevant settings have not been tampered with in the management interface. And they should change the password of the devices and revoke any secret stored on the router that may have been accessed prior to patching.
For those companies that can't patch right away, Trellix researchers say that monitoring for compromise should be a priority.
"Exploitation attempts can be detected by logging/alerting when a malformed base64 string is sent via a POST request to the /cgi-bin/wlogin.cgi endpoint on the router's web management interface," they note. "Base64 encoded strings are expected to be found in the aa and ab fields of the POST request. Malformed base64 strings indicative of an attack would have an abnormally high number of %3D padding. Any number over three should be considered suspicious."
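As an added illustration of the detection guidance above (example code written for this page, not code from Trellix or DrayTek), the following Python checker applies that rule to captured wlogin.cgi POSTs: it counts the '=' padding in the aa and ab fields and also checks that each field is canonical base64. The request records and source addresses are constructed, and the check assumes request bodies are available from a body-logging proxy in front of the management interface.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# From the advisory text: the login endpoint, the two base64 fields and the
# "more than three padding characters" rule of thumb.
LOGIN_ENDPOINT = "/cgi-bin/wlogin.cgi"
WATCHED_FIELDS = ("aa", "ab")
PADDING_THRESHOLD = 3
B64_RE = re.compile(r"[A-Za-z0-9+/]*={0,2}")  # shape of canonical base64

def is_well_formed_base64(value):
    """Canonical base64: valid alphabet, length a multiple of 4, at most two '='."""
    if len(value) % 4 or not B64_RE.fullmatch(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return True

def inspect_login_request(method, path, body):
    """Alert dict for a suspicious wlogin.cgi POST, else None. parse_qs has already
    turned the URL-encoded %3D back into '=', so padding is counted on the decoded value."""
    if method != "POST" or path != LOGIN_ENDPOINT:
        return None
    params = parse_qs(body, keep_blank_values=True)
    for field in WATCHED_FIELDS:
        for value in params.get(field, []):
            pads = value.count("=")
            malformed = not is_well_formed_base64(value)
            if pads > PADDING_THRESHOLD or malformed:
                return {"field": field, "padding": pads, "malformed_base64": malformed}
    return None

def scan(requests):
    """Apply the check to captured requests; each alert carries the source address."""
    return [dict(hit, src=r["src"]) for r in requests
            if (hit := inspect_login_request(r["method"], r["path"], r["body"]))]

# Constructed sample requests (not real traffic), as a body-logging proxy might record them.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "method": "POST", "path": LOGIN_ENDPOINT,
     "body": "aa=YWRtaW4%3D&ab=UEBzc3cwcmQh"},  # 'admin': one pad, valid base64
    {"src": "192.0.2.20", "method": "GET", "path": "/", "body": ""},
    {"src": "198.51.100.7", "method": "POST", "path": LOGIN_ENDPOINT,
     "body": "aa=QUFBQUFB%3D%3D%3D%3D%3D%3D&ab=UEBzc3cwcmQh"},  # six pads: flagged
]
```

Note that parse_qs decodes a literal '+' in the body to a space, so a client that does not percent-encode '+' as %2B would trip the canonical-base64 check; baseline the rule against known-good logins before alerting on it.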
