Now-patched RCE bug impacts dozens of DrayTek Vigor router models

High-impact vulnerability in DrayTek routers leaves thousands of SMEs open to exploitation

UPDATED A critical security vulnerability impacting DrayTek Vigor routers could allow unauthenticated attackers to gain full access to victim networks.

The flaw affects the Taiwanese hardware manufacturer’s popular Vigor 3910 router, along with nearly 30 other models that share the same codebase.

200,000 exposed devices

The DrayTek router vulnerability was discovered by researchers from Trellix, who found that by triggering a buffer overflow in the web management interface, they could take over the underlying DrayOS.

Tracked as CVE-2022-32548, the vulnerability earned a maximum CVSS score of 10, as this attack requires no authentication to achieve remote code execution (RCE).

“During our research we uncovered over 200,000 devices which have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited,” Trellix Threat Labs senior security researcher Philippe Laulheret writes in a technical blog post.

Laulheret and colleague Doug McKee, principal engineer and head of vulnerability research at Trellix, told The Daily Swig that they “noticed a slow uptick in the deployment of the latest firmware versions” in the days following disclosure, but “the majority of the devices we [could] discover online [were] still lagging one or more years behind in firmware updates”.

‘Complete compromise’

Exploiting this vulnerability can lead to a complete compromise of the device and can enable a malicious actor to access internal resources of the breached networks.

Failed exploitation attempts can lead to device reboot, denial of service, and other abnormal behavior.


A security advisory released yesterday (August 4) includes the full list of impacted router models.

“Our standard best practice recommendation is to always keep firmware up to date, but we recommend that you check that affected units are running at least the firmware version [listed],” the vendor said.

McKee and Laulheret recommended “a complete firmware update”, but noted “a partial mitigation can be applied by not exposing the web management interface to the internet. This drastically reduces the risk; however, it doesn’t protect from a one-click attack from the internal network”.

They added that “Trellix provides a 90-day window for vendors to review, and patch reported vulnerabilities,” but DrayTek “provided an updated patch for us to confirm the fix in less than 30 days”. Once the fix was validated, “DrayTek released the patched firmware in just a few days. It is impressive for a large company to respond and adequately patch in this timeframe”, the researchers said.

Patch window

As outlined in an accompanying CERT NZ advisory this week, there has been no evidence to indicate that this vulnerability has been exploited in the wild.

“However, we strongly recommend you investigate and patch any DrayTek devices on your network as soon as possible to prevent them from being compromised,” the advisory reads.

Greg Fitzgerald, co-founder of Sevco Security, said: “Identifying and patching the known routers is a must, but organizations will still be vulnerable if there are abandoned devices connected to the network that are affected.”

McKee and Laulheret said “Trellix always provides vendors with a very detailed technical analysis of the vulnerability, code for reproduction, and a suggested mitigation strategy”, before working “with the vendor at their comfort level to ensure the vulnerability is mitigated”.

The Trellix team will release more details about how the vulnerability was discovered and exploited in an upcoming presentation at Hexacon in France on October 14-15.

This article was updated on September 21 with additional comment provided by Trellix Threat Labs researchers on August 8.
