Trellix Finds Unauthenticated Remote Code Execution In DrayTek Routers

The Trellix Threat Labs Vulnerability Research team has released research detailing an unauthenticated remote code execution vulnerability, filed under CVE-2022-32548, affecting multiple routers from DrayTek, a Taiwanese company that manufactures Small Office and Home Office (SOHO) routers.

The attack can be performed without user interaction if the device’s management interface has been configured to be internet-facing. A one-click attack can also be performed within the LAN in the default device configuration. The attack can lead to a full compromise of the device and a network breach and unauthorised access to internal resources. All the affected models have patched firmware available for download on the vendor’s website.

“With many businesses implementing work from home policies over the last two years, these affordable devices offer an easy way for Small and Medium Sized Businesses (SMBs) to provide VPN access to their employees. For this reason, we decided to look into the security of one of their flagship products, the Vigor 3910. We uncovered over 200k devices which have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited,” said Philippe Laulheret, Senior Security Researcher at Trellix.

The compromise of a network appliance such as the Vigor 3910 can lead to a host of undesirable outcomes including leak of sensitive data stored on the router; access to the internal resources located on the LAN that would normally require VPN-access or be present “on the same network”; man-in-the-middle of the network traffic; spying on DNS requests and other unencrypted traffic directed to the internet from the LAN through the router; packet capture of the data going through any port of the router or Botnet activity. Furthermore, failed exploitation attempts can lead to reboot of the device, denial of service of affected devices and other possible abnormal behavior.

For those organisations that use DrayTek routers, Trellix recommends:

  • Make sure the latest firmware is deployed to the device.
  • In the device’s management interface, verify that port mirroring, DNS settings, authorised VPN access and any other relevant settings have not been tampered with.
  • Do not expose the management interface to the Internet unless required. If you do, make sure you enable 2FA and IP restrictions to minimise the risk of an attack.
  • Change the password of affected devices and revoke any secret stored on the router that may have been leaked.

“Edge devices like the Vigor 3910 router live on the boundary between internal and external networks. They are a prime target for cybercriminals and threat actors alike. Remotely breaching edge devices can lead to a full compromise of the businesses’ internal network. This is why it is critical to ensure these devices remain secure and updated and that vendors producing edge devices have processes in place for quick and efficient response following vulnerability disclosure, just as DrayTek did,” added Laulheret. “We applaud the great responsiveness and the release of a patch less than 30 days after we disclosed the vulnerability to their security team. This type of responsiveness and relationship shows true organisation maturity and drive to improve security across the entire industry.”