Probably tens of thousands of DrayTek routers, including models that many businesses and government agencies use, are at heightened risk of attack via 14 newly discovered firmware vulnerabilities.
Several of the flaws enable denial-of-service and remote code execution (RCE) attacks, while others allow threat actors to inject and execute malicious code into webpages and the browsers of users who visit compromised websites.
A Wide Range of Flaws
Two of the new flaws are critical, meaning they need immediate attention: CVE-2024-41592, a maximum-severity RCE bug in the Web UI component of DrayTek routers, and CVE-2024-41585, an OS command execution/VM escape vulnerability with a CVSS severity score of 9.1. Nine of the vulnerabilities are medium-severity threats, and three are relatively low-severity flaws. The vulnerabilities are present in 24 DrayTek router models.
Researchers at Forescout's Vedere Labs discovered the vulnerabilities during an investigation of DrayTek routers, prompted by what the security vendor described as signs of constant attack activity targeting the routers and a rash of recent vulnerabilities in the technology.
They found over 704,000 Internet-exposed DrayTek routers, mostly in Europe and Asia, many of which likely contain the newly discovered vulnerabilities.
"Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe," Forescout researchers warned in a report that summarized the findings from their investigation, which they dubbed Dray:Break. "A successful attack could lead to significant downtime, loss of customer trust, and regulatory penalties, all of which fall squarely on a CISO's shoulders."
Patching May Not Be Enough
DrayTek has issued patches for all of the vulnerabilities via different firmware updates. However, organizations shouldn't stop with just applying the patches, says Daniel dos Santos, head of security research at Forescout Vedere Labs. To lower risk from similar vulnerabilities in DrayTek routers in the future, security teams should also proactively implement longer-term mitigation measures, he adds. "Our report shows there is a long history of critical vulnerabilities affecting these routers, and many have been weaponized by botnets and other malware," he says. "Taking a proactive security approach ensures that even if new vulnerabilities are found, the risk to an organization will be low."
Santos says that attackers will likely find it relatively easy to locate DrayTek routers that contain the new vulnerabilities using search engines such as Shodan or Censys. But "exploitation is harder because we did not provide a detailed working proof-of-concept, only the general description of the vulnerabilities," he says. "If another researcher or an attacker builds and publishes a working exploit, then mass exploitation could happen, like how it has happened for other DrayTek CVEs in the past," Santos says.
The mitigations that DrayTek and Forescout have recommended include disabling remote access if it is not needed, verifying that no unauthorized remote access profiles have been added, enabling system logging, and using only secure protocols such as HTTPS. Forescout also recommends that DrayTek customers ensure proper network visibility, change default configurations, replace end-of-life devices, and segment their networks.
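As an added example (not code from Forescout, DrayTek, or the article), the following Python script turns the recommendations above into an automated inventory check: it flags routers with remote access enabled without a recorded need, remote-access profiles outside an approved list, logging disabled, plaintext management protocols, firmware below a patched baseline, and end-of-life models. The model names, firmware baselines, approved profile names and the inventory records are all constructed placeholders, not real DrayTek values; a real deployment would populate them from the vendor's advisories and the organization's CMDB.

```python
"""Audit a router inventory against the hardening advice in the article.

Added example, not Forescout's or DrayTek's code. All model names, firmware
baselines, profile names and inventory records below are constructed
placeholders; replace them with values from the vendor advisory and your own
asset inventory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Placeholder minimum patched firmware per model (hypothetical values).
MIN_PATCHED_FIRMWARE: Dict[str, str] = {
    "Vigor-EXAMPLE-A": "4.4.3.1",
    "Vigor-EXAMPLE-B": "3.9.9.2",
}
# Placeholder list of models the vendor no longer supports.
EOL_MODELS = {"Vigor-EXAMPLE-EOL"}
# Remote-access profiles the operator has actually approved (constructed).
APPROVED_REMOTE_PROFILES = {"netops-vpn"}
# Management protocols that should never be enabled (use HTTPS/SSH instead).
INSECURE_MGMT_PROTOCOLS = {"http", "telnet"}


@dataclass
class Router:
    """One inventory record as a network team might export it from a CMDB."""
    name: str
    model: str
    firmware: str
    remote_access_enabled: bool
    remote_access_required: bool
    remote_profiles: List[str] = field(default_factory=list)
    syslog_enabled: bool = False
    mgmt_protocols: List[str] = field(default_factory=list)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def audit_router(r: Router) -> List[str]:
    """Return a list of findings for one router; an empty list means compliant."""
    findings: List[str] = []
    if r.model in EOL_MODELS:
        findings.append("end-of-life model: replace the device")
    baseline = MIN_PATCHED_FIRMWARE.get(r.model)
    if baseline is None:
        if r.model not in EOL_MODELS:
            findings.append("no patched-firmware baseline recorded for this model")
    elif parse_version(r.firmware) < parse_version(baseline):
        findings.append(f"firmware {r.firmware} is below patched release {baseline}")
    if r.remote_access_enabled and not r.remote_access_required:
        findings.append("remote access enabled without a documented need")
    unexpected = sorted(set(r.remote_profiles) - APPROVED_REMOTE_PROFILES)
    if unexpected:
        findings.append("unapproved remote-access profile(s): " + ", ".join(unexpected))
    if not r.syslog_enabled:
        findings.append("system logging disabled")
    insecure = sorted({p.lower() for p in r.mgmt_protocols} & INSECURE_MGMT_PROTOCOLS)
    if insecure:
        findings.append("insecure management protocol(s) enabled: " + ", ".join(insecure))
    return findings


def audit_inventory(routers: List[Router]) -> Dict[str, List[str]]:
    """Audit every router and map its name to its findings."""
    return {r.name: audit_router(r) for r in routers}


# Constructed sample inventory: one non-compliant device, one compliant device,
# and one end-of-life device that is otherwise well configured.
SAMPLE_INVENTORY = [
    Router("branch-01", "Vigor-EXAMPLE-A", "4.4.2.0", True, False,
           ["netops-vpn", "contractor-tmp"], False, ["https", "http"]),
    Router("hq-edge", "Vigor-EXAMPLE-B", "3.9.9.2", True, True,
           ["netops-vpn"], True, ["https"]),
    Router("warehouse", "Vigor-EXAMPLE-EOL", "2.8.1.0", False, False,
           [], True, ["https"]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

The version comparison is done on integer tuples rather than strings so that a release such as 4.4.10.0 is correctly treated as newer than 4.4.9.9; an unknown model produces its own finding rather than silently passing, which is the gap Santos describes when firmware sits outside agent-based patch visibility.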
A Popular Attack Target
The advice comes amid signs of growing threat actor activity, including by nation-state actors, targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, Juniper, and Zyxel.
In a September advisory, the FBI, the US National Security Agency, and the Cyber National Mission Force warned of Chinese threat actors compromising such routers and Internet of Things devices in widespread botnet operations. "The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial-of-service (DDoS) attacks or compromising targeted US networks," the advisory warned. Two weeks prior to the advisory, the US Cybersecurity and Infrastructure Security Agency added two DrayTek vulnerabilities from 2021 (CVE-2021-20123 and CVE-2021-20124) to its Known Exploited Vulnerabilities catalog, citing active exploitation activity. In 2022, a critical RCE in DrayTek's Vigor line of routers put numerous small and medium-size businesses at risk of zero-click attacks.
The relatively high number of critical vulnerabilities in DrayTek products in recent years is another concern because many organizations do not appear to be addressing them quickly enough, Forescout said. The security vendor's report highlighted 18 vulnerabilities going back to 2020, most of which have near-maximum severity scores of 9.8 on the CVSS scale. Yet 38% of the more than 704,000 DrayTek devices that Forescout found did not have patches for disclosed vulnerabilities from two years ago.
"Many organizations do not have the appropriate level of visibility into unmanaged devices such as routers, so they may be unaware of these issues on their networks," Santos says. "They rely on endpoint telemetry and security agents to provide information about software versions and apply patches. But when it comes to firmware, which does not support agents, they may not know that vulnerabilities exist in their network or may not have manually applied the patches."