Unauthenticated remote code execution vulnerability identified

News Desk -


The Trellix Threat Labs Vulnerability Research team has published research on an unauthenticated remote code execution vulnerability, CVE-2022-32548, that affects multiple routers manufactured by DrayTek, a Taiwanese company that manufactures Small Office and Home Office (SOHO) routers.

If the device’s management interface is configured to be internet facing, the attack can be carried out without any user interaction. In the default device configuration, a one-click attack can also be launched from within the LAN. The attack may result in the device being completely compromised, followed by a network breach and unauthorized access to internal resources. Patched firmware for all affected models is available for download from the vendor’s website.

“With many businesses implementing work from home policies over the last two years, these affordable devices offer an easy way for Small and Medium Sized Businesses (SMBs) to provide VPN access to their employees. For this reason, we decided to look into the security of one of their flagship products, the Vigor 3910. We uncovered over 200k devices which have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited,” said Philippe Laulheret, Senior Security Researcher at Trellix. 

A compromised network appliance, such as the Vigor 3910, can result in a variety of undesirable outcomes: leakage of sensitive data stored on the router; access to internal resources on the LAN that would normally require VPN access or presence “on the same network”; man-in-the-middle manipulation of network traffic; spying on DNS requests and other unencrypted traffic directed from the LAN to the internet through the router; and packet capture of data passing through the router. Furthermore, failed exploitation attempts can result in device reboots, denial of service for affected devices, and other abnormal behavior.

For those organizations that use DrayTek routers, Trellix recommends:

  • Make sure the latest firmware is deployed to the device. 
  • In the management interface of the device, verify that port mirroring, DNS settings, authorized VPN access and any other relevant settings have not been tampered with.
  • Do not expose the management interface to the Internet unless absolutely required. If you do, make sure you enable 2FA and IP restriction to minimize the risk of an attack.
  • Change the password of affected devices and revoke any secret stored on the router that may have been leaked.
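The checks in the list above can be automated by comparing a snapshot of the router’s current settings against a baseline taken when the device was known-good. The script below is an added example, not Trellix’s or DrayTek’s code: it assumes the settings have been exported into a simple dictionary, and the field names, firmware strings and sample values are all constructed for illustration.

```python
"""Configuration-drift and hardening check for a SOHO router.

Added example, not code from the advisory or the vendor. It assumes the
router's settings have been exported into a dict; the field names are
assumed and every value below is constructed sample data.
"""

# Constructed baseline captured when the device was known-good.
BASELINE = {
    "firmware": "example-1.0",           # placeholder version string
    "remote_mgmt_from_wan": False,       # management interface not internet-facing
    "mgmt_2fa": True,
    "mgmt_allowed_ips": ["203.0.113.10"],
    "dns_servers": ["192.0.2.53", "192.0.2.54"],
    "port_mirroring": {"enabled": False, "mirror_to": None},
    "vpn_users": ["alice", "bob"],
}

# Constructed snapshot showing the kind of tampering the recommendations warn about.
CURRENT = {
    "firmware": "example-1.0",
    "remote_mgmt_from_wan": True,        # management interface now exposed to the WAN
    "mgmt_2fa": True,
    "mgmt_allowed_ips": ["203.0.113.10"],
    "dns_servers": ["198.51.100.9", "192.0.2.54"],   # first resolver changed
    "port_mirroring": {"enabled": True, "mirror_to": "LAN4"},
    "vpn_users": ["alice", "bob", "svc-unknown"],    # extra VPN account
}

# Assumed placeholder; in practice take this from the vendor's download page.
LATEST_FIRMWARE = "example-1.1"


def check_drift(baseline, current):
    """Return a list of findings describing every setting that differs from the baseline.

    List-valued settings (DNS servers, VPN users, allowed IPs) are reported as
    added/removed entries; everything else is reported as old -> new.
    """
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if isinstance(old, list) and isinstance(new, list):
            added = sorted(set(new) - set(old))
            removed = sorted(set(old) - set(new))
            if added or removed:
                findings.append(f"{key}: added={added} removed={removed}")
        elif old != new:
            findings.append(f"{key}: {old!r} -> {new!r}")
    return findings


def check_hardening(current, latest_firmware):
    """Flag settings that contradict the recommendations, independent of any baseline."""
    issues = []
    if current.get("firmware") != latest_firmware:
        issues.append(
            f"firmware {current.get('firmware')} is not the latest ({latest_firmware})"
        )
    if current.get("remote_mgmt_from_wan"):
        # Internet-facing management is only tolerable with 2FA and an IP allow-list.
        if not current.get("mgmt_2fa"):
            issues.append("management interface is internet-facing without 2FA")
        if not current.get("mgmt_allowed_ips"):
            issues.append("management interface is internet-facing without IP restriction")
    if current.get("port_mirroring", {}).get("enabled"):
        issues.append("port mirroring is enabled")
    return issues


if __name__ == "__main__":
    for line in check_drift(BASELINE, CURRENT):
        print("DRIFT   :", line)
    for line in check_hardening(CURRENT, LATEST_FIRMWARE):
        print("HARDENING:", line)
```

Run against the constructed data, the drift check reports the changed resolver, the enabled port mirroring, the newly internet-facing management interface and the extra VPN user, while the hardening check reports the outdated firmware and the active port mirroring. Any drift finding on a device that should not have changed is a reason to follow the last recommendation and rotate credentials and stored secrets.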

“Edge devices, such as the Vigor 3910 router, live on the boundary between internal and external networks. As such they are a prime target for cybercriminals and threat actors alike. Remotely breaching edge devices can lead to a full compromise of the businesses’ internal network. This is why it is critical to ensure these devices remain secure and updated and that vendors producing edge devices have processes in place for quick and efficient response following vulnerability disclosure, just as DrayTek did,” added Laulheret. “We applaud the great responsiveness and the release of a patch less than 30 days after we disclosed the vulnerability to their security team. This type of responsiveness and relationship shows true organization maturity and drive to improve security across the entire industry.”
