
Unauthenticated RCE can allow hacking DrayTek Vigor routers without user interaction

A critical flaw in multiple models of DrayTek Vigor routers can allow unauthenticated, remote attackers to fully compromise affected devices.

Tens of router models from Taiwanese SOHO manufacturer DrayTek are affected by a critical, unauthenticated, remote code execution vulnerability, tracked as CVE-2022-32548, that can be exploited to fully compromise a vulnerable device and gain unauthorized access to the broader network.

Researchers from Trellix discovered the vulnerability. The attack can be performed without user interaction if the management interface of the device has been exposed online; for this reason, it has been rated with a CVSS score of 10.0.

“The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing. A one-click attack can also be performed from within the LAN in the default device configuration.” reads the advisory published by Trellix. “The attack can lead to a full compromise of the device and may lead to a network breach and unauthorized access to internal resources. All the affected models have a patched firmware available for download on the vendor’s website.”

The researchers discovered a buffer overflow on the login page at /cgi-bin/wlogin.cgi of the web management interface. An attacker can trigger the flaw by supplying a carefully crafted username and/or password as base64-encoded strings inside the fields aa and ab of the login page. The root cause of the problem is the lack of size verification of these encoded strings.
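As an added example (not code from the article or from Trellix), the check below flags wlogin.cgi login POSTs whose base64 aa/ab fields decode to an implausibly long or malformed value, the condition the advisory describes as unchecked on the device. The one-request-per-line log format and the 64-byte threshold are assumptions; the real buffer size is not stated in the article.

```python
import base64
from urllib.parse import parse_qs

# From the advisory: the login form posts the credentials base64-encoded in the
# fields "aa" and "ab" to /cgi-bin/wlogin.cgi, and their size is never checked.
LOGIN_PATH = "/cgi-bin/wlogin.cgi"
LOGIN_FIELDS = ("aa", "ab")
# Assumed threshold (the real buffer size is not given in the article): real
# credentials are short, so decoded values longer than this are flagged.
MAX_DECODED_LEN = 64

def decoded_length(value):
    """Decoded byte length of a base64 string, or None if it is not valid base64."""
    try:
        return len(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def inspect_login_body(body):
    """Map each suspicious aa/ab field of a wlogin.cgi POST body to a reason."""
    findings = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        if field not in LOGIN_FIELDS:
            continue
        for value in values:
            length = decoded_length(value)
            if length is None:
                findings[field] = "not-base64"
            elif length > MAX_DECODED_LEN:
                findings[field] = "oversized:%d" % length
    return findings

def scan_log(lines):
    """Return [(client_ip, findings)] for login POSTs that trip a check.
    Constructed log format, one request per line: "<ip> <method> <path> <body>"."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST" or parts[2] != LOGIN_PATH:
            continue
        findings = inspect_login_body(parts[3])
        if findings:
            hits.append((parts[0], findings))
    return hits

# Constructed sample traffic: a normal login ("admin"/"pass") and a login whose
# base64 username decodes to 300 bytes of "A".
SAMPLE_LOG = [
    "198.51.100.7 POST /cgi-bin/wlogin.cgi aa=YWRtaW4=&ab=cGFzcw==",
    "203.0.113.9 POST /cgi-bin/wlogin.cgi aa=" + "QUFB" * 100 + "&ab=cGFzcw==",
]
```

Running `scan_log(SAMPLE_LOG)` reports only the second client with the oversized aa field; a firewall or reverse proxy in front of the management interface can apply the same length rule before the request reaches the router.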

“By default, this attack is reachable on the LAN and may be reachable via the internet (WAN) as well if the user has enabled remote web management on their device. The consequence of this attack is a takeover of the so called “DrayOS” that implements the router functionalities.” continues the analysis. “On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network. Devices that are running the DrayOS as a bare-metal operating system will be harder to compromise as it requires that an attacker has better understanding of the DrayOS internals.”

Experts discovered that over 200,000 vulnerable devices are currently exposed on the internet and can be exploited without user interaction.

The vendor has already released a patch to address the vulnerability in DrayTek devices. Trellix applauds the manufacturer for its great responsiveness and the release of a patch less than 30 days after the issue was disclosed to its security team.

The researchers pointed out that the compromise of a network appliance such as the Vigor 3910 can lead to the following outcomes:

  • Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)
  • Access to the internal resources located on the LAN that would normally require VPN-access or be present “on the same network”
  • Man in the middle of the network traffic
  • Spying on DNS requests and other unencrypted traffic directed to the internet from the LAN through the router
  • Packet capture of the data going through any port of the router
  • Botnet activity (DDoS, hosting malicious data, etc.)

Failed exploitation attempts can lead to:

  • Reboot of the device
  • Denial of Service of affected devices
  • Other possible abnormal behavior


Pierluigi Paganini

(SecurityAffairs – hacking, DrayTek Vigor)
