The Trellix Threat Labs Vulnerability Research team has released research detailing an unauthenticated remote code execution vulnerability, filed under CVE-2022-32548, affecting multiple routers from DrayTek, a Taiwanese company that manufactures Small Office and Home Office routers.
The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing. A one-click attack can also be performed from within the LAN in the default device configuration. The attack can lead to a full compromise of the device and may lead to a network breach and unauthorized access to internal resources. All the affected models have a patched firmware available for download on the vendor’s website.
The compromise of a network appliance such as the Vigor 3910 can lead to a host of undesirable outcomes including leak of sensitive data stored on the router; access to the internal resources located on the LAN that would normally require VPN-access or be present “on the same network”; man-in-the-middle of the network traffic; spying on DNS requests and other unencrypted traffic directed to the internet from the LAN through the router; packet capture of the data going through any port of the router or Botnet activity. Furthermore, failed exploitation attempts can lead to reboot of the device, denial of service of affected devices and other possible abnormal behavior.
Trellix Threat Labs is not currently aware of any signs of exploitation of this vulnerability in the wild; however, DrayTek devices were recently targeted by various known malicious actors
“With many businesses implementing work from home policies over the last two years, these affordable devices offer an easy way for Small and Medium Sized Businesses (SMBs) to provide VPN access to their employees. For this reason, we decided to look into the security of one of their flagship products, the Vigor 3910. We uncovered over 200k devices which have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited,” said Philippe Laulheret, Senior Security Researcher at Trellix.
“Edge devices, such as the Vigor 3910 router, live on the boundary between internal and external networks. As such they are a prime target for cybercriminals and threat actors alike. Remotely breaching edge devices can lead to a full compromise of the businesses’ internal network. This is why it is critical to ensure these devices remain secure and updated and that vendors producing edge devices have processes in place for quick and efficient response following vulnerability disclosure, just as DrayTek did,” added Laulheret. “We applaud the great responsiveness and the release of a patch less than 30 days after we disclosed the vulnerability to their security team. This type of responsiveness and relationship shows true organization maturity and drive to improve security across the entire industry.”