- The Trellix Threat Labs Vulnerability Research team has disclosed an unauthenticated remote code execution bug affecting a total of 29 DrayTek routers.
- The vulnerability is classified as critical, with a CVSSv3 severity score of 10.0.
- It allows an attacker to exploit the device without user interaction or credentials and take full control of it.
The Trellix Threat Labs Vulnerability Research team has discovered an unauthenticated remote code execution bug affecting multiple DrayTek routers. The flaw affects 29 models in the DrayTek Vigor series of business routers. It enables an attacker to take full control of the device and gain unauthorized access to the network behind it.
Bug leads to full control of the device
DrayTek is a Taiwanese company that manufactures Small Office and Home Office (SOHO) routers widely used in the UK, Vietnam, and Taiwan. Its popularity grew during the pandemic with the shift to work-from-home arrangements. This rise in popularity led Trellix Threat Labs to conduct a security assessment of one of DrayTek's flagship products, the Vigor 3910. The researchers quickly came upon a pre-authentication remote code execution vulnerability that, in addition to the Vigor 3910, affects 28 other models sharing the same codebase.
The discovery, filed under CVE-2022-32548 with a CVSS v3 severity score of 10.0, is classified as critical. An attacker could exploit this bug without needing user interaction or credentials. The research team stated that the attack can be performed from within the LAN in the default device configuration. It is also possible to exploit it over the internet if the device is configured to be internet-facing. Possible outcomes of the attack include leakage of sensitive data, access to internal resources located on the LAN, spying on DNS requests, and hosting of malicious data.
The DrayTek routers and firmware versions affected by CVE-2022-32548 are:
- Vigor3910 < 22.214.171.124
- Vigor1000B < 126.96.36.199
- Vigor2962 Series < 188.8.131.52
- Vigor2927 Series < 4.4.0
- Vigor2927 LTE Series < 4.4.0
- Vigor2915 Series < 184.108.40.206
- Vigor2952 / 2952P < 220.127.116.11
- Vigor3220 Series < 18.104.22.168
- Vigor2926 Series < 22.214.171.124
- Vigor2926 LTE Series < 126.96.36.199
- Vigor2862 Series < 188.8.131.52
- Vigor2862 LTE Series < 184.108.40.206
- Vigor2620 LTE Series < 220.127.116.11
- VigorLTE 200n < 18.104.22.168
- Vigor2133 Series < 22.214.171.124
- Vigor2762 Series < 126.96.36.199
- Vigor167 < 5.1.1
- Vigor130 < 3.8.5
- VigorNIC 132 < 3.8.5
- Vigor165 < 4.2.4
- Vigor166 < 4.2.4
- Vigor2135 Series < 4.4.2
- Vigor2765 Series < 4.4.2
- Vigor2766 Series < 4.4.2
- Vigor2832 < 3.9.6
- Vigor2865 Series < 4.4.0
- Vigor2865 LTE Series < 4.4.0
- Vigor2866 Series < 4.4.0
- Vigor2866 LTE Series < 4.4.0
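A defender's triage helper, added here as an example (it is not Trellix's or DrayTek's code): it compares an inventory of Vigor firmware builds against the fixed versions in the list above and reports the devices that still need the patch. Only the entries whose version numbers are legible on this page are included; the model names used as keys and the sample inventory are assumptions.

```python
# Added example (not Trellix's or DrayTek's code): flag firmware builds older
# than the fixed versions in the CVE-2022-32548 list above. Only entries whose
# version survived legibly on the page are included; the inventory is constructed.
import re

FIXED_VERSIONS = {
    "Vigor2927": "4.4.0", "Vigor2927 LTE": "4.4.0",
    "Vigor167": "5.1.1", "Vigor130": "3.8.5", "VigorNIC 132": "3.8.5",
    "Vigor165": "4.2.4", "Vigor166": "4.2.4",
    "Vigor2135": "4.4.2", "Vigor2765": "4.4.2", "Vigor2766": "4.4.2",
    "Vigor2832": "3.9.6",
    "Vigor2865": "4.4.0", "Vigor2865 LTE": "4.4.0",
    "Vigor2866": "4.4.0", "Vigor2866 LTE": "4.4.0",
}

def parse_version(text):
    """'4.4.0.1' -> (4, 4, 0, 1); any non-numeric suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_vulnerable(model, firmware):
    """True when the model is listed and its firmware is older than the fix.
    Shorter tuples are zero-padded so '4.4.0' equals '4.4.0.0'."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return False  # not in the list (unknown model or a garbled entry we skipped)
    have, need = parse_version(firmware), parse_version(fixed)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need

def triage(inventory):
    """Return the (hostname, model, firmware) records that still need the patch."""
    return [rec for rec in inventory if is_vulnerable(rec[1], rec[2])]

# Constructed sample inventory, as exported from an asset database.
SAMPLE_INVENTORY = [
    ("branch-a", "Vigor2927", "4.3.1.3"),
    ("branch-b", "Vigor2927", "4.4.0"),
    ("lab-modem", "Vigor167", "5.0.3"),
    ("guest-wifi", "Vigor2765", "4.4.2.1"),
]

if __name__ == "__main__":
    for host, model, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {fw} is below {FIXED_VERSIONS[model]}")
```

Models whose fixed version is garbled on this page (the Vigor3910 entry, for instance) are deliberately absent from the table, so they report as not listed rather than as safe.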
During the assessment, the researchers found that over 200k devices running vulnerable firmware are currently exposed on the internet and could be exploited without any user interaction. Many more devices on which the affected service is not exposed externally remain vulnerable to a one-click attack from the LAN. The Taiwanese company reacted to the discovery quickly and released a patch in less than 30 days.