Advisory

Critical flaws reported in DrayTek routers, over 700,000 exposed devices online

Take action: If you are running DrayTek routers, this is a very important advisory to review: the routers contain critical flaws and, by their nature, they can be exposed to the internet. Quick patching is a must; in the meantime, configure access control lists that limit external attackers' ability to connect to the routers and permit only trusted IPs.


Learn More

DrayTek, a major router manufacturer, has released patches for 14 security vulnerabilities affecting over 700,000 devices, including critical flaws that could allow remote code execution (RCE) and denial-of-service (DoS) attacks. DrayTek routers are widely used in sectors such as healthcare, manufacturing, and government.

The flaws were discovered by Forescout Research’s Vedere Labs, and they affect both actively supported and end-of-life (EoL) router models.

Due to the severity of the issues, DrayTek has provided updates for both types of devices.

Key Vulnerabilities:

  • CVE-2024-41592 (FSCT-2024-0006) (CVSS score 10) – Buffer Overflow in GetCGI() - This flaw can lead to remote code execution (RCE) or denial of service (DoS) when an attacker sends specially crafted HTTP requests to the router’s web interface.

  • CVE-2024-41585 (FSCT-2024-0007) (CVSS score 9.1) – Command Injection in OS Communication - Vulnerability in the "recvCmd" binary used for communication between the host and guest operating systems. It allows command injection, enabling attackers to execute arbitrary code and potentially escape from virtual machines.

  • CVE-2024-41594 (FSCT-2024-0014) (CVSS score 7.6) – Weak PRNG for TLS Connections - This flaw affects the pseudo-random number generator (PRNG) in the web server backend for OpenSSL TLS connections, making it susceptible to man-in-the-middle (MitM) attacks and information disclosure.

  • CVE-2024-41589 (FSCT-2024-0001) (CVSS score 7.5) – Identical Admin Credentials - Admin credentials are the same across the system, enabling an attacker to gain full control if these credentials are compromised.

  • CVE-2024-41591 (FSCT-2024-0002) (CVSS score 7.5) – Reflected Cross-Site Scripting (XSS) - Improper handling of inputs in the Web UI allows reflected XSS attacks, which can enable the injection of malicious JavaScript code.

As reported by Forescout Research, which discovered these flaws, at least 785,000 DrayTek routers may be affected by the vulnerabilities, with over 704,500 devices having their web interfaces exposed to the internet, significantly increasing the attack surface.

The affected devices are distributed across various regions, including the United States, United Kingdom, Vietnam, Netherlands, and Australia. Of the 24 router models impacted, 11 have reached end-of-life (EoL) but still received fixes for the most critical flaws.

DrayTek has released firmware updates to address these vulnerabilities, and all users are advised to:

  1. Update to the latest firmware version for their device model immediately.
  2. Disable remote access unless absolutely necessary.
  3. If remote access is required, use an access control list (ACL) and two-factor authentication (2FA).
  4. Check device settings for unauthorized changes, such as new admin users or remote access profiles.
  5. Disable SSL VPN connections over port 443, unless necessary.
  6. Enable syslog logging to monitor for suspicious activity.
  7. Ensure that the router's remote access console is disabled to prevent exploits and brute force attacks.
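As an added illustration of the checklist above (example code written for this advisory, not DrayTek's or Forescout's), the following Python audits a router configuration snapshot for the conditions the steps call out: an ACL that permits sources outside trusted ranges, admin users or remote access profiles absent from an approved baseline, remote administration without ACL or 2FA, SSL VPN on port 443, syslog disabled and the remote console enabled. The snapshot layout, field names and trusted ranges are assumptions constructed for the example.

```python
import ipaddress
# Constructed for this example: trusted admin ranges and the snapshot
# layout below are assumptions, not DrayTek's configuration format.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]

def check_acl(acl_entries, trusted=TRUSTED_NETS):
    """Permit entries whose source lies outside every trusted range
    (a permit for 0.0.0.0/0 leaves the web interface open to anyone)."""
    findings = []
    for entry in acl_entries:
        if entry["action"] != "permit":
            continue
        src = ipaddress.ip_network(entry["source"], strict=False)
        if not any(src.version == t.version and src.subnet_of(t) for t in trusted):
            findings.append(f"ACL permits untrusted source {src}")
    return findings

def check_drift(baseline, current):
    """Step 4: admin users or remote access profiles absent from the baseline."""
    findings = []
    for key, label in (("admin_users", "admin user"), ("remote_profiles", "remote access profile")):
        for item in sorted(set(current.get(key, [])) - set(baseline.get(key, []))):
            findings.append(f"new {label} not in baseline: {item}")
    return findings

def check_exposure(cfg):
    """Steps 2, 3, 5, 6, 7: remote access without ACL or 2FA, SSL VPN on 443, syslog off, console on."""
    remote = bool(cfg.get("remote_admin"))
    rules = [
        (remote and not cfg.get("acl"), "remote administration enabled without an ACL"),
        (remote and not cfg.get("two_factor"), "remote administration enabled without 2FA"),
        (cfg.get("ssl_vpn_port") == 443, "SSL VPN listening on port 443"),
        (not cfg.get("syslog"), "syslog not enabled"),
        (bool(cfg.get("remote_console")), "remote access console enabled"),
    ]
    return [msg for hit, msg in rules if hit]

def audit(baseline, current):
    """Run every check on the current snapshot and return all findings."""
    return check_acl(current.get("acl", [])) + check_drift(baseline, current) + check_exposure(current)

# Constructed snapshots: the current config has drifted from the approved baseline.
BASELINE = {"admin_users": ["admin"], "remote_profiles": []}
CURRENT = {
    "admin_users": ["admin", "support2"], "remote_profiles": ["vpn-remote-1"],
    "remote_admin": True, "two_factor": False, "ssl_vpn_port": 443,
    "syslog": False, "remote_console": True,
    "acl": [{"action": "permit", "source": "203.0.113.0/24"}, {"action": "permit", "source": "0.0.0.0/0"}],
}
```

Running `audit(BASELINE, CURRENT)` on the constructed snapshot returns seven findings, one for each deviation from the checklist; a snapshot that follows all seven steps returns an empty list.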