A series of new security vulnerabilities affecting DrayTek routers has been discovered, putting over 700,000 devices at risk of exploitation. Researchers found that these flaws could allow threat actors to take control of the routers and use them as a gateway into enterprise networks. Patches have been released to address the vulnerabilities, but exposed devices that have not been updated remain open to attack.
The Vulnerabilities and Their Potential Impact
Fourteen security vulnerabilities have been uncovered in DrayTek routers, a mix of residential and commercial networking devices. Forescout Vedere Labs, the team behind the discovery, emphasized the severity of the issues. The vulnerabilities enable a variety of attacks, including denial of service (DoS), remote code execution (RCE) and OS command injection. Two of the vulnerabilities carry the highest level of severity, with a Common Vulnerability Scoring System (CVSS) score of 10, while nine are rated high and three medium. Among the most prominent flaws is a buffer overflow in the “GetCGI()” function of the router’s web user interface, which can lead to DoS or RCE. Another is an OS command injection in the “recvCmd” binary, which is used for communication between the host and guest operating systems. These two vulnerabilities have been given CVSS scores of 10 and 9.1, respectively, indicating their high risk. The remaining vulnerabilities include several further buffer overflows and cross-site scripting (XSS) flaws in the routers’ web interfaces. Another issue is the reuse of the same admin credentials across the system, which makes full system compromise possible if those credentials are discovered.
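To make the two headline bug classes concrete, here is an added illustration in C. It is not DrayTek’s code and not taken from the Forescout report; the function and parameter names (get_cgi_value_unsafe, get_cgi_value, iface_name_is_safe, the VALUE_MAX buffer size and the sample query strings) are hypothetical. It shows a fixed-size-buffer CGI parameter copy of the kind behind a GetCGI()-style overflow next to a bounds-checked form, and an allowlist check for an argument that a host/guest helper would otherwise hand to a shell.

```c
/* Added example, not DrayTek code: a GetCGI()-style parameter copy with no
 * bound (the overflow pattern) beside a hardened parser, plus an allowlist
 * check for a string destined for a shell command. All names hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUE_MAX 64   /* size of the fixed stack buffer the web UI would use */

/* The vulnerable pattern: the value is copied into whatever buffer the caller
 * supplies with no length check. A query string whose value is longer than
 * the buffer overwrites adjacent stack memory (DoS at best, RCE at worst).
 * Shown for contrast only; never call it with untrusted input. */
int get_cgi_value_unsafe(const char *query, const char *key, char *out)
{
    const char *p = strstr(query, key);
    if (!p || p[strlen(key)] != '=')
        return -1;
    p += strlen(key) + 1;
    size_t n = strcspn(p, "&");
    memcpy(out, p, n);            /* no bound: overflow when n >= buffer size */
    out[n] = '\0';
    return (int)n;
}

/* Hardened form: the caller passes the buffer size, an oversized value is
 * refused (not silently truncated), and the key is matched only at a
 * parameter boundary so "xname=" cannot satisfy a lookup for "name". */
int get_cgi_value(const char *query, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            p += klen + 1;
            size_t n = strcspn(p, "&");
            if (n >= outlen)
                return -1;        /* would not fit, including the NUL: refuse */
            memcpy(out, p, n);
            out[n] = '\0';
            return (int)n;
        }
        p = strchr(p, '&');       /* advance to the next parameter */
        if (p)
            p++;
    }
    return -1;                    /* key absent */
}

/* Helper for checks: parse into a VALUE_MAX buffer and compare the result. */
int cgi_value_equals(const char *query, const char *key, const char *expected)
{
    char buf[VALUE_MAX];
    if (get_cgi_value(query, key, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Helper for checks: a value of `len` bytes (constructed inline) must be
 * refused once it cannot fit in VALUE_MAX, instead of overflowing. */
int oversized_value_is_rejected(size_t len)
{
    char buf[VALUE_MAX];
    char *q = malloc(len + 3);    /* "v=" + len bytes + NUL */
    if (!q)
        return -1;
    q[0] = 'v';
    q[1] = '=';
    memset(q + 2, 'A', len);
    q[len + 2] = '\0';
    int rc = get_cgi_value(q, "v", buf, sizeof buf);
    free(q);
    return rc == -1;
}

/* Command-injection mitigation: an interface name that a host/guest helper
 * would pass to the shell is allowlisted by length and character set first.
 * "eth0; ..." fails because ';' and ' ' are outside the allowlist. Using
 * exec*() with an argv array instead of system() is the stronger fix. */
int iface_name_is_safe(const char *iface)
{
    size_t len = strlen(iface);
    if (len == 0 || len > 15)     /* IFNAMSIZ - 1 on Linux */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)iface[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

int main(void)
{
    char buf[VALUE_MAX];
    int n = get_cgi_value("a=1&name=vigor&b=2", "name", buf, sizeof buf);
    printf("name -> %d bytes: %s\n", n, n >= 0 ? buf : "(rejected)");
    printf("oversized value rejected: %d\n", oversized_value_is_rejected(200));
    printf("iface \"eth0\" safe: %d, \"eth0; id\" safe: %d\n",
           iface_name_is_safe("eth0"), iface_name_is_safe("eth0; id"));
    return 0;
}
```

The point of the contrast is that the hardened parser fails closed: a request carrying a value that does not fit is rejected and the caller can log it, whereas the unbounded copy hands an attacker control over the stack. The same fail-closed rule applies to the shell argument check.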
Threat and Exposure
Forescout’s analysis revealed that approximately 704,000 DrayTek routers are exposed to the internet, making them prime targets for cyberattacks. The exposed routers are spread across multiple countries, with the majority located in the U.S., followed by Vietnam, the Netherlands, Taiwan and Australia. Given their use in both residential and commercial settings, these vulnerabilities pose a significant risk to data security and network integrity. DrayTek routers have also been exploited in previous incidents: a botnet that exploited older DrayTek vulnerabilities was recently taken down by the FBI, underscoring the growing interest of threat actors in this kind of networking equipment.
Patching and Mitigation
Following responsible disclosure by the researchers, DrayTek has released patches for all 14 identified vulnerabilities, including fixes for 11 end-of-life (EoL) models. Forescout advises all DrayTek router users to apply these patches immediately. If remote access is not necessary, it should be disabled on the router. Implementing an access control list (ACL) and enabling two-factor authentication (2FA) further reduce the risk of unauthorized access. Regular firmware updates are essential for maintaining security, but as the report titled “DRAY:BREAK – Breaking Into DrayTek Routers Before Threat Actors Do It Again” explains, many devices remain unpatched and at risk because they run outdated firmware. Segmenting OT and IT networks is also advised, to prevent malware spreading between systems.
Industry Repercussions
The exposure of DrayTek routers highlights the broader problem of router security and the need to address vulnerabilities before threat actors exploit them. The vulnerabilities in DrayTek devices could be used in attacks including data exfiltration, ransomware and denial-of-service (DoS). As approximately 75% of these devices are used in commercial settings, the consequences of a successful attack could be severe, leading to data breaches, operational downtime and potential regulatory penalties.
The discovery of these weaknesses in over 700,000 DrayTek routers leaves the organizations and individuals using them needing to apply the patches provided by DrayTek quickly and to follow security best practices to protect their networks and data from cyber threats.