Potentially tens of thousands of DrayTek routers, including models that many businesses and government agencies use, are at heightened risk of attack via 14 newly discovered firmware vulnerabilities.
Several of the flaws enable denial-of-service and remote code execution (RCE) attacks, while others allow threat actors to inject and execute malicious code into webpages and the browsers of users who visit compromised websites.
A Wide Range of Flaws
Two of the new flaws are critical, meaning they need immediate attention: CVE-2024-41592, a maximum-severity RCE bug in the Web UI component of DrayTek routers, and CVE-2024-41585, an OS command execution/VM escape vulnerability with a CVSS severity score of 9.1. Nine of the vulnerabilities are medium-severity threats, and three are relatively low-severity flaws. The vulnerabilities are present in 24 DrayTek router models.
Researchers at Forescout’s Vedere Labs discovered the vulnerabilities during an investigation of DrayTek routers, prompted by what the security vendor described as signs of continued attack activity targeting the routers and a rash of recent vulnerabilities in the technology.
They found over 704,000 Internet-exposed DrayTek routers — mostly in Europe and Asia — many of which likely contain the newly discovered vulnerabilities.
“Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe,” Forescout researchers warned in a report that summarized the findings from their investigation, which they dubbed Dray:Break. “A successful attack could lead to significant downtime, loss of customer trust, and regulatory penalties, all of which fall squarely on a CISO’s shoulders.”
Patching May Not Be Enough
DrayTek has issued patches for all of the vulnerabilities via different firmware updates. However, organizations shouldn’t stop at just applying the patches, says Daniel dos Santos, head of security research at Forescout Vedere Labs. To lower the risk from similar vulnerabilities in DrayTek routers in the future, security teams should also proactively implement longer-term mitigation measures, he adds. “Our report shows there is a long history of critical vulnerabilities affecting these routers, and many have been weaponized by botnets and other malware,” he says. “Taking a proactive security approach ensures that even when new vulnerabilities are found, the risk to an organization will be low.”
Attackers will likely find it relatively easy to locate DrayTek routers that contain the new vulnerabilities using search engines such as Shodan or Censys, dos Santos says. But “exploitation is harder because we didn’t provide a detailed working proof-of-concept, only the general description of the vulnerabilities,” he adds. “If another researcher or an attacker builds and publishes a working exploit, then mass exploitation could happen — like how it has happened for other DrayTek CVEs in the past.”
The mitigations that DrayTek and Forescout have recommended include disabling remote access if it is not needed, verifying that no unauthorized remote access profiles have been added, enabling system logging, and using only secure protocols such as HTTPS. Forescout also recommends that DrayTek customers ensure proper network visibility, change default configurations, replace end-of-life devices, and segment their networks.
A Popular Attack Target
The advice comes amid signs of rising threat actor activity — including by nation-state actors — targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, Juniper, and Zyxel.
In a September advisory, the FBI, the US National Security Agency, and the Cyber National Mission Force warned of Chinese threat actors compromising such routers and Internet of Things devices in widespread botnet operations. “The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial-of-service (DDoS) attacks or compromising targeted US networks,” the advisory warned. Two weeks prior to the advisory, the US Cybersecurity and Infrastructure Security Agency added two DrayTek vulnerabilities from 2021 (CVE-2021-20123 and CVE-2021-20124) to its Known Exploited Vulnerabilities list, citing active exploitation activity. In 2022, a critical RCE in DrayTek’s Vigor line of routers put numerous small and medium-size businesses at risk of zero-click attacks.
The relatively high number of critical vulnerabilities in DrayTek products in recent years is another concern because many organizations don’t appear to be addressing them quickly enough, Forescout said. The security vendor’s report highlighted 18 vulnerabilities going back to 2020, most of which have near-maximum severity scores of 9.8 on the CVSS scale. Yet 38% of the more than 704,000 DrayTek devices that Forescout discovered did not have patches for disclosed vulnerabilities from two years ago.
“Many organizations don’t have the appropriate level of visibility into unmanaged devices such as routers, so they may be unaware of these issues on their networks,” dos Santos says. “They rely on endpoint telemetry and security agents to provide information about software versions and apply patches. But when it comes to firmware — which doesn’t support agents — they might not know that vulnerabilities exist in their network or may not have manually applied the patches.”