Hundreds of thousands of users of multiple DrayTek small and home office (SOHO) routers need to patch their devices immediately following the disclosure of an unauthenticated remote code execution (RCE) vulnerability in the DrayTek Vigor 3910 and 28 other models that share the same codebase.
The vulnerability, which has been assigned CVE-2022-32548, was discovered by the Trellix (formerly McAfee and FireEye) Threat Labs Vulnerability Research team. If the device is left unpatched, the resulting attack chain can be performed without any user interaction if the device’s management interface is exposed to the internet. An attacker could also perform a one-click attack from within the local area network (LAN) in the default device configuration.
Ultimately, the attack chain leads to full compromise of the device and unauthorised access to internal resources, leading to any number of outcomes, up to and including data theft and ransomware deployment.
According to data drawn from Shodan, there may be more than 700,000 vulnerable devices in the wild, and over 250,000 of them are located in the UK. Trellix estimates that of the total number, 200,000 are vulnerable to the first described attack, and many more to the second.
Although disclosed vulnerabilities in IT hardware pitched firmly at the SOHO segment might not seem as immediately dangerous as something like Log4Shell or ProxyLogon, they can be just as impactful, particularly given the prevalence of remote working, which has left many organisations, including large enterprises, more reliant on consumer IT than their security teams would like. Not surprisingly, malicious actors are wise to this.
Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory detailing state-sponsored exploitation of SOHO routers by advanced persistent threat (APT) actors linked to the Chinese government – and among the vulnerabilities on CISA’s list was an earlier-disclosed bug in DrayTek kit.
Douglas McKee, principal engineer and head of vulnerability research at Trellix, said: “Why does yet another vulnerability in a SOHO router matter?
“Because in 2019, 360Netlab Threat Detection System observed two different attack groups using two zero-day vulnerabilities targeting various DrayTek Vigor enterprise routers; because in March 2022, Barracuda reported small businesses are three times more likely to be targeted by cyber criminals than larger companies; because just last month, the ZuoRAT malware was observed infecting numerous SOHO router manufacturers, including Asus, Cisco, DrayTek and Netgear.
“In short, it matters because major threat actors like China are dictating it matters. Edge devices themselves, such as routers and firewalls, are rather uninteresting; however, these devices are the gateway that protects the soft underbellies of companies.”
McKee added: “Once compromised, it is the open doorway into the rest of a network that is enticing for the adversary to perform the same level of research that our team performs. A compromised edge device can lead to intellectual property theft, sensitive customer or employee data loss, access to camera feeds, the opportunity to simplify the deployment of ransomware and, in some cases, a foothold into a network for years to come.”
Besides downloading and applying the patch, DrayTek users may wish to access their device’s management interface to verify that port mirroring, DNS settings, authorised VPN access and other relevant settings have not been fiddled with.
Users should also make sure the device’s management interface is not exposed to the internet unless absolutely necessary – in which case they should enable multifactor authentication and IP restriction, and change passwords on any affected devices.
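The two checks above amount to comparing the router's current settings against a known-good baseline and flagging any exposure the article warns against. The script below is an added illustration of that drift check; it is not code from Trellix, DrayTek or the article. The settings dictionaries are a constructed, hypothetical representation of the fields named above (DNS servers, port mirroring, VPN accounts, management exposure), not DrayTek's real export format, and all addresses are documentation ranges.

```python
"""Baseline drift check for SOHO router settings after a suspected compromise.

Added illustration, not code from Trellix or DrayTek. The settings
dictionaries are a constructed, hypothetical representation of the fields
the article says to verify; a real device's configuration export differs.
"""
import hashlib
import json

# Settings the administrator recorded before the incident (constructed sample).
KNOWN_GOOD = {
    "dns_servers": ["192.0.2.53", "192.0.2.54"],
    "port_mirroring": {"enabled": False, "mirror_port": None},
    "vpn_users": ["alice", "bob"],
    "mgmt_wan_access": False,
    "mgmt_allowed_ips": ["192.0.2.10"],
}

# Settings read from the device now (constructed sample that shows tampering).
CURRENT = {
    "dns_servers": ["198.51.100.9", "192.0.2.54"],
    "port_mirroring": {"enabled": True, "mirror_port": 4},
    "vpn_users": ["alice", "bob", "svc_backup"],
    "mgmt_wan_access": True,
    "mgmt_allowed_ips": ["192.0.2.10"],
}


def fingerprint(settings: dict) -> str:
    """Stable SHA-256 over the canonical JSON form, for a quick baseline match."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_settings(baseline: dict, current: dict) -> dict:
    """Return {key: (old, new)} for every top-level setting that changed.

    Lists are compared as sets so that reordering alone is not reported;
    any other value is compared for exact equality.
    """
    changes = {}
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if isinstance(old, list) and isinstance(new, list):
            if set(old) != set(new):
                changes[key] = (old, new)
        elif old != new:
            changes[key] = (old, new)
    return changes


def exposure_findings(current: dict) -> list:
    """Flag conditions the article advises against, regardless of the baseline."""
    findings = []
    if current.get("mgmt_wan_access"):
        findings.append("management interface reachable from WAN")
        if not current.get("mgmt_allowed_ips"):
            findings.append("WAN management has no source-IP restriction")
    if current.get("port_mirroring", {}).get("enabled"):
        findings.append("port mirroring enabled")
    return findings


if __name__ == "__main__":
    print("baseline :", fingerprint(KNOWN_GOOD))
    print("current  :", fingerprint(CURRENT))
    for key, (old, new) in diff_settings(KNOWN_GOOD, CURRENT).items():
        print(f"CHANGED {key}: {old!r} -> {new!r}")
    for finding in exposure_findings(CURRENT):
        print("WARN", finding)
```

Run once to record the fingerprint of a freshly patched device, then rerun after applying the update or whenever compromise is suspected; a fingerprint mismatch tells you something changed, and the per-key diff tells you what, so a rogue DNS server, an unexpected VPN account or newly enabled port mirroring stands out immediately.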
Trellix acknowledged DrayTek’s prompt and effective response to its disclosure, saying: “We applaud DrayTek for their great responsiveness and the release of a patch less than 30 days after we disclosed the vulnerability to their security team. This type of responsiveness and relationship shows true organisation maturity and drive to improve security across the entire industry.”
A full list of the vulnerable router models, as well as further technical details of the attack chain, is available from Trellix.