14 holes in DrayTek routers: 700,000 networks at risk of being hacked

Man

An invisible army of hackers is already knocking on your digital bastion.

Experts from Forescout have discovered 14 vulnerabilities in DrayTek routers at once, which can allow attackers to gain full control of the devices and use them as an entry point into the networks of large enterprises and private households. Of the identified problems, two were rated critical, nine high and three medium severity.

The greatest threat is a buffer overflow (CVE-2024-41592) in the "GetCGI()" function of the router's web interface, which can lead to denial of service (DoS) or remote code execution (RCE). The second critical vulnerability (CVE-2024-41585) is an OS command injection in the "recvCmd" binary, which is used for communication between the host and the guest operating system.
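The buffer-overflow class that dominates this list comes from copying an attacker-supplied CGI parameter into a fixed-size field with a length taken from the source rather than the destination (the strncpy() misuse described for CVE-2024-41588 below). The following C program is an added illustration of that pattern and its hardened form; it is not DrayTek firmware code or Forescout's proof of concept. The query string, the parameter name "name", the 32-byte field size and the 64-byte "arena" that stands in for the memory following the field are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 32   /* fixed-size field a CGI handler copies one parameter into */
#define ARENA_LEN 64   /* the field plus the 32 bytes that follow it in memory   */

/* Find the value of `key` in a raw query string such as "a=1&name=xyz".
 * Returns a pointer into `qs` and stores the value length in *len, or NULL
 * if the key is absent. Helper written for this example; no URL decoding. */
static const char *query_value(const char *qs, const char *key, size_t *len) {
    size_t klen = strlen(key);
    const char *p = qs;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *len = seglen - klen - 1;
            return p + klen + 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* The bug class described for CVE-2024-41588: the length handed to strncpy()
 * is derived from the attacker-controlled value, so FIELD_LEN never bounds the
 * write. `arena` stands in for the field and whatever sits after it (on a real
 * stack frame: neighbouring locals, saved registers, the return address).
 * The demo keeps its writes inside the 64-byte arena so the program itself is
 * well-defined; a value longer than ARENA_LEN-1 would corrupt beyond it. */
static void copy_param_vulnerable(char *arena, const char *qs, const char *key) {
    size_t vlen;
    const char *v = query_value(qs, key, &vlen);
    if (!v) return;
    strncpy(arena, v, vlen);   /* bound = strlen(value), not sizeof(field) */
    arena[vlen] = '\0';        /* and the terminator lands one byte further */
}

/* Hardened form: bound by the destination, refuse values that do not fit
 * (silent truncation would hide the attack), and always NUL-terminate. */
static int copy_param_hardened(char *field, size_t field_len,
                               const char *qs, const char *key) {
    size_t vlen;
    const char *v = query_value(qs, key, &vlen);
    if (!v) return -1;                 /* parameter absent */
    if (vlen >= field_len) return -2;  /* would not fit together with the NUL */
    memcpy(field, v, vlen);
    field[vlen] = '\0';
    return 0;
}

/* How many bytes beyond the field did the vulnerable copy clobber? */
size_t demo_spill(const char *qs, const char *key) {
    char arena[ARENA_LEN];
    memset(arena, 0, sizeof arena);
    copy_param_vulnerable(arena, qs, key);
    size_t spilled = 0;
    for (size_t i = FIELD_LEN; i < ARENA_LEN; i++)
        if (arena[i] != 0) spilled++;
    return spilled;
}

static char g_field[FIELD_LEN];   /* destination used by demo_hardened() */

/* Status of the hardened copy; the copied value is read via demo_hardened_value(). */
int demo_hardened(const char *qs, const char *key) {
    memset(g_field, 0, sizeof g_field);
    return copy_param_hardened(g_field, sizeof g_field, qs, key);
}
const char *demo_hardened_value(void) { return g_field; }

int main(void) {
    /* Constructed request: a 40-byte value aimed at a 32-byte field. */
    char qs[128] = "page=status&name=";
    memset(qs + strlen(qs), 'A', 40);
    printf("vulnerable copy spilled %zu bytes past the field\n", demo_spill(qs, "name"));
    printf("hardened copy returned %d\n", demo_hardened(qs, "name"));
    return 0;
}
```

With the 40-byte value the vulnerable copy writes eight bytes past the end of the field (plus the terminator one byte further); the hardened copy returns -2 and touches nothing. Rejecting oversize input rather than truncating it is deliberate: a truncated value still reaches the application and tells the attacker nothing went wrong.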

Below is the full list of vulnerabilities found:
  1. CVE-2024-41589 (CVSS: 7.5). The same administrator credentials are reused across the system, including the guest and host OS. Obtaining them leads to a complete compromise of the device.
  2. CVE-2024-41591 (CVSS: 7.5). The frontend contains a "doc/hslogp1_link.htm" page that accepts HTML via the "content" parameter in the query string and renders it without sanitisation, a reflected cross-site scripting (XSS) vulnerability.
  3. CVE-2024-41587 (CVSS: 4.9). The web interface allows a custom welcome message to be set for each user. Insufficient input validation allows arbitrary JavaScript to be injected, a stored XSS vulnerability.
  4. CVE-2024-41583 (CVSS: 4.9). The web interface allows the router name displayed on its pages to be customised. Due to insufficient validation of the input, arbitrary JavaScript can be injected (stored XSS).
  5. CVE-2024-41584 (CVSS: 4.9). The login page "wlogin.cgi" of the frontend accepts the "sFormAuthStr" parameter for CSRF protection. Its value is reflected in the page without sanitisation, allowing limited JavaScript injection (reflected XSS).
  6. CVE-2024-41592 (CVSS: 10). The "GetCGI()" function of the frontend, which handles HTTP request data, has a buffer overflow when processing query string parameters.
  7. CVE-2024-41585 (CVSS: 9.1). The "recvCmd" binary, which is used to communicate between the host and guest OS, is susceptible to OS command injection.
  8. CVE-2024-41588 (CVSS: 7.2). The web interface CGI pages "/cgi-bin/v2x00.cgi" and "/cgi-bin/cgiwcg.cgi" are vulnerable to buffer overflows because the length of query string parameters is not checked before they are passed to "strncpy()".
  9. CVE-2024-41590 (CVSS: 7.2). Buffer overflows in several CGI pages of the frontend due to insufficient validation of the data passed to "strcpy()". Exploitation requires valid credentials.
  10. CVE-2024-41586 (CVSS: 7.2). The "/cgi-bin/ipfedr.cgi" page of the frontend is vulnerable to a stack overflow when processing a long query string.
  11. CVE-2024-41596 (CVSS: 7.2). Several buffer overflows in the frontend caused by missing checks when handling CGI form parameters.
  12. CVE-2024-41593 (CVSS: 7.2). The "ft_payloads_dns()" function of the frontend contains a heap buffer overflow because the length argument passed to "_memcpy()" is computed incorrectly, allowing out-of-bounds writes and memory corruption.
  13. CVE-2024-41595 (CVSS: 7.2). Several CGI frontend pages lack bounds checking on reads and writes associated with various interface settings, which can cause a denial of service.
  14. CVE-2024-41594 (CVSS: 7.6). The web server backend for the frontend uses a static string to seed OpenSSL's random number generator for TLS. This can lead to information leaks and man-in-the-middle (MitM) attacks.
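Four of the fourteen entries (items 2 to 5) are the same mistake: a value the user controls (a query parameter, the router name, a welcome message) is written into the HTML page exactly as stored. The C program below is an added example of that vulnerable rendering next to the hardened form, which entity-encodes the value at the output boundary; it is not DrayTek's web server code, and the template, the "greeting" label and the test payload are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: a stored setting (router name, welcome message) is pasted
 * into the page verbatim, so any markup inside the value is parsed as markup.
 * `label` is trusted (set by the code); `value` is user-controlled. Caller frees. */
char *render_unescaped(const char *label, const char *value) {
    const char *fmt = "<div class=\"%s\">%s</div>";
    size_t n = strlen(fmt) + strlen(label) + strlen(value) + 1;
    char *out = malloc(n);
    if (out) snprintf(out, n, fmt, label, value);
    return out;
}

/* Entity-encode the five characters that can switch parsing context inside an
 * HTML text node or a quoted attribute value. Caller frees the result. */
char *html_escape(const char *s) {
    static const struct { char c; const char *rep; } tab[] = {
        {'&', "&amp;"}, {'<', "&lt;"}, {'>', "&gt;"}, {'"', "&quot;"}, {'\'', "&#39;"},
    };
    const size_t ntab = sizeof tab / sizeof tab[0];
    size_t n = 1;                                   /* first pass: output size */
    for (const char *p = s; *p; p++) {
        size_t add = 1;
        for (size_t i = 0; i < ntab; i++)
            if (*p == tab[i].c) { add = strlen(tab[i].rep); break; }
        n += add;
    }
    char *out = malloc(n);
    if (!out) return NULL;
    char *o = out;                                  /* second pass: encode */
    for (const char *p = s; *p; p++) {
        const char *rep = NULL;
        for (size_t i = 0; i < ntab; i++)
            if (*p == tab[i].c) { rep = tab[i].rep; break; }
        if (rep) { size_t l = strlen(rep); memcpy(o, rep, l); o += l; }
        else *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Hardened pattern: escape when rendering, not when storing, so the setting
 * keeps its literal value and every place that displays it is protected. */
char *render_escaped(const char *label, const char *value) {
    char *esc = html_escape(value);
    if (!esc) return NULL;
    char *out = render_unescaped(label, esc);
    free(esc);
    return out;
}

/* Number of raw '<' characters in a fragment. The template contributes exactly
 * two; anything more means the user value opened a tag of its own. */
int count_raw_tags(const char *html) {
    int n = 0;
    for (; *html; html++) if (*html == '<') n++;
    return n;
}

int main(void) {
    /* Constructed stored XSS payload in place of a welcome message. */
    const char *payload = "<script>alert(document.cookie)</script>";
    char *bad = render_unescaped("greeting", payload);
    char *good = render_escaped("greeting", payload);
    printf("unescaped (%d raw tags): %s\n", count_raw_tags(bad), bad);
    printf("escaped   (%d raw tags): %s\n", count_raw_tags(good), good);
    free(bad);
    free(good);
    return 0;
}
```

Note the check is on the rendered output, not on the stored value: a filter applied at input time is what the router name and welcome message items describe as "insufficient validation", and it leaves every other rendering site unprotected.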

Forescout's analysis found that about 704,000 DrayTek routers have their web interface exposed to the Internet, making them an easy target. Most of these devices are located in the United States, Vietnam, the Netherlands, Taiwan and Australia.

Following responsible disclosure, DrayTek has released patches for all identified vulnerabilities, including for end-of-life devices. Experts strongly recommend updating the firmware and disabling remote access to the router's web panel whenever it is not needed.
