Potentially tens of thousands of DrayTek routers, including models that many businesses and government agencies use, are at heightened risk of attack via 14 newly discovered firmware vulnerabilities.
Several of the flaws enable denial-of-service and remote code execution (RCE) attacks, while others allow threat actors to inject and execute malicious code into webpages and the browsers of users who visit compromised websites.
A Wide Range of Flaws
Two of the new flaws are critical, meaning they need immediate attention: CVE-2024-41592, a maximum-severity RCE bug in the Web UI component of DrayTek routers, and CVE-2024-41585, an OS command execution/VM escape vulnerability with a CVSS severity score of 9.1. Nine of the vulnerabilities are medium-severity threats, and three are relatively low-severity flaws. The vulnerabilities are present in 24 DrayTek router models.
Researchers at Forescout’s Vedere Labs discovered the vulnerabilities during an investigation of DrayTek routers, prompted by what the security vendor described as signs of constant attack activity targeting the routers and a rash of recent vulnerabilities in the technology.
They found over 704,000 Internet-exposed DrayTek routers, mostly in Europe and Asia, many of which likely contain the newly discovered vulnerabilities.
“Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe,” Forescout researchers warned in a report that summarized the findings from their investigation, which they dubbed Dray:Break. “A successful attack could lead to significant downtime, loss of customer trust, and regulatory penalties, all of which fall squarely on a CISO’s shoulders.”
Patching May Not Be Enough
DrayTek has issued patches for all the vulnerabilities via different firmware updates. However, organizations shouldn’t stop with just applying the patches, says Daniel dos Santos, the head of security research at Forescout Vedere Labs. To lower risk from similar vulnerabilities in DrayTek routers in the future, security teams should also proactively implement longer-term mitigation measures, he adds. “Our report shows there is a long history of critical vulnerabilities affecting these routers, and many have been weaponized by botnets and other malware,” he says. “Taking a proactive security approach ensures that even if new vulnerabilities are found, the risk to an organization will be low.”
Attackers will likely find it relatively easy to find DrayTek routers that contain the new vulnerabilities using search engines such as Shodan or Censys, dos Santos says. But “exploitation is harder because we didn’t provide a detailed working proof-of-concept, only the general description of the vulnerabilities,” he adds. “If another researcher or an attacker builds and publishes a working exploit, then mass exploitation could happen, like how it has happened for other DrayTek CVEs in the past.”
The mitigations that DrayTek and Forescout have recommended include disabling remote access if not needed, verifying that no unauthorized remote access profiles have been added, enabling system logging, and using only secure protocols such as HTTPS. Forescout also recommends that DrayTek customers ensure proper network visibility, change default configurations, replace end-of-life devices, and segment their networks.
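The mitigations above translate naturally into a configuration audit that a defender can run over exported router settings. The following is an added example, not code from DrayTek, Forescout or this article: the record schema, field names, approved remote-access profile list, end-of-life model names and the per-model minimum firmware versions are all constructed placeholders, and a real audit would populate them from the router’s exported configuration and the vendor’s advisory. It goes slightly beyond the list above by also flagging firmware below a patched baseline, which is the gap the later paragraphs describe.

```python
"""Audit router configurations against the DrayTek/Forescout mitigations.

Added example (not vendor code). All reference data below is a placeholder:
approved profiles, end-of-life models, patched firmware baselines and the
configuration schema are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed reference data (placeholders, not DrayTek data).
APPROVED_REMOTE_PROFILES = {"noc-vpn"}                     # profiles we created on purpose
EOL_MODELS = {"ModelLegacy-1"}                             # hypothetical end-of-life models
MIN_FIRMWARE = {"ModelA": (4, 4, 3), "ModelB": (3, 9, 8)}  # placeholder patched baselines
DEFAULT_ADMIN_USERS = {"admin"}                            # factory-default account names
SECURE_MGMT_PROTOCOLS = {"https", "ssh"}                   # "secure protocols such as HTTPS"


@dataclass
class RouterConfig:
    """Minimal view of one router's exported settings (constructed schema)."""
    hostname: str
    model: str
    firmware: str                       # dotted version string, e.g. "4.4.2"
    remote_access_enabled: bool
    remote_profiles: List[str] = field(default_factory=list)
    syslog_enabled: bool = False
    mgmt_protocols: List[str] = field(default_factory=list)  # e.g. ["http", "https"]
    admin_user: str = "admin"
    mgmt_vlan_isolated: bool = False    # management plane on its own segment?


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "4.10.0" into (4, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def audit_router(cfg: RouterConfig) -> List[str]:
    """Return one finding per mitigation the device fails; an empty list means compliant."""
    findings: List[str] = []

    # Remote access should be off unless there is a documented need.
    if cfg.remote_access_enabled:
        findings.append("remote access enabled; disable unless required")
        # Any remote-access profile we did not create may have been added by an intruder.
        for name in sorted(set(cfg.remote_profiles) - APPROVED_REMOTE_PROFILES):
            findings.append(f"unapproved remote access profile: {name}")

    # Without system logging there is nothing for detection to work with.
    if not cfg.syslog_enabled:
        findings.append("system logging disabled")

    # Management must use secure protocols only (no HTTP, no Telnet).
    insecure = sorted(p for p in cfg.mgmt_protocols if p.lower() not in SECURE_MGMT_PROTOCOLS)
    if insecure:
        findings.append("insecure management protocol(s): " + ", ".join(insecure))

    # Default configuration changed? Here we check the factory admin account name.
    if cfg.admin_user in DEFAULT_ADMIN_USERS:
        findings.append("default admin account name still in use")

    # End-of-life hardware receives no further patches; it should be replaced.
    if cfg.model in EOL_MODELS:
        findings.append(f"model {cfg.model} is end-of-life")

    # Firmware below the patched baseline for that model (baseline values are placeholders).
    baseline = MIN_FIRMWARE.get(cfg.model)
    if baseline is not None and parse_version(cfg.firmware) < baseline:
        want = ".".join(map(str, baseline))
        findings.append(f"firmware {cfg.firmware} below patched baseline {want}")

    # Segmentation: the management interface should sit on an isolated segment.
    if not cfg.mgmt_vlan_isolated:
        findings.append("management interface not segmented")

    return findings


def audit_fleet(devices: List[RouterConfig]) -> Dict[str, List[str]]:
    """Audit every device; only non-compliant hosts appear in the result."""
    report: Dict[str, List[str]] = {}
    for dev in devices:
        findings = audit_router(dev)
        if findings:
            report[dev.hostname] = findings
    return report


# Constructed sample inventory: one compliant device, one with several gaps, one end-of-life.
SAMPLE_FLEET = [
    RouterConfig("branch-01", "ModelA", "4.4.3", False, [], True, ["https"], "netops", True),
    RouterConfig("branch-02", "ModelA", "4.4.2", True, ["noc-vpn", "tmp-access"],
                 False, ["http", "https"], "admin", False),
    RouterConfig("warehouse", "ModelLegacy-1", "1.0.0", False, [], True, ["https"], "netops", True),
]

if __name__ == "__main__":
    for host, issues in audit_fleet(SAMPLE_FLEET).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

Running the block prints the findings for the two non-compliant hosts. The unapproved-profile check is the one most worth keeping even after patching: a profile nobody on the team created is evidence worth investigating, not just a misconfiguration.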
A Common Attack Target
The advice comes amid signs of growing threat actor activity, including by nation-state actors, targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, Juniper, and Zyxel.
In a September advisory, the FBI, the US National Security Agency, and Cyber National Mission Force warned of Chinese threat actors compromising such routers and Internet of Things devices in widespread botnet operations. “The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial-of-service (DDoS) attacks or compromising targeted US networks,” the advisory warned. Two weeks prior to the advisory, the US Cybersecurity and Infrastructure Security Agency added two DrayTek vulnerabilities from 2021 (CVE-2021-20123 and CVE-2021-20124) to its known exploited vulnerabilities list, citing active exploitation activity. In 2022, a critical RCE in DrayTek’s Vigor line of routers put numerous small and medium-size businesses at risk of zero-click attacks.
The relatively high number of critical vulnerabilities in DrayTek products in recent years is another concern because many organizations don’t appear to be addressing them quickly enough, Forescout said. The security vendor’s report highlighted 18 vulnerabilities going back to 2020, most of which have near-maximum severity scores of 9.8 on the CVSS scale. Yet 38% of the more than 704,000 DrayTek devices that Forescout discovered did not have patches for disclosed vulnerabilities from two years ago.
“Many organizations don’t have the right level of visibility into unmanaged devices such as routers, so they may be unaware of these issues on their networks,” dos Santos says. “They rely on endpoint telemetry and security agents to provide information about software versions and apply patches. But when it comes to firmware, which doesn’t support agents, they might not know that vulnerabilities exist in their network or may not have manually applied the patches.”