Potentially tens of thousands of DrayTek routers, including models that many businesses and government agencies use, are at heightened risk of attack via 14 newly discovered firmware vulnerabilities.
Several of the flaws enable denial-of-service and remote code execution (RCE) attacks, while others allow threat actors to inject and execute malicious code into webpages and the browsers of users who visit compromised websites.
A Wide Range of Flaws
Two of the new flaws are critical, meaning they need immediate attention: CVE-2024-41592, a maximum-severity RCE bug in the Web UI component of DrayTek routers, and CVE-2024-41585, an OS command execution/VM escape vulnerability with a CVSS severity score of 9.1. Nine of the vulnerabilities are medium-severity threats, and three are relatively low-severity flaws. The vulnerabilities are present in 24 DrayTek router models.
Researchers at Forescout’s Vedere Labs discovered the vulnerabilities during an investigation of DrayTek routers, prompted by what the security vendor described as signs of consistent attack activity targeting the routers and a rash of recent vulnerabilities in the technology.
They found over 704,000 Internet-exposed DrayTek routers — mostly in Europe and Asia — many of which likely contain the newly discovered vulnerabilities.
“Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe,” Forescout researchers warned in a report that summarized the findings from their investigation, which they dubbed Dray:Break. “A successful attack could lead to significant downtime, loss of customer trust, and regulatory penalties, all of which fall squarely on a CISO’s shoulders.”
Patching May Not Be Enough
DrayTek has issued patches for all the vulnerabilities via different firmware updates. However, organizations should not stop with just applying the patches, says Daniel dos Santos, the head of security research at Forescout Vedere Labs. To lower risk from similar vulnerabilities in DrayTek routers in the future, security teams should also proactively implement longer-term mitigation measures, he adds. “Our report shows there’s a long history of critical vulnerabilities affecting those routers, and many have been weaponized by botnets and other malware,” he says. “Taking a proactive security approach ensures that even when new vulnerabilities are found, the risk to an organization will be low.”
Attackers will likely find it relatively easy to find DrayTek routers that contain the new vulnerabilities using search engines such as Shodan or Censys, dos Santos says. But “exploitation is more difficult because we did not provide a detailed working proof-of-concept, only the overall description of the vulnerabilities,” he adds. “If another researcher or an attacker builds and publishes a working exploit, then mass exploitation could happen — like how it has happened for other DrayTek CVEs in the past.”
The mitigations that DrayTek and Forescout have recommended include disabling remote access if not needed, verifying that no unauthorized remote access profiles have been added, enabling system logging, and using only secure protocols such as HTTPS. Forescout also recommends that DrayTek customers ensure proper network visibility, change default configurations, replace end-of-life devices, and segment their networks.
A Popular Attack Target
The advice comes amid signs of growing threat actor activity — including by nation-state actors — targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, Juniper, and Zyxel.
In a September advisory, the FBI, the US National Security Agency, and Cyber National Mission Force warned of Chinese threat actors compromising such routers and Internet of Things devices in widespread botnet operations. “The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial-of-service (DDoS) attacks or compromising targeted US networks,” the advisory warned. Two weeks prior to the advisory, the US Cybersecurity and Infrastructure Security Agency added two DrayTek vulnerabilities from 2021 (CVE-2021-20123Â and CVE-2021-20124) to its known exploited vulnerabilities list citing active exploitation activity. In 2022, a critical RCE in DrayTek’s Vigor brand of routers put numerous small and medium-size businesses at risk of zero-click attacks.
The relatively high number of critical vulnerabilities in DrayTek products in recent years is another concern because many organizations don’t appear to be addressing them quickly enough, Forescout said. The security vendor’s report highlighted 18 vulnerabilities going back to 2020, most of which have near maximum severity scores of 9.8 on the CVSS scale. Yet 38% of more than 704,000 DrayTek devices that Forescout discovered didn’t have patches for disclosed vulnerabilities from two years ago.
“Many organizations don’t have the right level of visibility into unmanaged devices such as routers, so they may be unaware of these issues on their networks,” dos Santos says. “They rely on endpoint telemetry and security agents to provide information about software versions and apply patches. But when it comes to firmware — which doesn’t support agents — they might not know that vulnerabilities exist in their network or may not have manually applied the patches.”