Takeover possible: DrayTek router with critical vulnerability

A vulnerability in DrayTek's routers allows attackers on the network to compromise the devices. No authentication is required.

A critical vulnerability in a range of DrayTek routers allows unauthenticated attackers on the network to execute arbitrary commands on the devices and take control of them. The manufacturer has released updated firmware packages that correct the flaw.

Security researchers at Trellix discovered the vulnerability, which lies in the routers' web login page. An attacker can compromise the router from the LAN or, where the management interface is reachable from the Internet, from the WAN side, and then pivot from the router into the internal network. The same exposure applies where the router's SSL VPN service is reachable.

During their analysis, the researchers found more than 200,000 devices exposing the vulnerable service to the Internet. The login page /cgi-bin/wlogin.cgi is subject to a buffer overflow when an attacker submits carefully crafted Base64-encoded values in the form fields aa and ab. The root cause is a logic error in the router software's length check (CVE-2022-32548, CVSS 10.0, risk "critical").
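To illustrate the bug class described above (a length check applied to the Base64-encoded form value rather than to the decoded bytes that land in a fixed-size buffer), here is an added C example. It is not DrayTek's firmware code and not Trellix's proof of concept: the 32-byte field size, the frame layout with a canary standing in for adjacent memory, the specific wrong comparison (bounding the encoded length at four times the field size), the sample credentials and the constructed attacker string are all assumptions chosen to show the failure mode self-contained and without undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical login frame: two fixed-size credential fields, then a canary
 * standing in for whatever follows them in real memory. */
#define FIELD_MAX 32
enum { USER_OFF = 0, PASS_OFF = FIELD_MAX, CANARY_OFF = 2 * FIELD_MAX, FRAME_SIZE = 2 * FIELD_MAX + 4 };
static const uint8_t CANARY[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

void frame_init(uint8_t *frame) { memset(frame, 0, FRAME_SIZE); memcpy(frame + CANARY_OFF, CANARY, 4); }
bool canary_intact(const uint8_t *frame) { return memcmp(frame + CANARY_OFF, CANARY, 4) == 0; }

static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode Base64 into dst, stopping at '=' padding. Writes at most dst_cap bytes;
 * returns bytes written, or -1 on bad input or if the output would not fit.
 * The caller picks dst_cap, and that choice is where the bug below lives. */
int b64_decode(const char *src, uint8_t *dst, size_t dst_cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (const char *p = src; *p != '\0' && *p != '='; p++) {
        int v = b64_value(*p);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= dst_cap) return -1;
            dst[n++] = (uint8_t)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;
        }
    }
    return (int)n;
}

/* Vulnerable (hypothetical): the check bounds the ENCODED text at 4 * FIELD_MAX,
 * as if four Base64 characters yielded one byte. Decoding only shrinks 4:3, so
 * up to 3 * FIELD_MAX bytes land in a FIELD_MAX-byte field. The decode cap is
 * the rest of the frame ("whatever memory follows"), which simulates the
 * overflow without undefined behaviour. */
int login_decode_vulnerable(const char *aa, const char *ab, uint8_t *frame)
{
    if (strlen(aa) > 4 * FIELD_MAX || strlen(ab) > 4 * FIELD_MAX) return -1;
    if (b64_decode(aa, frame + USER_OFF, FRAME_SIZE - USER_OFF) < 0) return -1;
    if (b64_decode(ab, frame + PASS_OFF, FRAME_SIZE - PASS_OFF) < 0) return -1;
    return 0;
}

/* Fixed: the bound is derived from the DECODED size (FIELD_MAX - 1, leaving room
 * for a NUL), and the decoder itself is capped at the field. */
int login_decode_fixed(const char *aa, const char *ab, uint8_t *frame)
{
    const size_t cap = FIELD_MAX - 1;
    const size_t max_enc = 4 * ((cap + 2) / 3);   /* longest text that can decode to <= cap bytes */
    if (strlen(aa) > max_enc || strlen(ab) > max_enc) return -1;
    int nu = b64_decode(aa, frame + USER_OFF, cap);
    int np = b64_decode(ab, frame + PASS_OFF, cap);
    if (nu < 0 || np < 0) return -1;
    frame[USER_OFF + nu] = '\0';
    frame[PASS_OFF + np] = '\0';
    return 0;
}

/* Constructed attacker value for "aa": 92 Base64 characters decoding to 68 'A'
 * bytes, exactly enough to fill both fields and the canary. */
#define A3  "QUFB"            /* "AAA" */
#define A12 A3 A3 A3 A3
#define A48 A12 A12 A12 A12
static const char OVERFLOW_AA[] = A48 A12 A3 A3 "QUE=";   /* 48 + 12 + 3 + 3 + 2 = 68 bytes */

bool vulnerable_path_keeps_canary(void)
{
    uint8_t frame[FRAME_SIZE];
    frame_init(frame);
    login_decode_vulnerable(OVERFLOW_AA, "eA==", frame);   /* ab = "x" */
    return canary_intact(frame);                            /* false: canary is now 0x41414141 */
}

bool fixed_path_keeps_canary(void)
{
    uint8_t frame[FRAME_SIZE];
    frame_init(frame);
    return login_decode_fixed(OVERFLOW_AA, "eA==", frame) == -1 && canary_intact(frame);
}

bool fixed_path_accepts_valid_login(void)   /* aa = "admin", ab = "s3cret" */
{
    uint8_t frame[FRAME_SIZE];
    frame_init(frame);
    if (login_decode_fixed("YWRtaW4=", "czNjcmV0", frame) != 0) return false;
    return strcmp((const char *)frame + USER_OFF, "admin") == 0 &&
           strcmp((const char *)frame + PASS_OFF, "s3cret") == 0 && canary_intact(frame);
}
```

The point to take from the two decoders is that a check on the length of the encoded field says nothing reliable about how many bytes the decoder will write unless the arithmetic is done in the decoded domain; the robust pattern is to pass the destination capacity into the decoder and let it fail, rather than trusting a pre-check alone.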

The following routers are affected when running firmware older than the version listed:

Vigor3910 < 4.3.1.1
Vigor1000B < 4.3.1.1
Vigor2962 Series < 4.3.1.1
Vigor2927 Series < 4.4.0
Vigor2927 LTE Series < 4.4.0
Vigor2915 Series < 4.3.3.2
Vigor2952/2952P < 3.9.7.2
Vigor3220 Series < 3.9.7.2
Vigor2926 Series < 3.9.8.1
Vigor2926 LTE Series < 3.9.8.1
Vigor2862 Series < 3.9.8.1
Vigor2862 LTE Series < 3.9.8.1
Vigor2620 LTE Series < 3.9.8.1
VigorLTE 200n < 3.9.8.1
Vigor2133 Series < 3.9.6.4
Vigor2762 Series < 3.9.6.4
Vigor167 < 5.1.1
Vigor130 < 3.8.5
VigorNIC 132 < 3.8.5
Vigor165 < 4.2.4
Vigor166 < 4.2.4
Vigor2135 Series < 4.4.2
Vigor2765 Series < 4.4.2
Vigor2766 Series < 4.4.2
Vigor2832 < 3.9.6
Vigor2865 Series < 4.4.0
Vigor2865 LTE Series < 4.4.0
Vigor2866 Series < 4.4.0
Vigor2866 LTE Series < 4.4.0

On its download page, DrayTek provides updated firmware for the affected routers that closes the security gap. Administrators of DrayTek routers should download and install the updates promptly.

Where updating is not yet possible, administrators should block access to the management interface from the Internet and disable the SSL VPN service, as DrayTek advises in its own security advisory.

Since vulnerabilities in DrayTek routers have been exploited by cybercriminals in the past, administrators should act quickly and either install the updated firmware or apply the suggested workarounds.