A critical, pre-authenticated remote code execution (RCE) vulnerability has cropped up in the widely used line of DrayTek Vigor routers for smaller businesses. If it’s exploited, researchers warn that it could allow complete device takeover, along with access to the broader network.
The bug (tracked as CVE-2022-32548) carries the highest vulnerability-severity score on the CVSS scale: 10 out of 10. This is no surprise given that not only is it a pre-authentication RCE, but attackers could exploit it to compromise a device without social engineering or user interaction, according to a vulnerability disclosure out today from Trellix.
DrayTek routers are often used by small and midsize (SMBs) to provide VPN access to employees — an increasing need given the mass migration of workers to work-from-home situations since the pandemic started. They’re widely deployed, including in the US, throughout Asia and Europe, and especially in the UK.
The zero-click attack is possible if the device’s management interface is configured to be Internet-facing, according to Trellix (a Shodan search showed that about 200,000 routers have interfaces open to the Internet). But even if it’s not, a one-click attack is also possible, which would require access to the LAN.
Patch Now: SMBs in the Crosshairs
So far, there are no signs of exploitation, but since the bug is now disclosed, that’s likely to change, so administrators should apply their device-specific firmware updates immediately.
DrayTek routers are firmly in the sights of cybercriminals, with the US Cybersecurity and Infrastructure Security Agency (CISA) going so far as to issue a warning to that effect last June. In fact, DrayTek RCE bugs are among the most popular used by Chinese state-sponsored attackers, the agency noted, who are using them to go after SMBs in a trend that’s been evident since 2020.
Lumen also published an advisory in June on ZuoRAT exploiting a bug in the Vigor 3900, an end-of-life device with a large installed base among small-office/home-office (SOHO) users.
It may seem counter-intuitive for advanced persistent threats (APTs) to be going after small fish, but Trellix points out that in 2020, the US Small Business Administration reported that there are 6 million small businesses with fewer than 500 employees in the country, compared with just 20,000 large businesses.
“While we may forget about this massive attack surface, our adversaries have not,” the Trellix researchers note. “It is imperative to understand you are a target no matter the size or type of business. Data continues to demonstrate that not only is this space a target but often a more likely target. It is critical for SOHO and SMB users to understand their networks, stay update to date on all vendor patches and immediately report breeches to law enforcement.”
Indeed, Barracuda Networks in March published a report that found that small businesses are three times more likely to be targeted by cybercriminals than their larger counterparts.
Risky Outcomes: Full Device Compromise
In the case of the new bug, an attack can lead to a host of game-changing outcomes for SMBs, according to the researchers — in some cases, company-ending outcomes.
These include the theft of sensitive data stored on the router, such as keys and administrative passwords that could be used to pivot further into the network to deliver ransomware or other malware. Espionage-minded attackers could also gain access to the internal resources located on the LAN that would normally require VPN access; launch man-in-the-middle (MitM) attacks to spy on DNS requests and other unencrypted traffic flowing from users through the router; and achieving packet capture of the data going through any port of the router. Other kinds of attacks include adding the device to a botnet for distributed denial-of-service (DDoS) or cryptomining purposes.
Even failed exploitation attempts can be problematic, according to Trellix, resulting in the device rebooting or a DoS condition that would lock out users from accessing company resources on the LAN.
Under the Hood with CVE-2022-32548
The RCE bug specifically affects the Vigor 3910 and 28 other DrayTek models sharing the same codebase (a list is included in the Trellix advisory). The researchers note that it stems from a buffer overflow in the login page for the devices’ Web management interface (/cgi-bin/wlogin.cgi).
“An attacker may supply a carefully crafted username and/or password as base64 encoded strings inside the fields aa and ab of the login page,” according to the write-up. “This would cause the buffer overflow to trigger due to a logic bug in the size verification of these encoded strings.”
As shown in a proof-of-concept (PoC) exploit video, attackers can then take over of the DrayOS operating system that implements the router functionalities.
“On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network,” the researchers explain. “Devices that are running the DrayOS as a bare-metal operating system will be harder to compromise as it requires that an attacker has better understanding of the DrayOS internals.”
How to Protect Against SMB/SOHO Router Attacks
For businesses using DrayTek routers, protection from attack starts with patching and making sure the firmware is always up to date.
Beyond that, Trellix researchers recommend that admins should never expose the management interface to the Internet unless absolutely required; and if it is, they should implement two-factor authentication (2FA) and IP restrictions to minimize risk.
Once the patch is applied admins should also verify that port mirroring, DNS settings, authorized VPN access, and any other relevant settings have not been tampered with in the management interface. And they should change the password of the devices and revoke any secret stored on the router that may have been accessed prior to patching.
For those companies that can’t patch right away, Trellix researchers say that monitoring for compromise should be a priority.
“Exploitation attempts can be detected by logging/alerting when a malformed base64 string is sent via a POST request to the /cgi-bin/wlogin.cgi end-point on the web management interface router,” they note. “Base64 encoded strings are expected to be found in the aa and ab fields of the POST request. Malformed base64 strings indicative of an attack would have an abnormally high number of %3D padding. Any number over three should be considered suspicious.”
