Critical security vulnerabilities in Draytek devices allow system takeover
Researchers found new vulnerabilities in the operating system of Vigor routers, affecting two dozen types, some of which are outdated. Patches are available.
Many models in the Vigor series have security gaps that could allow attackers to take over the devices completely, warns the service provider Forescout. The company's experts analyzed the firmware of the devices and discovered some critical errors.
In their report, the researchers are harsh on Vigor. The high defect density in a few areas of the firmware is striking – especially in CGI scripts (Common Gateway Interface), which can often even be accessed from the Internet via the router's web interface. The DrayOS operating system either runs directly on the router or is emulated using QEMU – for example, on Draytek routers of the 391x series.
The researchers analyzed the DrayOS kernel and first noticed the absence of standard security measures such as stack canaries, ASLR (Address Space Layout Randomization) and PIE (Position Independent Executable). In addition, the DrayOS kernels do not use the NX bit, which would prevent the execution of code placed on the stack or heap. This made exploiting the vulnerabilities trivial for the analysts.
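As an added example (not code from Forescout's report or from Draytek), the following checksec-style Python script reads an ELF image's headers and reports which of the mitigations named above (PIE, NX stack, stack canary) are missing. It assumes the firmware component under review is an ELF binary; the sample input it checks is constructed in the script itself.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551  # program header that records the requested stack permissions
PF_X, PF_W, PF_R = 1, 2, 4

def check_elf_hardening(data: bytes) -> dict:
    """PIE = e_type ET_DYN (a hint; shared objects match too); NX = a PT_GNU_STACK
    entry without PF_X (no entry at all means an executable stack by default);
    canary = the __stack_chk_fail symbol name is present (a heuristic)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    if data[4] == 2:  # ELF64 header layout
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        ph_fmt, flags_idx = endian + "IIQQQQQQ", 1  # p_flags directly follows p_type
    else:  # ELF32 header layout
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        ph_fmt, flags_idx = endian + "IIIIIIII", 6  # p_flags is the seventh field
    nx = False
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            nx = not (fields[flags_idx] & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx,
            "canary": b"__stack_chk_fail" in data}

def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations the image lacks, e.g. ['pie', 'nx', 'canary']."""
    return [name for name, present in check_elf_hardening(data).items() if not present]

def build_sample_elf(pie: bool, nx: bool, canary: bool) -> bytes:
    """Constructed test input: a little-endian ELF64 header plus one PT_GNU_STACK
    program header (not a loadable program, just enough for the checks above)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9  # 64-bit, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    flags = PF_R | PF_W | (0 if nx else PF_X)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr + (b"__stack_chk_fail\x00" if canary else b"")

if __name__ == "__main__":
    # An image lacking all three mitigations, as the article describes for DrayOS
    print(missing_mitigations(build_sample_elf(pie=False, nx=False, canary=False)))
    print(missing_mitigations(build_sample_elf(pie=True, nx=True, canary=True)))
```

Real-world firmware often ships as a raw image or a custom container, so the ELF components have to be carved out first; the checks also only report hints, since a stripped binary can hide the canary symbol and a shared object is ET_DYN without being a PIE.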
Vigor-less bug collection
Among the vulnerabilities found, CVE-2024-41592 and CVE-2024-41585 stand out. The former, a buffer overflow, enables denial of service (DoS) and code injection and can be exploited remotely, earning it the highest possible CVSS rating of 10. It shares the critical risk rating with the second, somewhat less dangerous (CVSS 9.1) vulnerability, which not only enables the execution of arbitrary commands but also a breakout from the QEMU VM in which DrayOS runs.
Also on the list are:
- a full system takeover (CVE-2024-41589, CVSS 7.5, high),
- various cross-site scripting vulnerabilities of high and medium severity (CVE-2024-41591, CVE-2024-41587, CVE-2024-41583, CVE-2024-41584),
- half a dozen DoS vulnerabilities, some of which also allow code injection (CVE-2024-41588, CVE-2024-41590, CVE-2024-41586, CVE-2024-41596, CVE-2024-41593, CVE-2024-41595, each rated high risk), and
- a man-in-the-middle attack due to incorrectly chosen OpenSSL parameters, which can lead to the disclosure of protected information (CVE-2024-41594, high risk).
Draytek has fixed all of the vulnerabilities with new firmware versions. According to the Forescout analysis, 24 router types are susceptible; a detailed list and the version numbers of the repaired firmware can be found in the report. Almost half of the affected devices have reached end of life (EoL) and are no longer manufactured, but are apparently still in use. And that in corporate environments: three quarters of the affected device types are intended for use in small or medium-sized companies, according to Forescout.
Security vulnerabilities in home routers are among the most popular entry points for attackers. They equip the devices with backdoors in order to use them as a springboard for attacks, as free cryptomining rigs or as spam relays. A botnet allegedly operated by Chinese government agencies, which also included Draytek routers, was recently shut down by US authorities. However, the attackers had taken control of the Vigor devices misused there with an exploit for older security vulnerabilities.
(cku)