Hundreds of thousands of DrayTek Vigor routers are at risk due to a new RCE vulnerability discovered by Trellix researchers. The bug affects almost 30 models of the manufacturer’s routers, which are used by small and medium-sized businesses.
The vulnerability received the identifier CVE-2022-32548 and the maximum CVSS severity rating, 10 out of 10. The problem was initially found in the Vigor 3910 router, but it soon became clear that it affects other models sharing the same codebase.
The researchers decided to look for bugs in DrayTek products because of their popularity: after the widespread transition to remote work, they are widely used by small and medium-sized businesses, and searching through Shodan reveals more than 700,000 devices, most of which are located in the UK, Vietnam, the Netherlands and Australia.
An attacker does not need to know any credentials or interact with a user to exploit this vulnerability: in the device's default configuration it can be attacked both over the Internet and over the local network. The root of the problem is a buffer overflow on the login page of the web management interface.
Hackers exploiting this vulnerability are potentially able to:
- take full control of the device;
- access information;
- set the stage for stealthy man-in-the-middle attacks;
- change DNS settings;
- use the router as a DDoS bot and for mining operations;
- pivot to other devices connected to the compromised network.
At the same time, the attack is extremely simple and requires no serious preparation or effort: submitting a specially crafted pair of credentials (in the form of base64-encoded strings) in the login fields is enough to trigger the vulnerability.
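As an added defender-side illustration (this is not code from the article or from Trellix), the following Python inspects a captured login POST body, base64-decodes the credential fields and flags values whose decoded length or content is implausible for a real username or password, which is the kind of anomaly a login-page overflow attempt would show. The form field names, the length threshold and the sample request bodies are assumptions constructed for the example.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Heuristic thresholds (assumptions, not values from the advisory): a genuine
# username or password decoded from base64 is short and free of control bytes.
MAX_DECODED_LEN = 64
LOGIN_FIELDS = ("aa", "ab")  # hypothetical form field names for username/password


def decode_field(value: str):
    """Strictly base64-decode one login field; return (ok, decoded_bytes)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False, b""
    return True, raw


def inspect_login_body(body: str) -> dict:
    """Return findings for one application/x-www-form-urlencoded login body."""
    params = parse_qs(body, keep_blank_values=True)
    findings = {"suspicious": False, "reasons": []}
    for field in LOGIN_FIELDS:
        for value in params.get(field, []):
            ok, raw = decode_field(value)
            if not ok:
                findings["reasons"].append(f"{field}: not valid base64")
                continue
            if len(raw) > MAX_DECODED_LEN:
                findings["reasons"].append(
                    f"{field}: decoded length {len(raw)} > {MAX_DECODED_LEN}")
            if any(b < 0x20 or b == 0x7F for b in raw):
                findings["reasons"].append(f"{field}: control bytes in decoded value")
    findings["suspicious"] = bool(findings["reasons"])
    return findings


# Constructed sample bodies: an ordinary login and one carrying an oversized field.
NORMAL = urlencode({"aa": base64.b64encode(b"admin").decode(),
                    "ab": base64.b64encode(b"S3cret!").decode()})
OVERSIZED = urlencode({"aa": base64.b64encode(b"A" * 300).decode(),
                       "ab": base64.b64encode(b"x").decode()})

if __name__ == "__main__":
    for name, body in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(name, inspect_login_body(body))
```

The same check can be run over reverse-proxy or IDS captures of traffic to the router's management port, where an alert is also a prompt to verify the firmware is at a patched version.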
The researchers say that at least 200,000 of the routers they discovered expose the vulnerable service to the Internet, which means they can be attacked without user interaction or any other special conditions. Many of the remaining 500,000 routers are believed to be just as easy to compromise, but only from the local network, so the attack surface there is much smaller.
Trellix experts write that the following models are vulnerable to CVE-2022-32548:
- Vigor3910
- Vigor1000B
- Vigor2962 Series
- Vigor2927 Series
- Vigor2927 LTE Series
- Vigor2915 Series
- Vigor2952/2952P
- Vigor3220 Series
- Vigor2926 Series
- Vigor2926 LTE Series
- Vigor2862 Series
- Vigor2862 LTE Series
- Vigor2620 LTE Series
- VigorLTE 200n
- Vigor2133 Series
- Vigor2762 Series
- Vigor167
- Vigor130
- VigorNIC 132
- Vigor165
- Vigor166
- Vigor2135 Series
- Vigor2765 Series
- Vigor2766 Series
- Vigor2832
- Vigor2865 Series
- Vigor2865 LTE Series
- Vigor2866 Series
- Vigor2866 LTE Series
Fortunately, DrayTek developers have already released updates for all the routers listed above, so all users are strongly advised to update the firmware of their devices as soon as possible.