A critical, pre-authenticated remote code execution (RCE) vulnerability has cropped up in the widely used line of DrayTek Vigor routers for smaller businesses. If it is exploited, researchers warn, it could allow full device takeover, along with access to the broader network.
The bug (tracked as CVE-2022-32548) carries the highest vulnerability-severity rating on the CVSS scale: 10 out of 10. That is no surprise given that not only is it a pre-authentication RCE, but attackers could exploit it to compromise a device without social engineering or user interaction, according to a vulnerability disclosure out today from Trellix.
DrayTek routers are often used by small and midsize businesses (SMBs) to provide VPN access to employees, a growing need given the mass migration of workers to work-from-home arrangements since the pandemic began. They are widely deployed, including in the US, throughout Asia and Europe, and especially in the UK.
The zero-click attack is possible if the device's management interface is configured to be Internet-facing, according to Trellix (a Shodan search showed that about 200,000 routers have interfaces open to the Internet). But even if it is not, a one-click attack is still possible, which would require access to the LAN.
Patch Now: SMBs in the Crosshairs
So far, there are no signs of exploitation, but since the bug is now disclosed, that is likely to change, so administrators should apply their device-specific firmware updates immediately.
DrayTek routers are firmly in the sights of cybercriminals, with the US Cybersecurity and Infrastructure Security Agency (CISA) going so far as to issue a warning to that effect last June. In fact, DrayTek RCE bugs are among the most popular used by Chinese state-sponsored attackers, the agency noted, who are using them to go after SMBs in a trend that has been evident since 2020.
Lumen also published an advisory in June on ZuoRAT exploiting a bug in the Vigor 3900, an end-of-life device with a large installed base among small-office/home-office (SOHO) users.
It might seem counterintuitive for advanced persistent threats (APTs) to be going after small fish, but Trellix points out that in 2020, the US Small Business Administration reported that there are 6 million small businesses with fewer than 500 employees in the country, compared with just 20,000 large businesses.
“While we may forget about this massive attack surface, our adversaries haven't,” the Trellix researchers note. “It is critical to understand you are a target no matter the size or type of business. Data continues to demonstrate that not only is this space a target but often a more likely target. It is essential for SOHO and SMB users to understand their networks, stay up to date on all vendor patches and immediately report breaches to law enforcement.”
Indeed, Barracuda Networks in March published a report that found that small businesses are three times more likely to be targeted by cybercriminals than their larger counterparts.
Dangerous Outcomes: Full System Compromise
In the case of the new bug, an attack can lead to a host of game-changing outcomes for SMBs, according to the researchers; in some cases, company-ending ones.
These include the theft of sensitive data stored on the router, such as keys and administrative passwords that could be used to pivot further into the network to deliver ransomware or other malware. Espionage-minded attackers could also gain access to the internal resources located on the LAN that would normally require VPN access; launch man-in-the-middle (MitM) attacks to spy on DNS requests and other unencrypted traffic flowing from users through the router; and capture packets of the data going through any port of the router. Other types of attacks include adding the device to a botnet for distributed denial-of-service (DDoS) or cryptomining purposes.
Even failed exploitation attempts can be problematic, according to Trellix, resulting in the device rebooting or a DoS condition that could lock users out of company resources on the LAN.
Under the Hood with CVE-2022-32548
The RCE bug specifically affects the Vigor 3910 and 28 other DrayTek models sharing the same codebase (a list is included in the Trellix advisory). The researchers note that it stems from a buffer overflow in the login page for the devices' Web management interface (/cgi-bin/wlogin.cgi).
“An attacker could supply a carefully crafted username and/or password as base64 encoded strings inside the fields aa and ab of the login page,” according to the write-up. “This would cause the buffer overflow to trigger due to a logic bug in the size verification of these encoded strings.”
As shown in a proof-of-concept (PoC) exploit video, attackers can then take over the DrayOS operating system that implements the router functionalities.
“On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network,” the researchers explain. “Devices that are running DrayOS as a bare-metal operating system would be harder to compromise since it requires that an attacker has a better understanding of the DrayOS internals.”
How to Defend Against SMB/SOHO Router Attacks
For businesses using DrayTek routers, protection from attack starts with patching and making sure the firmware is always up to date.
Beyond that, Trellix researchers recommend that admins never expose the management interface to the Internet unless absolutely required; and if it is exposed, they should implement two-factor authentication (2FA) and IP restrictions to minimize risk.
Once the patch is applied, admins should also verify that port mirroring, DNS settings, authorized VPN access, and any other related settings have not been tampered with in the management interface. And they should change the password of the devices and revoke any secret stored on the router that may have been accessed prior to patching.
For those companies that cannot patch right away, Trellix researchers say that monitoring for compromise should be a priority.
“Exploitation attempts can be detected by logging/alerting when a malformed base64 string is sent via a POST request to the /cgi-bin/wlogin.cgi end-point on the router's web administration interface,” they note. “Base64 encoded strings are expected to be found in the aa and ab fields of the POST request. Malformed base64 strings indicative of an attack would have an abnormally high number of %3D padding. Any number over three should be considered suspicious.”
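A detection rule for the indicator Trellix describes, written here as an added example that is not part of the article or of the Trellix advisory: it scans constructed sample request records for POST requests to /cgi-bin/wlogin.cgi whose aa or ab field carries more than three padding characters. The one-line "METHOD PATH BODY" record format is an assumption standing in for whatever access log or proxy captures the POST body.

```python
from urllib.parse import parse_qs, urlsplit

LOGIN_ENDPOINT = "/cgi-bin/wlogin.cgi"
MAX_PADDING = 3  # Trellix guidance: more than three '=' (%3D) characters is suspicious

# Constructed sample records (not real logs). Assumed format: "METHOD PATH BODY",
# i.e. an access log that also captures the URL-encoded POST body.
SAMPLE_LOG = """\
POST /cgi-bin/wlogin.cgi aa=YWRtaW4%3D&ab=cGFzc3dvcmQ%3D
POST /cgi-bin/wlogin.cgi aa=QUFBQUFBQUFBQUFB%3D%3D%3D%3D%3D%3D&ab=Yg%3D%3D
GET /cgi-bin/wlogin.cgi
POST /cgi-bin/other.cgi aa=QQ%3D%3D%3D%3D%3D%3D
"""


def inspect_request(method: str, path: str, body: str):
    """Return {field: padding_count} for aa/ab fields that exceed MAX_PADDING,
    or None if the request is not a login POST or looks benign."""
    if method != "POST" or urlsplit(path).path != LOGIN_ENDPOINT:
        return None
    # parse_qs URL-decodes values, so %3D becomes '=' and a literal '=' sent
    # unencoded is counted the same way. Well-formed base64 never needs more
    # than two '=' of padding, so anything over three is far outside normal.
    fields = parse_qs(body, keep_blank_values=True)
    findings = {}
    for name in ("aa", "ab"):
        for value in fields.get(name, []):
            padding = value.count("=")
            if padding > MAX_PADDING:
                findings[name] = padding
    return findings or None


def scan_log(text: str):
    """Return a list of (line number, findings) for every suspicious login POST."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue  # malformed record; skip rather than crash the scanner
        method, path = parts[0], parts[1]
        body = parts[2] if len(parts) == 3 else ""
        findings = inspect_request(method, path, body)
        if findings:
            alerts.append((lineno, findings))
    return alerts


if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious padding in {findings}")
```

Only the second constructed record trips the rule; the benign login, the GET, and the POST to a different endpoint are ignored, so the alert stays specific to the login endpoint the advisory names.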