Vulnerabilities in DrayTek routers

Last week Forescout published a detailed report about the discovery of 14 vulnerabilities in routers from the Taiwanese company DrayTek, which are typically used in corporate environments. One of the vulnerabilities has the maximum rating of 10 on the CVSS v3 scale and can lead to arbitrary code execution.

In total, 24 router models from this manufacturer are affected, 11 of which are no longer officially supported. Nevertheless, firmware updates that fix the vulnerabilities have been released for all affected devices and are available on the manufacturer's website. For the end-of-life routers, only the single most dangerous vulnerability was patched.

The vulnerability with the ten-point rating has the identifier CVE-2024-41592 and concerns the GetCGI() function of the web interface. It is a buffer overflow that occurs when processing data received from the client. Exploiting vulnerabilities of this kind is impossible, or at least difficult, if the router's web interface is reachable only from the local network. The Forescout report provides a telling statistic: the web interfaces of more than 700 thousand DrayTek devices are still accessible from the Internet.
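To make the bug class concrete, here is an added illustration (written for this post, not DrayTek's GetCGI() and not Forescout's code; nothing in it describes the actual CVE-2024-41592 defect). It parses a hypothetical query string such as "user=admin&lang=en" into a fixed-size buffer the way a small embedded CGI handler might, once without a length check and once with the destination size passed in so that an over-long client value is rejected instead of overrunning the buffer. The query strings and buffer size are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration only: this is NOT DrayTek's GetCGI() and nothing
 * here describes the actual CVE-2024-41592 bug. It shows the generic bug
 * class (copying a client-supplied CGI parameter into a fixed-size buffer
 * without a length check) next to a bounded version. */

#define VALUE_MAX 32   /* constructed fixed-size destination buffer */

/* Locate the value of `key` inside a query string such as
 * "user=admin&lang=en". Returns a pointer to the first byte of the value and
 * stores its length in *vlen, or NULL when the key is absent. Exact key
 * match only: "username=x" must not match key "user". */
static const char *find_cgi_value(const char *query, const char *key, size_t *vlen)
{
    size_t klen = strlen(key);
    const char *p = query;

    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);

        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *vlen = plen - klen - 1;
            return p + klen + 1;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Vulnerable pattern: the value length comes from the client, the buffer
 * size does not, and nothing compares the two. A value longer than
 * VALUE_MAX - 1 bytes writes past the end of out[]. Kept here only to show
 * what the bounded variant fixes; never call it with untrusted input. */
int get_cgi_unsafe(const char *query, const char *key, char out[VALUE_MAX])
{
    size_t vlen;
    const char *v = find_cgi_value(query, key, &vlen);
    if (v == NULL)
        return 0;
    memcpy(out, v, vlen);      /* BUG: no check that vlen < VALUE_MAX */
    out[vlen] = '\0';
    return 1;
}

/* Bounded version: the caller passes the real buffer size, and an oversized
 * value is rejected (-1) rather than silently truncated, so the handler can
 * refuse and log the request. Returns 1 on success, 0 if the key is absent. */
int get_cgi_bounded(const char *query, const char *key, char *out, size_t out_size)
{
    size_t vlen;
    const char *v = find_cgi_value(query, key, &vlen);
    if (v == NULL)
        return 0;
    if (vlen >= out_size)      /* leave room for the terminating NUL */
        return -1;
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return 1;
}

/* Build a constructed over-long request (a 40-byte "lang" value, larger than
 * VALUE_MAX) and return what the bounded parser does with it. */
int demo_rejects_long_value(void)
{
    char query[64] = "user=admin&lang=";
    char out[VALUE_MAX];
    size_t prefix = strlen(query);

    memset(query + prefix, 'A', 40);
    query[prefix + 40] = '\0';
    return get_cgi_bounded(query, "lang", out, sizeof out);
}

int main(void)
{
    char out[VALUE_MAX];
    int rc = get_cgi_bounded("user=admin&lang=en", "lang", out, sizeof out);
    printf("short value: rc=%d value=%s\n", rc, out);
    printf("over-long value: rc=%d (rejected)\n", demo_rejects_long_value());
    return 0;
}
```

The design point is that the bounded variant refuses rather than truncates: a truncated value can still produce a valid-looking request that was never what the client sent, whereas a refusal is easy to log and count, which is exactly the kind of signal a defender wants from an interface that, as the statistics above show, is very often exposed to the Internet.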

The researchers analyzed in detail the firmware versions of these publicly reachable devices and found wide variety: 686 unique firmware versions in total. The most common firmware (installed on 8.5% of devices) is quite ancient, released in 2018. The latest firmware available at the time of the study was installed on only 3% of devices. This revealing statistic also takes into account the manufacturer's support status: almost half (43%) of the routers accessible from the Internet, and therefore actively used, have end-of-life status.

Besides CVE-2024-41592, six more problems were discovered in the web interface code. All of them have a CVSS rating of 7.2 and can lead to denial of service in the "best" case; in the worst case they can also be used to execute arbitrary code and take control of the router. The less dangerous vulnerabilities are of the XSS type.

Of the 24 affected routers, two thirds are aimed at small and medium businesses. The list also contains one model for large organizations, in which vulnerabilities were found in the virtualization subsystem. Affected models include the DrayTek Vigor1000B, Vigor2962, Vigor3912 and others. The 3912 is a prime example of how dangerous a device compromise can be: this "router" is more accurately described as a server, with a 10-gigabit network connection, a powerful processor and an optional built-in SSD. A compromised device of this kind could potentially be used not only to monitor network traffic and push an attack further into the local network, but also to act as a command-and-control server for other cyber attacks.

The Forescout report also summarizes previously discovered vulnerabilities in DrayTek routers, which makes it possible to estimate both how often problems are found and how many there are in total. From 2020 to 2023, 18 vulnerabilities were found in the company's devices that could potentially lead to a takeover of the device; 14 of them have a rating close to the maximum, 9.8 out of 10, which indicates the simplest exploitation scenario.

What else happened

Kaspersky Lab has published another report on the most widespread trackers on the web, based on statistics collected from July 2023 to June 2024. "Trackers" covers a range of technologies for tracking user activity, from invisible pixels to cookies. The most widely represented services tracking user activity include Google, Amazon, Criteo and YouTube trackers. A relative newcomer to the ranking is New Relic. In the CIS countries, Yandex Metrica and Mail.ru are also among the leaders.

Cloudflare reported that it mitigated a record DDoS attack peaking at 3.8 terabits per second.

In the latest update of the iOS and iPadOS mobile operating systems, version 18.0.1, Apple fixed an unpleasant bug in which the voice assistant that reads the contents of the screen could also read user passwords aloud.

An extremely unpleasant bug was introduced by a firmware update for a number of newer Samsung smartphones, including the Galaxy S10, Note 10 and A90 models. After installing the update, some devices went into a reboot loop. The problem could be solved only by resetting the phone to factory settings via the recovery menu, and there was no way to retrieve the data before the hard reset.
