Network hardware supplier has fixed an unauthenticated RCE vulnerability in multiple routers in its Vigor line, after being alerted by Trellix researchers
Alex Scroxton, Security Editor
Published: 03 Aug 2022 05:00
Thousands of users of DrayTek small office/home office (SOHO) routers need to patch their devices immediately following the disclosure of an unauthenticated remote code execution (RCE) vulnerability in the DrayTek Vigor 3910 and 28 other models that share the same codebase.
The vulnerability, which has been assigned CVE-2022-32548, was discovered by the Trellix (formerly McAfee Enterprise and FireEye) Threat Labs Vulnerability Research team. Left unpatched, the resulting attack chain can be carried out without user interaction if the device's management interface is exposed to the internet. An attacker could also carry out a one-click attack from within the local area network (LAN) against a device in its default configuration.
Ultimately, the attack chain results in full compromise of the device and unauthorised access to internal resources, leading to a range of outcomes up to and including data theft and ransomware deployment.
According to data drawn from Shodan, there may be more than 700,000 vulnerable devices exposed on the internet, of which over 250,000 are located in the UK. Trellix estimates that, of that total, 200,000 are susceptible to the first attack described above, and more to the second.
Although disclosed vulnerabilities in IT hardware pitched firmly at the SOHO segment may not seem as immediately dangerous as something like Log4Shell or ProxyLogon, they can be just as impactful, particularly given the prevalence of remote working, which has left many organisations, including large enterprises, more reliant on consumer IT than their security teams would like. Unsurprisingly, malicious actors are wise to this.
Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory detailing state-sponsored exploitation of SOHO routers by advanced persistent threat (APT) actors linked to the Chinese government, and among the vulnerabilities on CISA's list was an earlier-disclosed bug in DrayTek kit.
Douglas McKee, principal engineer and head of vulnerability research at Trellix, said: “Why does another vulnerability in a SOHO router matter?
“Because in 2019, 360Netlab Threat Detection System observed two different attack groups using two zero-day vulnerabilities targeting various DrayTek Vigor enterprise routers; because in March 2022, Barracuda reported small businesses are three times more likely to be targeted by cyber criminals than larger companies; because just last month, the ZuoRAT malware was observed infecting numerous SOHO router manufacturers, including Asus, Cisco, DrayTek and Netgear.
“In short, it matters because major threat actors like China are dictating that it matters. Edge devices themselves, such as routers and firewalls, are rather uninteresting, but these devices are the gateway that protects the soft underbellies of companies.”
McKee added: “Once compromised, it’s the open doorway into the rest of a network that’s enticing for the adversary to perform the same level of research our team performs. A compromised edge device can lead to intellectual property theft, sensitive customer or employee data loss, access to camera feeds, the opportunity to simplify the deployment of ransomware and, in some cases, a foothold into a network for years to come.”
Besides downloading and applying the patch, DrayTek users may wish to log in to their device's management interface to verify that port mirroring, DNS settings, authorised VPN access and other relevant settings have not been tampered with.
Users should also make sure the device's management interface is not exposed to the internet unless essential, in which case they should enable multifactor authentication and IP restriction, and change passwords on any affected devices.
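The “IP restriction” recommended above is worth making concrete. What follows is an added illustration written for this article, not DrayTek firmware code or anything published by Trellix: it models a source-address allowlist in front of a management interface and the three details that make or break such a control, namely deciding on the TCP peer address rather than any client-supplied header such as X-Forwarded-For, failing closed on unparseable input, and treating IPv4-mapped IPv6 addresses as the IPv4 address they carry. The allowlist ranges and sample requests are constructed for the example.

```python
"""Source-address allowlist for a router management interface.

Added illustration, not DrayTek or Trellix code. It models the "IP restriction"
control: only admit administrative requests whose TCP peer address falls inside
an approved range. Allowlist ranges and sample requests below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, NamedTuple, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed example: the LAN, an IPv6 management prefix and one out-of-band
# admin host. A real deployment would substitute its own ranges.
DEFAULT_ALLOWLIST = ("192.168.1.0/24", "2001:db8:abcd::/64", "203.0.113.7/32")


class Request(NamedTuple):
    peer: str                 # address the TCP connection actually came from
    headers: Dict[str, str]   # HTTP headers, entirely client-controlled


def parse_allowlist(entries: Iterable[str]) -> List[IPNetwork]:
    """Parse CIDR strings; strict=False tolerates host bits (e.g. 192.168.1.1/24)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def normalise_source(addr: str) -> Optional[IPAddress]:
    """Parse a peer address for comparison.

    - Strips an IPv6 zone index ("fe80::1%eth0").
    - Unwraps IPv4-mapped IPv6 ("::ffff:192.168.1.20" -> 192.168.1.20), which a
      dual-stack listener presents for IPv4 clients and a naive string match misses.
    - Returns None for anything unparseable so the caller can fail closed.
    """
    try:
        ip = ipaddress.ip_address(addr.strip().split("%", 1)[0])
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_management_allowed(peer_addr: str,
                          allowlist: Iterable[str] = DEFAULT_ALLOWLIST) -> bool:
    """True only if peer_addr parses and lies inside one allowlisted network."""
    ip = normalise_source(peer_addr)
    if ip is None:
        return False  # fail closed on garbage input
    # A membership test across address families is simply False in ipaddress.
    return any(ip in net for net in parse_allowlist(allowlist))


def authorise(request: Request,
              allowlist: Iterable[str] = DEFAULT_ALLOWLIST) -> bool:
    """Decide on the transport peer address only.

    X-Forwarded-For (or any other header) is attacker-controlled on a device
    that sits directly on the internet, so it must not influence the decision.
    """
    return is_management_allowed(request.peer, allowlist)


if __name__ == "__main__":
    samples = [
        Request("192.168.1.20", {}),                                    # LAN admin host
        Request("::ffff:192.168.1.20", {}),                             # same host via dual-stack socket
        Request("2001:db8:abcd::1", {}),                                # IPv6 management prefix
        Request("198.51.100.9", {"X-Forwarded-For": "192.168.1.20"}),  # spoofed header from outside
        Request("not-an-ip", {}),                                       # garbage: fail closed
    ]
    for r in samples:
        print(f"{r.peer:>24} -> {'allow' if authorise(r) else 'deny'}")
```

The point of the header-carrying sample is the one most often got wrong: a router on the public internet has no trusted proxy in front of it, so any forwarding header is written by the attacker and must be ignored.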
Trellix acknowledged DrayTek's prompt and effective response to its disclosure, saying: “We applaud DrayTek for their great responsiveness and the release of a patch less than 30 days after we disclosed the vulnerability to their security team. This kind of responsiveness and relationship shows true organisational maturity and drive to improve security across the entire industry.”
A full list of the vulnerable router models, along with further technical details of the attack chain, is available from Trellix.