Forescout Uncovers 14 Vulnerabilities in DrayTek Routers Leading Multiple Cyber Attacks

October 7, 2024

Critical DRAY Flaws in DrayTek Routers

On October 2, 2024, security researchers from Forescout Vedere Labs disclosed a series of 14 vulnerabilities affecting various models of DrayTek routers, collectively dubbed DRAY:BREAK. These high-severity flaws could allow unauthenticated remote attackers to execute arbitrary commands with root privileges, cause denial-of-service (DoS) conditions, or perform cross-site scripting (XSS) attacks on vulnerable devices.

With over 704,000 DrayTek routers exposed online across 168 countries, these vulnerabilities pose a substantial risk to businesses and residential users alike. If left unpatched, they could enable espionage, data exfiltration, ransomware attacks, or denial-of-service (DoS) conditions, leading to severe operational disruptions and security breaches.

The vulnerabilities stem from improper input validation, buffer overflows, and other coding issues in the web-based management interface and underlying operating system of affected DrayTek routers. An attacker could exploit these flaws by sending specially crafted HTTP requests or malicious payloads to a vulnerable device.

With CVSS scores ranging from 4.9 to 10.0, these vulnerabilities pose a significant risk to organizations and individuals using the impacted DrayTek router models. Unlike some previous router vulnerabilities, patches are available for most affected devices, including some end-of-life models.

In this article, we'll examine the details of these critical vulnerabilities in DrayTek routers, analyze their potential impact, and discuss mitigation strategies for organizations and users of these popular networking devices.

Overview of DrayTek Routers

DrayTek Corporation, founded in 1997 in Taiwan, has established itself as a prominent player in the networking equipment industry. The company specializes in developing and manufacturing a wide range of networking devices, with a particular focus on routers, firewalls, and VPN solutions. DrayTek's product lineup caters primarily to small to medium-sized businesses (SMBs), home offices, and tech-savvy consumers looking for advanced networking capabilities. Typical capabilities of these devices include:

  • VPN capabilities

  • Firewall protection

  • Content filtering

  • Bandwidth management

  • Multiple WAN interfaces

DrayTek devices run a proprietary operating system called DrayOS. While marketed as "backdoor-free", recent vulnerability disclosures highlight significant security issues in this OS and its web management interface.

Summary of DRAY:BREAK Vulnerabilities

The research team identified 14 critical vulnerabilities affecting various models of DrayTek routers, which could be exploited for a range of malicious activities, from complete system compromise to service disruptions. The vulnerabilities include multiple cross-site scripting (XSS) flaws, buffer overflows, and OS command injection vulnerabilities. The most critical vulnerabilities, CVE-2024-41585 and CVE-2024-41592, are rated with severity scores of 9.1 and 10, respectively, posing the highest risk to affected devices.

The research revealed that:

  • One vulnerability has a maximum severity score of 10, indicating that it can lead to full system compromise and allow remote code execution without any authentication.

  • Another vulnerability scored 9.1, reflecting a high likelihood of exploitation for OS command injection.

  • Nine vulnerabilities have medium severity ratings ranging from 4.9 to 7.5, which, while less critical, could still be leveraged for data theft, denial-of-service (DoS), or privilege escalation attacks.

These vulnerabilities arise due to improper input validation, inadequate memory handling, and insufficient access control mechanisms. Exploiting them could allow attackers to inject malicious code, gain unauthorized access, disrupt network services, and potentially launch further attacks on connected devices.

| CVE ID | CVSS Score | Vulnerability Type | Potential Impact | Description |
|---|---|---|---|---|
| CVE-2024-41592 | 10.0 | Buffer Overflow | Remote Code Execution | Buffer overflow in the Web UI's query string parsing functionality. |
| CVE-2024-41585 | 9.1 | OS Command Injection | Remote Code Execution | OS command injection vulnerability in the recvCmd binary used for guest-host communication. |
| CVE-2024-41594 | 7.6 | Weak PRNG Seeding | Information Disclosure / MitM | Web server backend uses a static string to seed the PRNG for SSL/TLS operations. |
| CVE-2024-41589 | 7.5 | Credential Reuse | Full System Compromise | The same admin credentials are used across the entire system, including both guest and host operating systems. |
| CVE-2024-41591 | 7.5 | Cross-Site Scripting (XSS) | Reflected XSS | Reflected XSS vulnerability in the 'doc/hslogp1_link.htm' page of the Web UI. |
| CVE-2024-41588 | 7.2 | Buffer Overflow | Potential RCE / DoS | Buffer overflow vulnerabilities in '/cgi-bin/v2x00.cgi' and '/cgi-bin/cgiwcg.cgi' pages. |
| CVE-2024-41590 | 7.2 | Buffer Overflow | Potential RCE / DoS | Multiple buffer overflow vulnerabilities in various CGI pages (requires valid credentials). |
| CVE-2024-41586 | 7.2 | Buffer Overflow | Potential RCE / DoS | Stack buffer overflow vulnerability in the '/cgi-bin/ipfedr.cgi' page handling. |
| CVE-2024-41596 | 7.2 | Buffer Overflow | Potential RCE / DoS | Multiple buffer overflow issues due to missing bounds checks when handling CGI form parameters. |
| CVE-2024-41593 | 7.2 | Heap Buffer Overflow | Denial of Service | Heap-based buffer overflow in the 'ft_payloads_dns()' function of the Web UI. |
| CVE-2024-41595 | 7.2 | Unvalidated User Input | Potential RCE / DoS | Lack of input validation in several CGI pages, allowing controlled writes into certain global variables. |
| CVE-2024-41587 | 4.9 | Cross-Site Scripting (XSS) | Stored XSS | Stored XSS vulnerability in the custom greeting message functionality. |
| CVE-2024-41583 | 4.9 | Cross-Site Scripting (XSS) | Stored XSS | Stored XSS vulnerability in the custom router name setting. |
| CVE-2024-41584 | 4.9 | Cross-Site Scripting (XSS) | Reflected XSS | Reflected XSS vulnerability in the 'sFormAuthStr' parameter of the login page. |

This table summarizes the 14 vulnerabilities, their severity scores, and potential impacts. Let's look at some of the most critical issues in more detail:

1. Buffer Overflow Vulnerabilities

CVE-2024-41592 (CVSS 10.0): Critical Query String Parsing Flaw

This vulnerability is the most severe, affecting the web UI's query string parsing functionality. The flaw exists in the GetCGI() function.

The code lacks proper bounds checking when processing query string parameters. An attacker can exploit this by sending a request with numerous '&' characters, overflowing the a2 buffer on the stack. This could lead to overwriting the return address and achieving arbitrary code execution.

CVE-2024-41588 and CVE-2024-41590 (CVSS 7.2): Multiple CGI Page Vulnerabilities

These vulnerabilities affect various CGI pages, including '/cgi-bin/v2x00.cgi' and '/cgi-bin/cgiwcg.cgi'. The issues stem from improper use of functions like strncpy() without adequate length checks. This pattern can lead to buffer overflows if the source string is longer than the destination buffer.
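The two parsing patterns above (the unchecked parameter table in GetCGI() and strncpy() copies that are not bounded by the destination) share one fix: check against the table size and the destination size before writing. The following is an added example, not DrayTek's code; MAX_PARAMS, parse_query() and get_param() are assumed names standing in for the firmware's own.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PARAMS 16   /* assumed table size; stands in for the on-stack "a2" buffer */

struct cgi_param { const char *key; size_t key_len; const char *val; size_t val_len; };

/* Split "k1=v1&k2=v2" into out[]. Returns the field count, or -1 when the query
   has more fields than the table: the check the vulnerable GetCGI() loop lacked. */
int parse_query(const char *qs, struct cgi_param *out, size_t max)
{
    size_t n = 0;
    const char *p = qs;
    while (*p != '\0') {
        if (n >= max)
            return -1;                         /* refuse instead of overflowing */
        const char *end = strchr(p, '&');
        size_t seg = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', seg);
        out[n].key = p;
        out[n].key_len = eq ? (size_t)(eq - p) : seg;
        out[n].val = eq ? eq + 1 : p + seg;
        out[n].val_len = eq ? seg - out[n].key_len - 1 : 0;
        n++;
        p = end ? end + 1 : p + seg;
    }
    return (int)n;
}

/* Copy the value of `key` into dst, bounded by the DESTINATION size rather than
   the source length (the strncpy() misuse in the CGI pages). Returns the value
   length, -1 if absent/malformed, -2 if it would not fit; dst is NUL-terminated. */
int get_param(const char *qs, const char *key, char *dst, size_t dstlen)
{
    struct cgi_param tbl[MAX_PARAMS];
    int n = parse_query(qs, tbl, MAX_PARAMS);
    for (int i = 0; i < n; i++) {
        if (tbl[i].key_len != strlen(key) || memcmp(tbl[i].key, key, tbl[i].key_len) != 0)
            continue;
        if (tbl[i].val_len >= dstlen)
            return -2;                         /* reject, never truncate silently */
        memcpy(dst, tbl[i].val, tbl[i].val_len);
        dst[tbl[i].val_len] = '\0';
        return (int)tbl[i].val_len;
    }
    return -1;
}
```

A query with more '&'-separated fields than the table holds is rejected up front, which is also a simple signal worth logging on any device that fronts a CGI interface.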

2. OS Command Injection

CVE-2024-41585 (CVSS 9.1): recvCmd Binary Vulnerability

This critical flaw affects the recvCmd binary, which facilitates communication between the guest OS (DrayOS) and the host OS. The vulnerable code constructs and executes system commands.

While intended to restrict commands to a predefined set, insufficient input sanitization allows arbitrary command execution. An attacker who compromises the guest OS could leverage this to execute commands on the host with root privileges.

3. Cross-Site Scripting (XSS) Vulnerabilities

Multiple XSS vulnerabilities were discovered, including both stored and reflected variants:

CVE-2024-41587 (CVSS 4.9): Stored XSS in Custom Greeting

This vulnerability allows injecting JavaScript into a custom login greeting message. The flawed input sanitization only checks for the "<script>" tag.

This can be easily bypassed using alternative methods to execute JavaScript, such as event handlers on HTML elements.

CVE-2024-41591 (CVSS 7.5): Reflected XSS in Web UI

This vulnerability exists in the 'doc/hslogp1_link.htm' page of the Web UI. It accepts HTML code via the "content" query string parameter and reflects it without proper sanitization.

An attacker could craft a malicious URL to execute arbitrary JavaScript in the victim's browser context.

4. Cryptographic Issues

CVE-2024-41594 (CVSS 7.6): Weak PRNG Seeding

The web server backend uses a static string to seed the pseudorandom number generator (PRNG) for SSL/TLS operations.

This predictable seeding could allow attackers to guess session keys and potentially perform man-in-the-middle attacks against encrypted communications.

5. Privilege Escalation

CVE-2024-41589 (CVSS 7.5): Credential Reuse

This vulnerability stems from a design flaw where the same administrative credentials are used across both the guest and host operating systems. If an attacker compromises the guest OS (DrayOS), they can use the same credentials to access the host system, potentially leading to full system compromise.

6. Denial of Service

CVE-2024-41593 (CVSS 7.2): Heap Buffer Overflow

A heap-based buffer overflow exists in the ft_payload_dns() function.

The use of a signed char for var_len can lead to integer overflow and subsequent large memory writes, potentially corrupting critical data structures and causing device instability or crashes.
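To make the signedness issue concrete, here is an added example (not DrayTek's code) that shows what a signed char length byte turns into, next to a hardened reader for a length-prefixed field; the function names are assumptions and the packet bytes in the comments are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The bug class in ft_payload_dns(): the one-byte length is held in a signed
   char, so any byte >= 0x80 reads as negative. Returns that signed reading. */
long var_len_as_signed(unsigned char len_byte)
{
    signed char var_len = (signed char)len_byte;    /* the bug: signed length */
    return (long)var_len;                           /* 0xC8 -> -56 */
}

/* ...and what that negative value becomes once used as a memcpy() size: a huge
   unsigned number, i.e. the "large memory write". Only computed here, never used. */
size_t var_len_as_size(unsigned char len_byte)
{
    signed char var_len = (signed char)len_byte;
    return (size_t)var_len;                         /* 0xC8 -> SIZE_MAX - 55 */
}

/* Hardened reader for a length-prefixed field at pkt[off]: unsigned length,
   checked against the bytes left in the packet and the destination size.
   Returns the number of bytes copied, or -1 for a malformed/oversized field. */
int read_var_field(const uint8_t *pkt, size_t pktlen, size_t off,
                   uint8_t *dst, size_t dstlen)
{
    if (off >= pktlen)
        return -1;                     /* no length byte present */
    uint8_t var_len = pkt[off];        /* 0..255, never negative */
    size_t remaining = pktlen - off - 1;
    if (var_len > remaining || var_len > dstlen)
        return -1;                     /* would read or write past a buffer */
    memcpy(dst, pkt + off + 1, var_len);
    return (int)var_len;
}
```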

Exploitation Techniques

Researchers demonstrated a proof-of-concept exploit chain combining CVE-2024-41592 and CVE-2024-41585:

  1. Exploit the buffer overflow in query string parsing (CVE-2024-41592) to achieve code execution on the guest OS.

  2. Use the compromised guest OS to trigger the command injection vulnerability (CVE-2024-41585) and execute commands on the host OS.

  3. Gain full control over the router, including the ability to intercept traffic, modify configurations, and pivot to other network resources.

This exploit chain requires no user interaction and can be fully automated, highlighting the severe risk posed by these vulnerabilities if left unpatched.

Global Impact Of DRAY:BREAK Vulnerabilities

The DRAY:BREAK vulnerabilities have a potentially massive impact due to the widespread deployment of affected DrayTek routers. Key findings from the researchers' analysis include:

  1. Over 704,000 vulnerable DrayTek routers exposed directly to the internet

  2. Affected devices found in 168 countries

  3. 63% of exposed routers are end-of-sale (EoS) or end-of-life (EoL) models

  4. 75% of vulnerable devices are used in commercial settings

The researchers' chart of the geographic distribution of vulnerable DrayTek routers shows the UK, Vietnam, and the Netherlands as the most affected countries.

Products Affected by DRAY:BREAK Vulnerabilities

As of the latest reports, 24 distinct DrayTek device models are affected by the DRAY:BREAK vulnerabilities. These models span various product lines and target different market segments, from small office/home office (SOHO) routers to enterprise-grade devices.

| Device Model | Fixed Versions | EoL? |
|---|---|---|
| Vigor1000B, Vigor2962, Vigor3910 | 4.3.2.8 and 4.4.3.1 | No |
| Vigor3912 | 4.3.6.1 | No |
| Vigor165, Vigor166 | 4.2.7 | No |
| Vigor2135, Vigor2763, Vigor2765, Vigor2766 | 4.4.5.1 | No |
| Vigor2865, Vigor2866, Vigor2915 | 4.4.5.3 | No |
| Vigor2620, VigorLTE200 | 3.9.8.9 | Yes |
| Vigor2133, Vigor2762, Vigor2832 | 3.9.9 | Yes |
| Vigor2860, Vigor2925 | 3.9.8 | Yes |
| Vigor2862, Vigor2926 | 3.9.9.5 | Yes |
| Vigor2952, Vigor3220 | 3.9.8.2 | Yes |

How to Protect Your DrayTek Devices from DRAY:BREAK Vulnerabilities?

Protecting your DrayTek devices from the DRAY:BREAK vulnerabilities requires a multi-faceted approach. Start by conducting a thorough inventory of all your DrayTek routers, identifying affected models and their current firmware versions. For supported devices, immediately download and apply the latest firmware updates from the official DrayTek website, ensuring you back up configurations before updating. Verify the success of updates by checking the new firmware version in the device's web interface.

For end-of-life devices, consider replacement with supported models or apply any available partial updates while implementing additional security measures:

  • Disable remote management features if not essential, or restrict access using ACLs and enforce two-factor authentication if remote access is necessary.

  • Implement strong access controls by changing default credentials, using unique passwords, and enabling login failure lockout mechanisms.

  • Enhance network security through segmentation, placing vulnerable routers in separate VLANs and controlling traffic with firewalls.

  • Enable comprehensive logging and configure alerts for suspicious activities.

  • Secure VPN configurations with strong encryption protocols and perfect forward secrecy.

  • Conduct regular security assessments, including vulnerability scans and penetration tests.

  • Develop and maintain an incident response plan specific to router compromises.

  • Educate staff about potential risks and reporting procedures. Consider deploying additional security controls such as next-generation firewalls or intrusion detection systems.

  • Finally, document all security measures and conduct regular reviews of your network security posture, updating policies and procedures as needed.

By implementing these comprehensive measures, you can significantly mitigate the risks posed by the DRAY:BREAK vulnerabilities and strengthen your overall network security.

Conclusion

The DRAY:BREAK vulnerabilities in DrayTek routers pose a serious risk to organizations and individuals using the affected models. Given the critical nature of these flaws, it is essential to take immediate measures to mitigate the vulnerabilities. We recommend regularly checking the DrayTek Security Advisories page for updates and new firmware releases.

For more information on these vulnerabilities and the patching process, visit the official DrayTek security advisory. Stay vigilant and ensure that your DrayTek router environment is secured against these critical vulnerabilities.

We hope this post has helped you understand the DRAY:BREAK vulnerabilities in DrayTek routers: their technical details, potential impact, affected models, and most importantly how to protect your DrayTek devices against them. Stay secure, stay updated, and continue to prioritize the safety of your network and data.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.