DrayTek Critical Vulnerability
A new DrayTek vulnerability, filed under CVE-2022-32548, has been discovered that affects multiple DrayTek routers.
DrayTek Critical Vulnerability (CVE-2022-32548)
If you’re using a DrayTek router within your business, you could be exposed to exploitation by attackers because of a new Critical Vulnerability that was announced on 3rd August 2022.
The vulnerable DrayTek devices (model and firmware version below which the device is affected) are:
– Vigor3910 < 220.127.116.11
– Vigor1000B < 18.104.22.168
– Vigor2962 Series < 22.214.171.124
– Vigor2927 Series < 4.4.0
– Vigor2927 LTE Series < 4.4.0
– Vigor2915 Series < 126.96.36.199
– Vigor2952 / 2952P < 188.8.131.52
– Vigor3220 Series < 184.108.40.206
– Vigor2926 Series < 220.127.116.11
– Vigor2926 LTE Series < 18.104.22.168
– Vigor2862 Series < 22.214.171.124
– Vigor2862 LTE Series < 126.96.36.199
– Vigor2620 LTE Series < 188.8.131.52
– VigorLTE 200n < 184.108.40.206
– Vigor2133 Series < 220.127.116.11
– Vigor2762 Series < 18.104.22.168
– Vigor167 < 5.1.1
– Vigor130 < 3.8.5
– VigorNIC 132 < 3.8.5
– Vigor165 < 4.2.4
– Vigor166 < 4.2.4
– Vigor2135 Series < 4.4.2
– Vigor2765 Series < 4.4.2
– Vigor2766 Series < 4.4.2
– Vigor2832 < 3.9.6
– Vigor2865 Series < 4.4.0
– Vigor2865 LTE Series < 4.4.0
– Vigor2866 Series < 4.4.0
– Vigor2866 LTE Series < 4.4.0
Here’s a video showing the exploitation of a DrayTek Vigor3910 router using this Critical Vulnerability.
What issues could be caused by this Critical Vulnerability in DrayTek routers?
DrayTek routers with this critical vulnerability could be exploited, leading to these possible threats:
– Sensitive data stored on the router being leaked (e.g. passwords and keys)
– Access to internal resources on the LAN that would normally require VPN access or being on the same network
– Man-in-the-middle interception of network traffic
– Spying on DNS requests and other unencrypted traffic sent to the internet through the router
– Packet capture of the data passing through any port of the router
– DDoS attacks being performed
How to Detect the Attacks
Attack attempts can be detected by logging or alerting when a malformed base64 string is sent via a POST request to the /cgi-bin/wlogin.cgi endpoint of the router’s web management interface. Malformed base64 strings indicative of an attack have an abnormally high number of %3D (URL-encoded “=”) padding characters; valid base64 never needs more than two, so any value with more than three should be considered suspicious.
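One way to implement this check, as an added example that is not from the original post: it parses constructed raw HTTP requests, URL-decodes each form value and flags a POST to /cgi-bin/wlogin.cgi whose base64 carries more than three “=” padding characters. The form field names aa and ab in the samples are assumptions, not taken from the advisory.

```python
"""Flag over-padded base64 in POST requests to the DrayTek login endpoint (added example)."""
from urllib.parse import unquote_plus

TARGET_PATH = "/cgi-bin/wlogin.cgi"
PAD_THRESHOLD = 3  # advisory: more than three "=" padding characters is suspicious


def parse_raw_request(raw: str):
    """Split a raw HTTP request into (method, path, body); headers are ignored."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, path, _version = request_line.split(" ", 2)
    return method, path, body


def max_padding(body: str) -> int:
    """Largest number of '=' characters in any form value after URL-decoding,
    so %3D and a literal '=' are counted alike ('=' only ever appears in base64
    as padding, so the count is the padding length)."""
    counts = []
    for field in body.split("&"):
        _name, _, value = field.partition("=")
        counts.append(unquote_plus(value).count("="))
    return max(counts, default=0)


def is_suspicious(raw_request: str) -> bool:
    """True for a POST to the login endpoint whose base64 exceeds the padding threshold."""
    method, path, body = parse_raw_request(raw_request)
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return False
    return max_padding(body) > PAD_THRESHOLD


# Constructed sample requests; 192.0.2.1 is a documentation address, aa/ab are assumed field names.
SAMPLES = [
    "POST /cgi-bin/wlogin.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\naa=YWRtaW4%3D&ab=cGFzcw%3D%3D",  # normal login
    "POST /cgi-bin/wlogin.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\naa=QUFB" + "%3D" * 8 + "&ab=x",  # 8 pads
    "GET /cgi-bin/wlogin.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",  # not a POST
    "POST /cgi-bin/other.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\naa=" + "%3D" * 8,  # other endpoint
]


def flagged_indices(requests=SAMPLES):
    """Indices of the requests that should raise an alert."""
    return [i for i, r in enumerate(requests) if is_suspicious(r)]


if __name__ == "__main__":
    print(flagged_indices())  # [1]
```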
How to Prevent and Protect your DrayTek Router from Attacks
We recommend the following to anyone who believes their DrayTek router is vulnerable or has been affected by the attacks.
– Make sure the latest firmware updates have been deployed onto the device. To see the latest updates, visit the DrayTek website.
– Within the management interface of the device, make sure that port mirroring, authorised VPN access, DNS settings and any other relevant settings haven’t been tampered with or changed.
– Do not expose the management interface to the internet unless absolutely required. If you do, make sure 2FA and IP restriction have been enabled to minimise the risk of attacks.
– Change the passwords of any devices that have been affected by attacks.
You can find more information about the new DrayTek Critical Vulnerability here.