DrayTek Critical Vulnerability
A new DrayTek vulnerability filed under CVE-2022-32548 has been discovered which is affecting multiple DrayTek routers.
DrayTek Critical Vulnerability (CVE-2022-32548)
If you’re using a Draytek router within your business, you could be exposed to possible exploitation by hackers because of a new Critical Vulnerability which was announced on 3rd August 2022.
The vulnerable DrayTek devices are:
Vigor3910 < 4.3.1.1
Vigor1000B < 4.3.1.1
Vigor2962 Series < 4.3.1.1
Vigor2927 Series < 4.4.0
Vigor2927 LTE Series < 4.4.0
Vigor2915 Series < 4.3.3.2
Vigor2952 / 2952P < 3.9.7.2
Vigor3220 Series < 3.9.7.2
Vigor2926 Series < 3.9.8.1
Vigor2926 LTE Series < 3.9.8.1
Vigor2862 Series < 3.9.8.1
Vigor2862 LTE Series < 3.9.8.1
Vigor2620 LTE Series < 3.9.8.1
VigorLTE 200n < 3.9.8.1
Vigor2133 Series < 3.9.6.4
Vigor2762 Series < 3.9.6.4
Vigor167 < 5.1.1
Vigor130 < 3.8.5
VigorNIC 132 < 3.8.5
Vigor165 < 4.2.4
Vigor166 < 4.2.4
Vigor2135 Series < 4.4.2
Vigor2765 Series < 4.4.2
Vigor2766 Series < 4.4.2
Vigor2832 < 3.9.6
Vigor2865 Series < 4.4.0
Vigor2865 LTE Series < 4.4.0
Vigor2866 Series < 4.4.0
Vigor2866 LTE Series < 4.4.0
Looking at Shodan, you can see that over 270,000 DrayTek devices are visible to the internet in the UK alone, meaning all of these are at some risk of being compromised if not updated.
Here’s a video showing the exploitation of a Draytek 3910 router using this Critical Vulnerability.
What issues could be caused by this Critical Vulnerability of Draytek routers?
Draytek routers with this critical vulnerability could be exploited leading to these possible threats:
– Sensitive data that’s stored on the router being leaked (e.g. Passwords and keys)
– Access to the internal resources located on the LAN which would normally require a VPN access or to be on the same network.
– Man in the middle of network traffic
– Spying on DNS requests and other unencrypted traffic directed to the internet through the router.
– Packet capture of the data going through any port of the router.
– DDoS attacks to be performed
How to Detect the Attacks
Attempts of attacks can be detected by logging/alertig when a malformed base64 string is sent via a POST request to the /cgi-bin/wlogin.cgi end-point on the web management interface router. Malformed base64 strings indicative of an attack would have an abnormally high number of %3D padding. Any number over three should be considered suspicious.
How to Prevent and Protect your DrayTek Router from Attacks
We recomend the following to anyone who feels their DrayTek router is vulnerable or has been affected by the attacks.
– Make sure the latest firmware updates have been deployed onto the device. You see the latest updates, you can visit the DrayTek website.
– Within the management interface of the device, make sure that port mirroring, Authorised VPN access, DNS settings and any other relevant settings haven’t been messed around with or changed.
– Do not expose the management interface to the internet, unless fully required. If you do, make sure 2FA and IP restrication has been enabled to minimise the risk of any attacks.
– Change passwords of the devices that have been affected by attacks.
You can find more information about the new DrayTek Critical Vulnerability here.
-
Reformed IT have been beyond brilliant with helping us improve our current IT infrastructure and security. The services that they provide has taken enormous pressure off our internal … More IT team. They are always keen on sharing their knowledge and skills and always go above and beyond. I can’t recommend them highly enough. - Absolutely brilliant service! Friendly, knowledgeable and really helpful without making me feel stupid for not understanding IT wizardry!
- Great service so far what with me being a new starter, & I've heard really positive things about Reformed IT from many of my colleagues, so I have no doubt this great service … More will continue!
- Reformed IT always provide excellent service and support. Since working for Walton and Allen the team have always been fast to resolve any IT issues I have had. Thank you for all of … More your help 🙂
