DrayTek Router Vulnerability: Entire device takeover vulnerability discovered, putting SMEs at risk.

By Mark Bartley
August 5, 2022
Image of DrayTek Vigor 2927 affected by the DrayTek router vulnerability

This week a serious DrayTek router vulnerability was exposed by researchers at Trellix. Clocking in at a mightily risky 10.0 score, unfortunately this vulnerability isn't as impressive as a Tom Daley 10m high dive scoring a perfect 10. Instead, it means this security risk is classed as critical, so it's an issue you should be dealing with urgently if you use the affected models within your WiFi network.

DrayTek routers have been growing in popularity due to their convenient size for small and midsize businesses (SMBs) who need to provide VPN access to employees.

Since the pandemic started, the need for DrayTek routers has increased with the mass migration of workers to work-from-home situations.

They are widely deployed throughout Asia and Europe, especially in the UK, and are known for being user-friendly and reliable.

Critical RCE DrayTek Router vulnerability impacts 29 models of Vigor routers

Over 200,000 routers made by DrayTek are subject to a severe vulnerability, which could open companies up to network breaches.

If this vulnerability is exploited, it can lead to the complete compromise of the devices and unauthorised access to the broader network.

It is an issue that needs to be addressed quickly.

Many models of DrayTek routers have been identified as vulnerable to a new critical remote code execution vulnerability.

The DrayTek Vigor 3910 is open to complete compromise by threat actors and is particularly at risk if its management interface is internet-facing.

Researchers from cybersecurity firm Trellix described the vulnerability in a blog post; it affects the Vigor 3910 and 28 other DrayTek devices that share the same code base.

They stressed that, at present, there are no examples of threat actors using the vulnerability in the wild. We must also say how impressively DrayTek has handled the vulnerability: they have already released a firmware patch that corrects the issue. However, you will still need to update your firmware to make sure you're up to date and secure.

Cybercriminal Activities Exploiting DrayTek

Two different groups of cybercriminals have been exploiting previously unknown vulnerabilities in DrayTek routers, load balancers, and VPN gateways since December 2019. These vulnerabilities also affected Vigor devices.

The cybercriminals were able to inject commands remotely, and the attacks continued until March 2020, when DrayTek released a patch for the two zero-day vulnerabilities.

Attackers can target routers through their LAN or, if the management interface is configured to be internet-facing, remotely over the internet.

Attackers that successfully exploit a vulnerability can take over the device, run code, and access internal resources.

It allows them to access sensitive data such as passwords and keys on the router, snoop on DNS requests and other unencrypted traffic, capture packets, and conduct man-in-the-middle and DDoS attacks.

To keep your devices secure, researchers recommend a few key things:

  • Make sure that your firmware is always up to date.
  • If possible, try to keep the management interface from being exposed to the internet.
  • Change the password on any affected devices as soon as possible.

Following these recommendations can help keep your devices safe and secure.

How do SMEs Protect Against Router Attacks?

Small to medium-sized enterprises (SMEs) must not underestimate the value of their data and intellectual property (IP), or the likelihood that their edge devices could be recruited into a botnet. Furthermore, SMBs also risk becoming a stepping stone for attackers who want to infiltrate their customers' networks.

To protect your business with DrayTek routers, always keep the firmware patched and up to date. Additionally, researchers from Trellix suggest that you should never expose the management interface to the internet unless it is required.

If you must, then be sure to use two-factor authentication and IP restrictions.

Also, once you apply a patch, check that port mirroring, DNS settings, authorised VPN access, and other relevant settings have not been tampered with via the management interface.
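One way to make that post-patch check repeatable is to keep a known-good snapshot of the router's settings and diff it against a fresh export after patching, flagging only the security-relevant keys. The script below is an added example written for this post; it is not code from Haptic, Trellix or DrayTek, and it assumes a hypothetical key=value text export (the real DrayTek export format is not described here, so every key name and both sample snapshots are constructed for illustration).

```python
"""Post-patch configuration drift check (added example, not from the post).

Assumes a hypothetical key=value text export of the router's settings; the real
DrayTek export format is not described on the page, so the keys below are
invented for illustration.
"""
import re

# Settings the post says to re-check after patching: DNS, port mirroring, VPN
# access and the management interface. Any key with one of these prefixes is
# treated as security-relevant; everything else is ignored by the diff.
WATCHED_PREFIXES = ("dns.", "mirror.", "vpn.user.", "mgmt.")

# Constructed baseline: a snapshot taken before the patch window.
BASELINE = """\
system.hostname=branch-router
dns.primary=192.0.2.53
dns.secondary=192.0.2.54
mirror.enabled=0
vpn.user.alice=enabled
vpn.user.bob=enabled
mgmt.wan_access=0
lan.dhcp.range=192.168.1.100-192.168.1.200
"""

# Constructed "current" snapshot: DNS repointed, mirroring switched on and
# given a target, and an extra VPN user that nobody authorised.
CURRENT = """\
system.hostname=branch-router
dns.primary=198.51.100.9
dns.secondary=192.0.2.54
mirror.enabled=1
mirror.target=lan2
vpn.user.alice=enabled
vpn.user.bob=enabled
vpn.user.svc_backup=enabled
mgmt.wan_access=0
lan.dhcp.range=192.168.1.100-192.168.1.200
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_config(text):
    """Parse key=value lines into a dict, skipping blanks and '#' comments."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key=value setting: {raw!r}")
        settings[m.group(1)] = m.group(2)
    return settings


def diff_config(baseline_text, current_text, prefixes=WATCHED_PREFIXES):
    """Return {key: (old, new)} for watched keys that were added, removed or changed.

    old or new is None when the key is absent on that side.
    """
    before = parse_config(baseline_text)
    after = parse_config(current_text)
    changes = {}
    for key in sorted(set(before) | set(after)):
        if not key.startswith(prefixes):
            continue
        old, new = before.get(key), after.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def report(changes):
    """Render the drift as one line per setting, suitable for a ticket or log."""
    if not changes:
        return ["OK: no drift in watched settings"]
    lines = []
    for key, (old, new) in changes.items():
        if old is None:
            lines.append(f"ADDED   {key} = {new}")
        elif new is None:
            lines.append(f"REMOVED {key} (was {old})")
        else:
            lines.append(f"CHANGED {key}: {old} -> {new}")
    return lines


if __name__ == "__main__":
    for line in report(diff_config(BASELINE, CURRENT)):
        print(line)
```

Run against the two constructed snapshots it reports the repointed primary DNS, the newly enabled port mirror and its target, and the unexpected VPN account, while staying silent about the unchanged DHCP range. The prefix list is the only thing to adapt to a real export: keep the baseline from a trusted state, and re-run the diff after every firmware update and on a schedule in between.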

We’re here to help

We understand that cyber security is complex and overwhelming. If you need support in updating your WiFi network hardware’s firmware or you want to run a security audit on your existing network, get in touch with Haptic today.

Full list of vulnerable devices

  • Vigor3910
  • Vigor1000B
  • Vigor2962 Series
  • Vigor2927 Series
  • Vigor2927 LTE Series
  • Vigor2915 Series
  • Vigor2952 / 2952P
  • Vigor3220 Series
  • Vigor2926 Series
  • Vigor2926 LTE Series
  • Vigor2862 Series
  • Vigor2862 LTE Series
  • Vigor2620 LTE Series
  • VigorLTE 200n
  • Vigor2133 Series
  • Vigor2762 Series
  • Vigor167
  • Vigor130
  • VigorNIC 132
  • Vigor165
  • Vigor166
  • Vigor2135 Series
  • Vigor2765 Series
  • Vigor2766 Series
  • Vigor2832
  • Vigor2865 Series
  • Vigor2865 LTE Series
  • Vigor2866 Series
  • Vigor2866 LTE Series