CERT-In Advisory
CIAD-2024-0048
Multiple Vulnerabilities in DrayTek Routers
Original Issue Date: October 10, 2024
Severity Rating: High
Systems Affected
- DrayTek Vigor1000B, Vigor2962, Vigor3910 prior to version 4.3.2.8 (4.3.x firmware branch) or 4.4.3.1 (4.4.x firmware branch)
- DrayTek Vigor3912 prior to version 4.3.6.1
- DrayTek Vigor165, Vigor166 prior to version 4.2.7
- DrayTek Vigor2135, Vigor2763, Vigor2765, Vigor2766, Vigor2915 prior to version 4.4.5.3
- DrayTek Vigor2865, Vigor2866 prior to version 4.4.5.2
- DrayTek Vigor2620, VigorLTE200 prior to version 3.9.8.9
- DrayTek Vigor2133, Vigor2762, Vigor2832 prior to version 3.9.9
- DrayTek Vigor2860, Vigor2925 prior to version 3.9.8
- DrayTek Vigor2862, Vigor2926 prior to version 3.9.9.5
- DrayTek Vigor2952, Vigor3220 prior to version 3.9.8.2
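The list above is only useful if it is applied to a fleet inventory correctly, and the first entry has a trap: a Vigor3910 on 4.3.2.9 is fixed even though 4.3.2.9 is numerically below 4.4.3.1, so a naive "is the version below the highest fixed version" check produces false positives. The following Python script is an added example written for this edit, not part of the CERT-In advisory or of any DrayTek or Forescout tooling. It transcribes the Systems Affected table, compares a running firmware version only against the fix for its own major.minor branch, and reports models the advisory does not cover separately. The reading of 4.3.2.8 / 4.4.3.1 as fixes on two separately maintained firmware branches is an assumption made here, and the inventory at the bottom is constructed sample data.

```python
"""Check DrayTek models and firmware versions against the fixed versions in this advisory.

Added example, not part of the CERT-In advisory. The table is transcribed from the
Systems Affected list; treating 4.3.2.8 and 4.4.3.1 as fixes on two separate
firmware branches is an assumption. The inventory at the bottom is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (models, fixed versions) per group, one fixed version per firmware branch.
_FIXED_BY_GROUP: List[Tuple[List[str], List[str]]] = [
    (["Vigor1000B", "Vigor2962", "Vigor3910"], ["4.3.2.8", "4.4.3.1"]),
    (["Vigor3912"], ["4.3.6.1"]),
    (["Vigor165", "Vigor166"], ["4.2.7"]),
    (["Vigor2135", "Vigor2763", "Vigor2765", "Vigor2766", "Vigor2915"], ["4.4.5.3"]),
    (["Vigor2865", "Vigor2866"], ["4.4.5.2"]),
    (["Vigor2620", "VigorLTE200"], ["3.9.8.9"]),
    (["Vigor2133", "Vigor2762", "Vigor2832"], ["3.9.9"]),
    (["Vigor2860", "Vigor2925"], ["3.9.8"]),
    (["Vigor2862", "Vigor2926"], ["3.9.9.5"]),
    (["Vigor2952", "Vigor3220"], ["3.9.8.2"]),
]
FIXED: Dict[str, List[str]] = {m: fixes for models, fixes in _FIXED_BY_GROUP for m in models}


def parse_version(text: str) -> Version:
    """'4.4.5.3_STD' -> (4, 4, 5, 3). Any non-numeric suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so (3, 9, 8) and (3, 9, 8, 0) compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(model: str, running: str) -> Optional[bool]:
    """True if the running firmware predates the fix for its branch, False if it is
    at or past the fix, None if the model is not in the advisory or the advisory
    gives no fix for the branch the device is on."""
    fixes = FIXED.get(model)
    if fixes is None:
        return None
    ver = parse_version(running)
    branches = [parse_version(f) for f in fixes]
    # Compare against the fix on the same major.minor branch only (assumption above).
    same_branch = [f for f in branches if f[:2] == ver[:2]]
    if same_branch:
        v, f = _pad(ver, same_branch[0])
        return v < f
    # No branch match: older than every listed fix is affected, newer than all is not.
    v, lo = _pad(ver, min(branches))
    if v < lo:
        return True
    v, hi = _pad(ver, max(branches))
    if v > hi:
        return False
    return None


def audit(inventory: List[Tuple[str, str, str]]) -> Tuple[List[str], List[str]]:
    """Split (hostname, model, firmware) rows into affected and undetermined hosts.
    Undetermined hosts need a manual look rather than being silently passed."""
    affected, undetermined = [], []
    for host, model, fw in inventory:
        verdict = is_affected(model, fw)
        if verdict is True:
            affected.append(host)
        elif verdict is None:
            undetermined.append(host)
    return affected, undetermined


# Constructed sample inventory (hostnames and firmware values are made up).
SAMPLE_INVENTORY = [
    ("gw-hq", "Vigor3910", "4.3.2.5"),        # below the 4.3.x fix -> affected
    ("gw-branch1", "Vigor3910", "4.3.2.9"),   # fixed on 4.3.x, despite being < 4.4.3.1
    ("gw-branch2", "Vigor2865", "4.4.5.2"),   # exactly the fixed version
    ("gw-lab", "Vigor2860", "3.9.7.2"),       # below 3.9.8 -> affected
    ("gw-old", "Vigor2926", "3.9.9.2_STD"),   # suffix stripped, 3.9.9.2 < 3.9.9.5
    ("gw-x", "Vigor2960", "1.5.1.4"),         # model not listed in this advisory
]

if __name__ == "__main__":
    hit, unknown = audit(SAMPLE_INVENTORY)
    print("affected:", hit)
    print("undetermined:", unknown)
```

Feed `audit()` the model and firmware strings as exported from your inventory or from the routers' status pages; anything reported as undetermined, including models that are absent from this advisory, should be checked manually against DrayTek's firmware page rather than assumed safe.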
Overview
Multiple vulnerabilities have been reported in DrayTek routers, which could allow an attacker to launch cross-site scripting (XSS) attacks, execute arbitrary code remotely, access sensitive information, and achieve complete system compromise of the targeted systems.
Description
These vulnerabilities exist in multiple components of DrayTek routers due to insufficient input validation, improper handling of query string parameters, weak credential management, lack of binary hardening, static PRNG seeding, missing boundary checks and a lack of secure-by-design principles.
Successful exploitation of these vulnerabilities could allow an attacker to launch cross-site scripting (XSS) attacks, execute arbitrary code remotely, access sensitive information, and achieve complete compromise of the targeted router.
Solution
Users are advised to upgrade to the fixed firmware versions listed under Systems Affected, available from the DrayTek firmware download page, and to apply the mitigation measures described in the Forescout research referenced below. Until the update is applied, restricting WAN-side access to the router web administration interface and SSL VPN to trusted addresses by means of access control lists reduces exposure.
https://www.forescout.com/resources/draybreak-draytek-research/
References
Forescout
https://www.forescout.com/resources/draybreak-draytek-research/
DrayTek
https://www.draytek.com/support/resources/routers#version
CVE Names
CVE-2024-41583
CVE-2024-41584
CVE-2024-41585
CVE-2024-41586
CVE-2024-41587
CVE-2024-41588
CVE-2024-41589
CVE-2024-41590
CVE-2024-41591
CVE-2024-41592
CVE-2024-41593
CVE-2024-41594
CVE-2024-41595
CVE-2024-41596
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India