[German]Brief note for administrators and users who may be deploying Vigor routers in their environment. Security researchers have come across a critical Remote Code Execution vulnerability (RCE) that allows attackers to take over the router. DrayTek has provided a corresponding firmware update to close the vulnerability.
Advertising
DrayTek is a Taiwanese manufacturer of networking solutions, ranging from enterprise-level firewalls, to mission-critical VPN solutions for small and medium-sized businesses, to xDSL and broadband subscriber terminals for home users.
DrayTek products on Shodan.io
The search engine Shodan shows me worldwide installations of the products of this vendor, there should be some routers among them. The listing here shows Great Britain has a big user base.
RCE vulnerability CVE-2022-32548
Security researchers from Trellix have come across this vulnerability, which probably exists in a number of Vigor router models, and published this on August 3, 2022 in the post Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers. The Trellix Threat Labs Vulnerability Research Team found a vulnerability that allows remote code execution (RCE) without further authentication.
Advertising
Vulnerability CVE-2022-32548 affects multiple DrayTek router models and allows an attack without user interaction if the device's management interface is configured to be accessible via the Internet (the old problem). In addition, a one-click attack can also be performed inside the LAN in the default configuration of the device. The attack can lead to a complete compromise of the device, the security researchers write. Attackers thus gained access to the network and could perform unauthorized access to internal resources. Here is the list of identified devices along with firmware version that is vulnerable.
Vigor3910 < 4.3.1.1
Vigor1000B < 4.3.1.1
Vigor2962 Series < 4.3.1.1
Vigor2927 Series < 4.4.0
Vigor2927 LTE Series < 4.4.0
Vigor2915 Series < 4.3.3.2
Vigor2952 / 2952P < 3.9.7.2
Vigor3220 Series < 3.9.7.2
Vigor2926 Series < 3.9.8.1
Vigor2926 LTE Series < 3.9.8.1
Vigor2862 Series < 3.9.8.1
Vigor2862 LTE Series < 3.9.8.1
Vigor2620 LTE Series < 3.9.8.1
VigorLTE 200n < 3.9.8.1
Vigor2133 Series < 3.9.6.4
Vigor2762 Series < 3.9.6.4
Vigor167 < 5.1.1
Vigor130 < 3.8.5
VigorNIC 132 < 3.8.5
Vigor165 < 4.2.4
Vigor166 < 4.2.4
Vigor2135 Series < 4.4.2
Vigor2765 Series < 4.4.2
Vigor2766 Series < 4.4.2
Vigor2832 < 3.9.6
Vigor2865 Series < 4.4.0
Vigor2865 LTE Series < 4.4.0
Vigor2866 Series < 4.4.0
Vigor2866 LTE Series < 4.4.0
A patched firmware is available for download on the manufacturer's website for all affected models. Trellix Threat Labs is currently not aware of any signs of this vulnerability being exploited. However, DrayTek devices have recently been attacked by various known malicious actors, the security researchers write. More details can be read here. (via)
