Over 750,000 DrayTek Vigor Routers Vulnerable to Critical RCE Bug

essidsolutions

Several small office and home office (SOHO) router models from Taiwanese manufacturer DrayTek have been found vulnerable to CVE-2022-32548, a critical vulnerability that allows unauthenticated remote code execution. Researchers at Trellix said the vulnerability could also enable one-click attacks.

The critical vulnerability, assigned CVE-2022-32548 and scoring 10 out of 10 on the Common Vulnerability Scoring System (CVSS), resides in nearly two and a half dozen different Vigor broadband router models from DrayTek, a Taiwanese networking equipment manufacturer. It was first discovered by security firm Trellix when it assessed the Vigor 3910, the company’s flagship product.

The firm subsequently found that 28 other Vigor routers with a similar codebase were also vulnerable to the exploitation of CVE-2022-32548.

CVE-2022-32548 could prove to be a dangerous flaw if left unpatched, considering it requires “no user interaction to be exploited. Many more devices where the affected service is not exposed externally are still vulnerable to a one-click attack from the LAN,” the researchers said.

Successful exploitation can allow a threat actor to take over the vulnerable device, arbitrarily execute code, and access internal resources. Consequently, the attacker can access sensitive data such as keys and administrative passwords on the router, snoop on DNS requests and other unencrypted traffic, capture incoming and outgoing packet data, and conduct man-in-the-middle and DDoS attacks.

A quick search on Shodan, the search engine for internet-connected servers and devices, results in 765,161 hits for DrayTek SSL, more than a third of which were in Great Britain. The top ten countries with the highest number of vulnerable DrayTek Vigor routers currently connected to the internet are:

Source: Shodan


Trellix has no evidence to confirm that the vulnerability has been exploited in the wild. However, users of the vulnerable models should keep an eye out for unexpected device reboots, denial of service, and other out-of-the-ordinary behavior.

Mitigation of CVE-2022-32548 requires updating the affected models (listed below alongside vulnerable firmware versions) with respective patches released by DrayTek.

DrayTek Vigor Routers Vulnerable to CVE-2022-32548 (model, followed by the firmware versions that are vulnerable)

Vigor3910 < 4.3.1.1
Vigor2862 Series < 3.9.8.1
Vigor166 < 4.2.4
Vigor1000B < 4.3.1.1
Vigor2862 LTE Series < 3.9.8.1
Vigor2135 Series < 4.4.2
Vigor2962 Series < 4.3.1.1
Vigor2620 LTE Series < 3.9.8.1
Vigor2765 Series < 4.4.2
Vigor2927 Series < 4.4.0
VigorLTE 200n < 3.9.8.1
Vigor2766 Series < 4.4.2
Vigor2927 LTE Series < 4.4.0
Vigor2133 Series < 3.9.6.4
Vigor2832 < 3.9.6
Vigor2915 Series < 4.3.3.2
Vigor2762 Series < 3.9.6.4
Vigor2865 Series < 4.4.0
Vigor2952 / 2952P < 3.9.7.2
Vigor167 < 5.1.1
Vigor2865 LTE Series < 4.4.0
Vigor3220 Series < 3.9.7.2
Vigor130 < 3.8.5
Vigor2866 Series < 4.4.0
Vigor2926 Series < 3.9.8.1
VigorNIC 132 < 3.8.5
Vigor2866 LTE Series < 4.4.0
Vigor2926 LTE Series < 3.9.8.1
Vigor165 < 4.2.4
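As an added illustration (this is not code from the article, from DrayTek, or from Trellix), the following Python script checks a router inventory of model/firmware pairs against the fixed-version list above. A firmware version equal to the listed number counts as patched, since the table marks only lower versions as vulnerable; shorter version strings are zero-padded so that, for example, 3.9.6 compares correctly against 3.9.6.4. The inventory lines are constructed sample data, and the normalisation of model names and the stripping of build suffixes such as _STD are assumptions about how an inventory export might look.

```python
"""Audit a router inventory against the CVE-2022-32548 affected-firmware list.

Added example, not from the article, DrayTek or Trellix. FIXED_IN reproduces
the model / first-fixed-version pairs from the article's table; the
inventory below is constructed sample data.
"""
import re

# Model -> lowest firmware version that is NOT vulnerable (article's table).
# The article lists "Vigor2952 / 2952P" on one line; both are given here.
FIXED_IN = {
    "Vigor3910": "4.3.1.1", "Vigor2862 Series": "3.9.8.1", "Vigor166": "4.2.4",
    "Vigor1000B": "4.3.1.1", "Vigor2862 LTE Series": "3.9.8.1",
    "Vigor2135 Series": "4.4.2", "Vigor2962 Series": "4.3.1.1",
    "Vigor2620 LTE Series": "3.9.8.1", "Vigor2765 Series": "4.4.2",
    "Vigor2927 Series": "4.4.0", "VigorLTE 200n": "3.9.8.1",
    "Vigor2766 Series": "4.4.2", "Vigor2927 LTE Series": "4.4.0",
    "Vigor2133 Series": "3.9.6.4", "Vigor2832": "3.9.6",
    "Vigor2915 Series": "4.3.3.2", "Vigor2762 Series": "3.9.6.4",
    "Vigor2865 Series": "4.4.0", "Vigor2952": "3.9.7.2", "Vigor2952P": "3.9.7.2",
    "Vigor167": "5.1.1", "Vigor2865 LTE Series": "4.4.0",
    "Vigor3220 Series": "3.9.7.2", "Vigor130": "3.8.5",
    "Vigor2866 Series": "4.4.0", "Vigor2926 Series": "3.9.8.1",
    "VigorNIC 132": "3.8.5", "Vigor2866 LTE Series": "4.4.0",
    "Vigor2926 LTE Series": "3.9.8.1", "Vigor165": "4.2.4",
}


def parse_version(text):
    """'3.9.7.2_STD' -> (3, 9, 7, 2). Only the leading dotted numeric part
    is used; build suffixes are ignored (assumption about inventory format)."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("unparseable firmware version: %r" % text)
    return tuple(int(p) for p in match.group(1).split("."))


def version_lt(a, b):
    """Strict 'less than' on version tuples, zero-padding the shorter one so
    that 3.9.6 == 3.9.6.0 rather than sorting below it."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def _norm(model):
    """Case/whitespace-insensitive model key; 'Series' is dropped so that
    'Vigor2862' and 'Vigor2862 Series' match (assumed inventory spelling)."""
    return re.sub(r"\s+", "", model).lower().replace("series", "")


# Normalised model name -> fixed version tuple.
INDEX = {_norm(m): parse_version(v) for m, v in FIXED_IN.items()}


def check(model, firmware, index=INDEX):
    """Return 'vulnerable', 'patched', or 'unknown-model' (not in the table)."""
    fixed = index.get(_norm(model))
    if fixed is None:
        return "unknown-model"
    return "vulnerable" if version_lt(parse_version(firmware), fixed) else "patched"


# Constructed sample inventory: (model as exported, running firmware).
SAMPLE_INVENTORY = [
    ("Vigor3910", "4.3.1.1"),        # equal to the fixed version -> patched
    ("Vigor2862 Series", "3.9.8"),   # below 3.9.8.1 -> vulnerable
    ("Vigor2832", "3.9.5.1"),        # below 3.9.6 -> vulnerable
    ("Vigor2952P", "3.9.7.2_STD"),   # suffix ignored -> patched
    ("VigorXXXX", "1.0"),            # placeholder model not in the table
]


def audit(inventory):
    """Return [(model, firmware, status), ...] for every inventory entry."""
    return [(m, f, check(m, f)) for m, f in inventory]


if __name__ == "__main__":
    for model, firmware, status in audit(SAMPLE_INVENTORY):
        print("%-20s %-12s %s" % (model, firmware, status))
```

Entries reported as unknown-model are not cleared by this check; they only fall outside the list the article reproduces and still need to be confirmed against DrayTek's own advisory.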

DrayTek routers, load balancers, and VPN gateways have previously been under exploitation by two separate threat groups using two different zero-day vulnerabilities starting December 2019. The exploitation of these vulnerabilities, which also existed on Vigor devices, allowed remote command injection and continued at least until March 2020. A patch for both zero-day bugs was released in February 2020.

Technical details of CVE-2022-32548 are available from Trellix.
