DrayTek Routers Hit by Critical Vulnerabilities: A Wake-Up Call for Users

DrayTek Routers Hit by Critical Vulnerabilities: A Wake-Up Call for Users

In the ever-evolving landscape of cybersecurity, DrayTek routers are once again at the center of attention. Multiple high-severity vulnerabilities have been discovered across a range of DrayTek Vigor router models, posing significant risks to organizations and individuals alike. These vulnerabilities, disclosed in CVE-2020-8515, CVE-2021-20123, and CVE-2021-20124, have serious implications for remote code execution, unauthorized access to sensitive files, and even full system compromise.

CVE-2020-8515: Critical OS Command Injection Vulnerability

The most alarming of these vulnerabilities is CVE-2020-8515, which has received a CVSS score of 9.8, indicating an extreme risk to affected systems. This vulnerability resides in the cgi-bin/mainfunction.cgi URI of DrayTek routers, specifically targeting multiple Vigor models. It allows for an operating system command injection, a type of vulnerability where an attacker can inject malicious commands into the operating system, resulting in remote code execution with root privileges.

What makes this vulnerability so dangerous is its ability to be exploited remotely. A threat actor can craft a specially designed request to the vulnerable URI, using shell metacharacters to manipulate the command line of the operating system. Once exploited, this could allow attackers to gain full administrative control over the device, enabling them to install malware, exfiltrate sensitive data, or launch attacks on the network to which the router is connected.

This flaw, which affects routers used in both small businesses and large enterprise environments, underscores the need for constant vigilance in securing network hardware. Cybercriminals could easily exploit this vulnerability to compromise entire networks, and due to its high severity, it should be a top priority for organizations using DrayTek routers to address immediately.

CVE-2021-20123 and CVE-2021-20124: Local File Inclusion Vulnerabilities

In addition to the remote code execution flaw in CVE-2020-8515, DrayTek routers are also vulnerable to two local file inclusion (LFI) vulnerabilities — CVE-2021-20123 and CVE-2021-20124 — both scoring 7.5 on the CVSS scale. LFI vulnerabilities allow attackers to access and download sensitive files from the underlying operating system. In these cases, the flaws lie within DrayTek VigorConnect, the router's management software.

CVE-2021-20123 and CVE-2021-20124 both exploit weaknesses in the DownloadFileServlet and WebServlet endpoints, respectively. These endpoints are responsible for handling file downloads, but due to improper input validation, they allow an unauthenticated attacker to specify files on the system and download them. This could include sensitive configuration files, logs, or even executable files that contain critical data or credentials.

The risk posed by these vulnerabilities is significant. If an attacker can successfully exploit them, they can gain root access to the router’s underlying operating system, potentially exposing sensitive network information and administrative credentials. Once inside the system, an attacker could pivot across the network, escalate privileges, or deploy malware that could spread throughout the network undetected.

The Importance of Timely Patches

Given the severity of these vulnerabilities, it’s crucial for DrayTek router users to take immediate action to mitigate potential risks. DrayTek has acknowledged these vulnerabilities and released firmware updates to address them. Users are strongly encouraged to update their router firmware to the latest versions as soon as possible to patch these flaws.

In addition to updating the firmware, users should take the following steps:

• Restrict Remote Access: Disable remote management of the router unless absolutely necessary. If remote access is required, ensure that strong authentication methods like two-factor authentication (2FA) are used.

• Use Network Segmentation: Segregate critical network devices and servers from the general network to limit the damage an attacker could cause if they exploit the router vulnerabilities.

• Monitor Logs: Keep a close eye on router logs for any signs of suspicious activity, such as failed login attempts or unusual network traffic.

• Use Security Best Practices: Enforce the principle of least privilege on all devices, ensuring that administrative access is limited to trusted individuals only.

A Growing Trend of Router Exploits

The discovery of these vulnerabilities comes at a time when the security of networking hardware has become a focal point for cybersecurity experts. Routers are increasingly targeted by cybercriminals because they often serve as the entry points to larger networks, providing attackers with the opportunity to cause widespread damage. DrayTek routers, with their popularity in both small business and enterprise environments, have unfortunately become a prime target for such attacks.

DrayTek is not alone in facing these challenges. Other prominent router manufacturers have also dealt with similar vulnerabilities over the years. This growing trend highlights the importance of regular firmware updates and the need for robust security measures on all connected devices.

The Bottom Line: Protect Your Network

In conclusion, the vulnerabilities in DrayTek routers, particularly the CVE-2020-8515, CVE-2021-20123, and CVE-2021-20124, should serve as a wake-up call for users and administrators. While DrayTek has issued patches to resolve these flaws, it is essential for organizations and individuals to take a proactive stance in securing their devices.

Ignoring such vulnerabilities could lead to disastrous consequences, from unauthorized access to sensitive information to full system compromise. By staying vigilant, applying necessary updates, and following security best practices, users can minimize the risks posed by these critical vulnerabilities and maintain the integrity of their networks.

As always, the fight against cyber threats is ongoing, and timely action is key to staying one step ahead.