DrayTek Vigor Routers Remote Code Execution Vulnerability: CVE-2022-32548
The Vulnerability Research team at Trellix Threat Labs has identified a vulnerability affecting a number of DrayTek routers, commonly used by businesses in the UK.
It’s worth checking your comms cupboard to see if your model is affected, and take the appropriate steps below to safeguard your network from intruders.
Vulnerability monitoring & firmware updates are included in our Managed IT solutions.
CVE-2022-32548 affects multiple DrayTek routers
The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing.
A one-click attack can also be performed from within the LAN in the default device configuration. The attack can lead to a full compromise of the device and may lead to a network breach and unauthorized access to internal resources.
All the affected models have a patched firmware available for download on the vendor’s website.
The vulnerable devices are as follows:
- Vigor3910 < 22.214.171.124
- Vigor1000B < 126.96.36.199
- Vigor2962 Series < 188.8.131.52
- Vigor2927 Series < 4.4.0
- Vigor2927 LTE Series < 4.4.0
- Vigor2915 Series < 184.108.40.206
- Vigor2952 / 2952P < 220.127.116.11
- Vigor3220 Series < 18.104.22.168
- Vigor2926 Series < 22.214.171.124
- Vigor2926 LTE Series < 126.96.36.199
- Vigor2862 Series < 188.8.131.52
- Vigor2862 LTE Series < 184.108.40.206
- Vigor2620 LTE Series < 220.127.116.11
- VigorLTE 200n < 18.104.22.168
- Vigor2133 Series < 22.214.171.124
- Vigor2762 Series < 126.96.36.199
- Vigor167 < 5.1.1
- Vigor130 < 3.8.5
- VigorNIC 132 < 3.8.5
- Vigor165 < 4.2.4
- Vigor166 < 4.2.4
- Vigor2135 Series < 4.4.2
- Vigor2765 Series < 4.4.2
- Vigor2766 Series < 4.4.2
- Vigor2832 < 3.9.6
- Vigor2865 Series < 4.4.0
- Vigor2865 LTE Series < 4.4.0
- Vigor2866 Series < 4.4.0
- Vigor2866 LTE Series < 4.4.0
What is the potential impact?
The compromise of your router can lead to the following outcomes:
- Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)
- Unauthorised access to the internal resources located on your local network, such as file shares and databases.
- Man-in-the-middle interception of network traffic
- Spying on DNS requests and other unencrypted traffic by users on your network
- Capture of the data going through any port of the compromised router
- Your network and resources being used to target other businesses and networks
Failed attempts to compromise your router could lead to unexpected reboots, loss of internet connectivity and other forms of network disruption.
We provide the following recommendations to those potentially affected by a vulnerable DrayTek router:
- Upgrade your device to the latest firmware, which you can find on DrayTek's website.
- Verify that the VPN access, port mirroring, DNS and any other settings have not been tampered with.
- Disable web access to the management interface unless absolutely necessary, and enable MFA and IP restrictions to minimise the risk of attack.
- Change the password of affected devices and revoke any secret stored on the router that may have been leaked.
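One way to check an inventory of DrayTek devices against the fixed-version list above, as an added example that is not from the original advisory or from DrayTek: the table covers only the models whose fixed firmware appears as a plain version number in the list, and the `assess`/`audit` helpers, the suffix handling and the sample inventory are assumptions constructed for the example.

```python
"""Audit a DrayTek inventory against the CVE-2022-32548 fixed-version list.

Added example, not part of the original advisory. FIXED_VERSIONS holds only
the models whose fixed firmware is listed as a plain version number above;
extend it from DrayTek's advisory for the remaining models.
"""
import re

# Model -> first firmware version that contains the fix (from the list above).
FIXED_VERSIONS = {
    "Vigor2927": "4.4.0", "Vigor2927 LTE": "4.4.0",
    "Vigor167": "5.1.1", "Vigor130": "3.8.5", "VigorNIC 132": "3.8.5",
    "Vigor165": "4.2.4", "Vigor166": "4.2.4",
    "Vigor2135": "4.4.2", "Vigor2765": "4.4.2", "Vigor2766": "4.4.2",
    "Vigor2832": "3.9.6",
    "Vigor2865": "4.4.0", "Vigor2865 LTE": "4.4.0",
    "Vigor2866": "4.4.0", "Vigor2866 LTE": "4.4.0",
}

def parse_version(version):
    """Turn '4.4.0' or '4.4.10_BT' into a 3-tuple of ints so 4.4.10 > 4.4.2.

    Assumption: anything after the leading numeric run (build suffixes such
    as '_BT') is ignored; short versions are zero-padded to three parts.
    """
    numeric = re.match(r"[\d.]+", version.strip())
    if not numeric:
        raise ValueError(f"unparseable firmware version: {version!r}")
    parts = [int(p) for p in numeric.group(0).strip(".").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def assess(model, version):
    """Return 'vulnerable', 'patched' or 'unknown' (model not in the table).

    'unknown' is deliberately not treated as safe: check the vendor list.
    """
    key = re.sub(r"\s*series$", "", model.strip(), flags=re.IGNORECASE).lower()
    fixed = next((v for m, v in FIXED_VERSIONS.items() if m.lower() == key), None)
    if fixed is None:
        return "unknown"
    return "vulnerable" if parse_version(version) < parse_version(fixed) else "patched"

def audit(inventory):
    """inventory: iterable of (hostname, model, version) -> [(hostname, status)]."""
    return [(host, assess(model, ver)) for host, model, ver in inventory]

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("branch-fw-01", "Vigor2927 Series", "4.3.1"),
    ("branch-fw-02", "Vigor2865 LTE Series", "4.4.0"),
    ("hq-dsl-01", "Vigor167", "5.1.1_BT"),
    ("lab-router", "Vigor2135 Series", "4.4.10"),
    ("old-unit", "Vigor2960", "1.5.1"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Devices reported as `unknown` are outside the table rather than confirmed safe, so check them against the full vendor list before closing them off.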