A critical Remote Code Execution (RCE) has been found affecting multiple DrayTek routers classified under CVE-2022-32548. If the device interface has been set such that it faces traffic directly from the internet, the attack could happen without any user interaction. Also, full compromise of the device is possible due to an attack and also attackers can get unauthorized access to internal resources. A patch has already been released for its firmware and is available for download for all the supporting devices.
About Vigor Routers and vulnerability
DrayTek Corporation manufactures network devices such as VPN Routers, Load balancing Routers, LTE Routers, Access Point devices, and switches and develops software for the same. Small Office and Home Office are the ones who use these devices as they are quite affordable. After research conducted on Vigor 3910 and 28 other models, a remote code execution vulnerability was found that led to a complete takeover of the device and a malicious adversary got access to the internal resources of the breached network.
In the case of the attack, no user interaction is necessary to get this exploit to work. Many more devices that were not directly facing the internet are also still vulnerable to this vulnerability having CVSS 3.0 score of 10.
Shodan search engine shows results of the search for Vigor 3910 devices facing the internet. Also, the version of the device firmware can also be seen in the search results. Due to such open internet-facing devices available, adversaries get an advantage for exploiting the device’s vulnerability.
Affected Vigor Models:
- Vigor2962 Series
- Vigor2927 Series
- Vigor 2927 LTE Series
- Vigor 2915 Series
- Vigor 2952 / 2952P
- Vigor3230 Series
- Vigor2926 Series
- Vigor2926 LTE Series
- Vigor2862 Series
- Vigor2862 LTE Series
- Vigor2620 LTE Series
- VigorLTE 200n
- Vigor2133 Series
- Vigor2762 Series
- VigorNIC 132
- Vigor2135 Series
- Vigor2765 Series
- Vigor2766 Series
- Vigor2865 Series
- Vigor2865 LTE Series
- Vigor2866 Series
- Vigor2866 LTE Series
Post exploitation impact
As exploitation leads to complete device compromise, its impact is quite disastrous.
- Compromise of sensitive data like admin passwords, and keys.
- MITM attacks in the network.
- Access to internal resources on the LAN that requires VPN access or is present on the same network.
- Botnet Activities.
- Leak of sensitive data stored on the routers.
- Snooping of unencrypted HTTP traffic directed from LAN through the router.
If the adversary fails to compromise the device, the following events take place:
- The device gets Rebooted.
- DOS of affected devices.
- Other anomalous behavior.
How can an attacker exploit this?
- Attacker has already an http server for post exploitation and a reverse shell listener.
- An attacker develops an exploit in such a way that it will directly execute from the attacker’s endpoint and will generate a reverse shell on the device and on the listener every activity can be seen.
- Now a new reverse shell (with socat) that is used to pass simple messages and interaction between computers will be set by attackers where a bash shell will be used to execute commands over the device.
- Now, an attacker can get access to system files from where he can get access to sensitive data.
- Further, he tries to forward traffic from his machine to a gitlab console via exploited draytek router and further with ncat, creates another reverse shell that runs gitlab-rails console and would create a new admin user.
- And after getting access as admin, an attacker can grab sensitive data from a gitlab instance like credentials of a surveillance camera and can get access to it.
In this way, by forwarding traffic through the LAN that contains the infected router would be dangerous as an attacker can make any actions legitimate. Also, due to reverse shell uploading, it is possible to get system-sensitive files and make a lateral movement from one instance to another in the network.
In the above scenario, the attacker exploits the device. i.e. Vigor Router. Post exploit success, an attacker can perform activities such as Port Forwarding, upload a reverse shell on the router, getting sensitive passwords and conduct tasks like running any admin console and gaining potential information from it, pivot this attack to other devices on the same network.
An exploit attempt can be detected by logging/alerting when a malformed base64 string is sent via a POST request to the /cgi-bin/wlogin.cgi endpoint. on the web management interface router. Malformed base64 strings indicative of an attack would have an abnormally high number of %3D padding. A number over three should be considered suspicious.
How does SharkStriker detects and respond to these vulnerabilities?
SharkStriker provides various services for detection as well as prevention of such attacks and vulnerabilities from malicious actors.
Managed Detection and Response (MDR) from SharkStriker is a security service that covers the entire attack lifecycle while mapping the protection of the MITRE ATT&CK model. Security is further bolstered by kernel-level data collection and enrichment to boost its resilience to adversary tampering and stop attacks at the gate. Our cybersecurity experts provide you with incident triage workflow, vulnerability management, firewall monitoring & assessment, and other security services through our SharkStriker platform.
SIEM as a Service
Security Information and Event Management is a platform that integrates log management and monitoring capabilities. SIEM is designed to monitor and detect targeted threats and prevent data breaches. SIEM systems typically collect log events and other necessary information from a diverse set of IT assets, such as devices, platforms, IT frameworks, applications, etc. This will enable it to detect suspicious network activity. Upon identification, an investigation alert is generated, ensuring the analysis and remediation of malicious log events are completed more quickly. SIEM-as-a-Service is a combination of SIEM Platform and 24/7 SOC team. Apart from creating rules for anomalous detection and prevention of these kinds of events, SIEM service also is capable for Threat Hunt and SOC team carries this hunting task and provides results for any possible residual threats on your endpoints or network.
SharkStriker provides remote firewall monitoring services. From installation to 24×7 monitoring backed by our expert SOC team, your internal IT team can focus on more productive tasks while our experts take care of any malicious or anomalous behavior on your network or endpoints. Firewall service from SharkStriker is a completely managed service which provides the best support in case of any critical incident response as well.
MSSP (Managed Security Service Provider) plays a vital role when any organization faces a critical security incident. There might be chances that due to such incidents, businesses might suffer a loss, and also it impacts the reputation of any organization. So, to ensure the best security posture of your organization, MSSPs like SharkStriker are always ready to provide support and response to such vulnerabilities and incidents.