Finding DrayTek Vigor routers
The Trellix Threat Labs Vulnerability Research team recently published vulnerability details affecting almost 30 models of DrayTek Vigor routers. This vulnerability resides in the management interface login page and is trivial to exploit via buffer overflow. An unauthenticated attacker can easily gain control over vulnerable Vigor devices, doing so remotely if the management interface is exposed to the Internet.
Tracked as CVE-2022-32548 with a CVSS “critical” maximum score of 10, successful attackers can potentially leverage device control to execute code, establish a foothold on the network for further exploration, exfiltrate sensitive data, add the device to a botnet, and more. Trellix researchers found over 200k vulnerable Vigor devices with management interfaces exposed to the Internet, putting them at risk of remote exploitation. Even with external access to the management interface disabled, vulnerable devices are still susceptible to exploitation via the local network.
DrayTek has provided patched firmware for affected Vigor devices. Admins should ensure that affected models are updated to the latest firmware version. The Trellix research team also provided additional mitigation recommendations, including disabling public-facing access to the management interface (see Recommendations).
Get runZero for free
Don’t have runZero and need help finding potentially vulnerable DrayTek Vigor assets?Start your runZero trial
July 29, 2022
Hunting for X.509 Certificates
X.509 certificates are used to secure communications over both trusted and untrusted networks. Protocols such as Transport Layer Security (TLS) rely on X.509 certificates to keep their communications secure between endpoints. Each X.509 certificate is composed of a public …Read More
June 21, 2022
Finding Microsoft VPN/PPTP with runZero
Last month, researcher Alex Nichols at Nettitude reported a vulnerability in Microsoft’s Windows VPN software that could allow for remote code execution or local privilege escalation by an attacker. This vulnerability lies in a use-after-free condition that can occur in the …Read More
June 3, 2022
Finding Confluence servers (again) with runZero
An actively exploited zero-day has surfaced in popular wiki software Confluence. Deemed “critical” in severity, this vulnerability affects all supported versions of Confluence Server and Confluence Data Center, and also older, unsupported versions (i.e. everything after …Read More