October 3, 2024
Severity
High
Analysis Summary
Fourteen new security flaws that could be used to take control of vulnerable devices have been found in DrayTek home and business routers.
By injecting malicious code through these flaws, attackers could take over a router, persist on it, and use it as a gateway into corporate networks. Two of the 14 vulnerabilities, collectively named DRAY:BREAK, are rated critical, nine high, and three medium. The most severe carries the maximum CVSS score of 10.0.
A buffer overflow in the "GetCGI()" function of the web user interface (CVE-2024-41592, CVSS score: 10.0) is triggered while query string parameters are processed and can lead to denial of service (DoS) or remote code execution (RCE). The "recvCmd" binary, used for communication between the host and guest operating systems, is affected by an OS command injection vulnerability (CVE-2024-41585, CVSS score: 9.1). The remaining 12 vulnerabilities are CVE-2024-41589, CVE-2024-41591, CVE-2024-41587, CVE-2024-41583, CVE-2024-41584, CVE-2024-41588, CVE-2024-41590, CVE-2024-41586, CVE-2024-41596, CVE-2024-41593, CVE-2024-41595, and CVE-2024-41594.
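To illustrate the two bug classes named above, here is an added C example. It is not DrayTek's code and does not reproduce the real GetCGI() or recvCmd logic, whose source is not public; the function names, the VALUE_BUF size and the sample query strings are constructed. It pairs a hypothetical unbounded query-string parameter copy with a bounded version that rejects overlong values, and adds an allowlist validator of the kind a command relay needs before it passes an untrusted field to a process via argv instead of through a shell.

```c
/*
 * Added example (not DrayTek's code): the two bug classes named in the
 * advisory, each shown as a vulnerable pattern next to a hardened one.
 * Function names, VALUE_BUF and the sample query strings are constructed.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VALUE_BUF 32   /* assumed fixed-size destination, typical of embedded UIs */

/* Return a pointer to the value of "name=" in a query string, or NULL. */
static const char *find_param(const char *query, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return p + nlen + 1;
        p = strchr(p, '&');        /* skip to the next key=value pair */
        if (p)
            p++;
    }
    return NULL;
}

/* Length of a value: up to the next '&' or the end of the string. */
static size_t value_len(const char *v)
{
    const char *amp = strchr(v, '&');
    return amp ? (size_t)(amp - v) : strlen(v);
}

/* VULNERABLE pattern (bug class of CVE-2024-41592): the value is copied into a
 * fixed buffer without checking its length, so a value of VALUE_BUF bytes or
 * more overruns out[]. Kept only for contrast; call it with trusted input only. */
static void get_cgi_unsafe(const char *query, const char *name, char out[VALUE_BUF])
{
    const char *v = find_param(query, name);
    if (!v) {
        out[0] = '\0';
        return;
    }
    size_t n = value_len(v);
    memcpy(out, v, n);             /* no bound check on n */
    out[n] = '\0';
}

/* HARDENED: the caller passes the buffer size; overlong values are rejected
 * (return -2) rather than silently truncated or written past the end.
 * Returns the value length, or -1 if the parameter is absent. */
static int get_cgi_safe(const char *query, const char *name, char *out, size_t outsz)
{
    const char *v = find_param(query, name);
    if (!v)
        return -1;
    size_t n = value_len(v);
    if (n >= outsz)                /* need room for the terminator */
        return -2;
    memcpy(out, v, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper: 1 if the safe lookup yields exactly `want`, else 0. */
static int lookup_equals(const char *query, const char *name, const char *want)
{
    char buf[VALUE_BUF];
    return get_cgi_safe(query, name, buf, sizeof buf) >= 0 && strcmp(buf, want) == 0;
}

/* Second bug class (CVE-2024-41585): a command relay that splices an untrusted
 * field into a shell line, e.g. snprintf(cmd, n, "ping -c 1 %s", host) followed
 * by system(cmd), lets "10.0.0.1;reboot" run a second command. The hardened
 * form validates the field against an allowlist and then passes it as its own
 * argv element to execve(), never through a shell. */
static int is_safe_hostname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253)         /* DNS name length limit */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;              /* ';', '|', '$', '`', space, ... all rejected */
    }
    return 1;
}

int main(void)
{
    char buf[VALUE_BUF];
    const char *req = "a=1&name=router1&b=2";                              /* constructed */
    const char *big = "name=" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"; /* 40-byte value */

    get_cgi_unsafe(req, "name", buf);          /* fits this time: 7 bytes */
    printf("unsafe lookup: %s\n", buf);
    printf("safe lookup of 40-byte value: %d (rejected)\n",
           get_cgi_safe(big, "name", buf, sizeof buf));
    printf("'10.0.0.1' safe=%d  '10.0.0.1;reboot' safe=%d\n",
           is_safe_hostname("10.0.0.1"), is_safe_hostname("10.0.0.1;reboot"));
    return 0;
}
```

The hardened lookup deliberately refuses an overlong value instead of truncating it: truncation hides the attack from logs and can still produce a malformed value downstream. For the command relay, the allowlist is the first half of the fix; the second half is to execute the binary with the validated field as a separate argv entry so that no shell ever parses it.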
According to the researchers, the web user interface (UI) of approximately 704,000 DrayTek routers is exposed to the internet, giving attackers a large target set. The United States accounts for the bulk of the exposed devices, followed by Vietnam, the Netherlands, Taiwan, and Australia.
Following responsible disclosure, DrayTek has released patches for every vulnerability found, including the maximum-rated flaw in 11 end-of-life (EoL) models. Devices running affected firmware must be updated to be fully protected. If remote access is enabled on the router and not needed, disable it; where possible, enforce two-factor authentication (2FA) and restrict management access with an access control list (ACL).
Impact
- Denial of Service
- Remote Code Execution
- Unauthorized Access
Indicators of Compromise
CVE
- CVE-2024-41592
- CVE-2024-41585
- CVE-2024-41589
- CVE-2024-41591
- CVE-2024-41587
- CVE-2024-41583
- CVE-2024-41584
- CVE-2024-41588
- CVE-2024-41590
- CVE-2024-41586
- CVE-2024-41596
- CVE-2024-41593
- CVE-2024-41595
- CVE-2024-41594
Affected Vendors
- DrayTek
Remediation
- Refer to the DrayTek Website for patch, upgrade, or suggested workaround information.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.
- Immediately change default passwords on IoT devices to unique ones.
- Keep devices' firmware and software up to date to ensure that known vulnerabilities are patched.
- Isolate IoT devices from critical systems by segmenting your network.
- Implement firewalls and intrusion detection and prevention systems (IDS/IPS) to monitor and control traffic to and from IoT devices and to alert on anomalous or malicious network activity.
- Employ tools that can identify unusual behavior or traffic patterns that might indicate a DDoS attack or a compromised device, and set up alerts on them.
- Disable any unnecessary services or features on IoT devices to reduce their attack surface.
- Follow security best practices, such as disabling remote management if not needed and enabling the security features provided by the device manufacturer.