A new report by Forescout Research has identified 14 new security vulnerabilities in 24 models of DrayTek's popular Vigor routers; DrayTek is a familiar name in the UK broadband ISP world. One of the vulnerabilities even carries a Common Vulnerability Scoring System (CVSS) score of 10 out of 10, and over 704,000 routers were found exposed online in 168 countries.
The report (here) notes that approximately 785,000 DrayTek devices are operating Wi-Fi networks in the wild (over 425,000 of those are in Europe, with 36% in the UK). According to the vendor, DrayTek's Vigor Web UI "should only be accessible from a local network for security reasons", but the study "found over 704,000 DrayTek routers that have their UI exposed to the Internet" (most of these are used by businesses and some advanced home users).
The research noted that, out of the 14 new vulnerabilities discovered (see bottom of the article for the full list), one had a maximum severity score of 10, another is critical at 9.1 and nine others have medium severity scores. The vulnerabilities could all be used in espionage, data exfiltration, ransomware and denial of service (DoS) attacks, and this risk is not theoretical.
On 18th September 2024, the Federal Bureau of Investigation (FBI) in the USA announced it had taken down a botnet exploiting three CVEs on DrayTek assets (CVE-2023-242290, CVE-2020-15415 and CVE-2020-8515). Two weeks prior, CISA added two other DrayTek CVEs to the KEV (CVE-2021-20123 and CVE-2021-20124).
In addition, a significant proportion of these vulnerable devices (38%) were also found to be susceptible to similar issues identified two years ago (here), which have already been patched. This suggests that many end-users of related devices are not checking to ensure they’re using the latest and most secure firmware (software) for their routers.
The good news is that DrayTek have already released firmware patches for the newly discovered vulnerabilities, including their EoL kit, which is in stark contrast to certain other router manufacturers we could name that have a terrible history when it comes to supporting older, but still actively used, devices. Well done DrayTek.
UPDATE 7th Oct 2024
One of our readers (credits to Fred) has pointed out that many of the routers listed as EoL in the report are actually EoS (End of Sale).
https://www.draytek.com/support/product-lifecycle/
For example, the 2862 reached EoS on 2023/05/12, but it only becomes EoL on 2028/05/12.
Oh dear. Looks like I'm already updated, but still. I might switch to Teltonika for my next router, as they run OpenWRT with a really nice interface and regular updates. But I'll have to wait until fibre arrives, as Draytek is one of the few that still offers inbuilt DSL modems.
These are the types of bug which really shouldn't be in anything shipped in the last 25 years or so. (Preferably longer, but really everyone cutting this stuff should have known by then). Either nobody with the slightest eye for security has reviewed this code, or they have and weren't able to get the needed fixes made; considering how many EoL devices are affected, this must have been around for a long time.
If they aren’t getting even trivial things like this right, what hope is there for something more complicated (IPsec, etc).
There are various advantages to using a separate rather than a built-in modem (even if you have to use a router-type device in bridge mode, at least you can make admin interfaces inaccessible from the network behind the real router, and unreachable from the rest of the internet).
The CVEs reported are from… 2024 so rather new.
I agree, DrayTek should have more security focused coders, but sadly issues like this affect all vendors including Cisco, Teltonika etc.
Standalone modems are still available
https://www.4gon.co.uk/draytek-vigor-167-vdsl2-35b-adsl2-modem-v167k-p-10117.html
With the advent of things like BT’s Digital Voice you have to have the Draytek behind a Smart Hub 2 anyway if you want a phone.
There is some very strange communication received from Draytek UK about this issue, as they keep suggesting that some models don't need this latest firmware and keep insisting that fixes have already been implemented in firmware released in August. Very, very confusing and not trustworthy at all.
I agree. You can’t even download that version listed for the 2866’s … It’s not that hard really is it.
I assume (hopefully) the firmware version that doesn't exist is a typo.
The latest firmware for the 2865 is v4.4.5.2, but the Forescout Research documentation refers to a v4.4.5.3. However, in the v4.4.5.2 release notes, “Web GUI security improvements” are mentioned, which appear to be the same improvements listed in v3.9.8 for the 2860, which is also mentioned in the Forescout Research documentation.
While Draytek have always been very good with their updates, I would have to say these vulnerabilities look like the sort of thing that a security review should have flagged long ago.
Be interesting to know which manufacturers are having constant security tests carried out and following through with updates.
Pretty poor that these vulnerabilities exist! Bit scary.
The EoL units mentioned in the article are I think EOS (End of Sale).
https://www.draytek.com/support/product-lifecycle/
For those having difficulty finding firmware, search on the router number and click on resources.
Under firmware you should get an https directory listing with all the firmware versions ever released for the device(s) you're looking to upgrade.
i.e. for 2862
https://fw.draytek.com.tw/Vigor2862/Firmware/v3.9.9.7/
You can navigate to other devices from this link.