The National Cyber Security Centre SK-CERT warns against continuing abuse of critical vulnerabilities in DrayTek devices

On 31 March 2020, the National Cyber Security Centre SK-CERT issued a security warning on the critical vulnerability of Vigor switches and routers from the company DrayTek.

According to the company Netlab 360[1], this vulnerability has been found in approximately 100,000 devices. Although it is an older vulnerability for which updates were already provided on 10 February 2020, attackers continue to abuse it actively, as the users and administrators of affected networks have not updated them yet.

Vulnerability directly affects the following systems:

  • DrayTek Vigor 2960, 3900, 300B firmware versions older than 1.5.1
  • DrayTek VigorSwitch20P2121, VigorSwitch20G1280, VigorSwitch20P1280, VigorSwitch20P2280 versions older than 2.3.2

These devices are often used to connect to the Internet at home, in small and medium-sized enterprises.

Technical description

Vulnerability is identified by CVE-2020-8515 which actually caches two vulnerabilities in mainfunction.cgi script:

  • the script does not check that the keyPath parameter is correct, which allows any command to be executed even before login
  • if the script needs access to a verification code, it calls the formCaptcha() function. This function calls the /usr/sbin/captcha programme to generate a CAPTCHA image called <rtick>.gif, where rtick is a parameter taken over from the user without any control. This again allows the attacker to execute a malicious code along with the legitimate /usr/sbin/captcha programme

Abuse patterns

Vulnerability is actively abused by multiple groups of attackers for different targets, for example:

  • an unknown group of attackers gets login names and passwords when users connect to e-mails and FTP servers through infected devices
  • an other group of attackers is only building the infrastructure of attacked devices for later use, by creating so called “back door” that may remain active even after the device has been updated; they also create a “wuwuhanhan” account with the password “caonimuqin” on the device
  • researchers from Palo Alto[2] have found out that this vulnerability is also actively used by  Hoaxcalls botnet to perform DDoS attacks. Hoaxcalls malware, running on infected devices, communicates with the control server via an IRC communication protocol. It provides the attacker with a wide range of options for distributed DoS attacks

Recommendations

Users are encouraged to update firmware of their devices to the latest version, the version 1.5.1 as a minimum, as soon as possible. It is also recommended to take additional measures to prevent the device abuse:

  • it is not recommended to administrate the device via remote access – it is important to have this function turned off completely,
  • check for other profiles and users, having remote access enabled, such as VPN or administrator accounts,
  • before updating, back up your device settings,
  • after the update, make sure the latest device update version has been installed,
  • experienced users are recommended to enable and monitor system logs, focusing on non-standard behaviour.

Vulnerable devices are also located in Slovakia according to open-source network monitoring. They were either delivered as part of services of some Internet Service Providers or were freely available for sale.

Along with other critical vulnerabilities of other devices, the vulnerability of DrayTek products is an important remark on regular updates that are extremely important and prevent organizations’ infrastructures and also individuals’ households from widespread damage.

Sources:

[1] https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/

[2] https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/


« Späť na zoznam
Current threats
all publications
Links