
Multiple Vulnerabilities in DrayTek Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2020-043

DATE(S) ISSUED:

04/01/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. DrayTek is a manufacturer of broadband CPE, including firewalls, VPN devices, routers and wireless LAN devices. Successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code on the affected system. This could allow an attacker to eavesdrop on network traffic, operate SSH and Web based backdoors, and create system accounts.

THREAT INTELLIGENCE:

There are reports indicating these vulnerabilities have been exploited in the wild.

April 3 – UPDATED THREAT INTELLIGENCE:
According to Palo Alto Networks Unit42, there has been an increase in scanning for DrayTek products vulnerable to CVE-2020-8515. This vulnerability is currently being used by DDoS botnets for propagation.

SYSTEMS AFFECTED:

  • Vigor300B firmware versions prior to 1.5.1
  • Vigor2960 firmware versions prior to 1.5.1
  • Vigor3900 firmware versions prior to 1.5.1

RISK:

Government:
  • Large and medium government entities: N/A
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: MEDIUM
  • Small business entities: MEDIUM
Home Users:
N/A

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. An attacker who successfully interacts with the vulnerable endpoints listed below could execute arbitrary code on the affected system. Both issues have been assigned CVE-2020-8515.

  • Insufficient input control on the keypath field could allow for arbitrary command injection via the formLogin() function used by /www/cgi-bin/mainfunction.cgi.
  • Insufficient input control on the rtick field could allow for arbitrary command injection via the formCaptcha() function used by /www/cgi-bin/mainfunction.cgi.

Successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code on the affected system. This could allow an attacker to eavesdrop on network traffic, operate SSH and Web based backdoors, and create system accounts.
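The two injection points above give defenders something concrete to look for: requests to mainfunction.cgi whose keypath or rtick parameter carries shell metacharacters. The following detection routine is an added example written for this advisory, not code from CIS, MS-ISAC or DrayTek. It assumes request parameters are available from a proxy, WAF or packet capture (a plain web access log does not record POST bodies), that the CGI is reached at a URL ending in mainfunction.cgi, and that the parameter names may differ in case; the sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fields of mainfunction.cgi named in the advisory as injection points
# (CVE-2020-8515): keypath (formLogin) and rtick (formCaptcha).
WATCHED_FIELDS = {"keypath", "rtick"}
# Characters that have no place in a key path or a captcha tick value;
# any of them in a watched field is a strong indicator of an injection attempt.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\\'\"]")


def suspicious_params(path: str, body: str) -> list:
    """Return (field, value) pairs from one request that carry shell metacharacters.

    `path` is the request target (may include a query string), `body` the
    URL-encoded form body. Assumes the CGI is served at a URL ending in
    mainfunction.cgi; other requests are ignored."""
    if not path.split("?", 1)[0].endswith("mainfunction.cgi"):
        return []
    hits = []
    for raw in (urlsplit(path).query, body):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            if name.lower() in WATCHED_FIELDS:
                for value in values:
                    if SHELL_META.search(value):
                        hits.append((name.lower(), value))
    return hits


def scan_records(records) -> list:
    """Apply suspicious_params to (src_ip, path, body) tuples; return (ip, hit) pairs."""
    return [(ip, hit) for ip, path, body in records
            for hit in suspicious_params(path, body)]


# Constructed sample records (hypothetical addresses, not real traffic).
SAMPLE_RECORDS = [
    ("192.0.2.10", "/cgi-bin/mainfunction.cgi", "action=login&keyPath=%2Ftmp%2Fkey&loginUser=admin"),
    ("192.0.2.11", "/cgi-bin/mainfunction.cgi", "action=login&keyPath=%27%60id%60&loginUser=admin"),
    ("192.0.2.12", "/cgi-bin/mainfunction.cgi?action=captcha&rtick=1585700000", ""),
    ("192.0.2.13", "/cgi-bin/mainfunction.cgi?action=captcha&rtick=1585700000%3Bls", ""),
    ("192.0.2.14", "/index.htm", ""),
]

if __name__ == "__main__":
    for ip, (field, value) in scan_records(SAMPLE_RECORDS):
        print(f"{ip}: possible CVE-2020-8515 attempt via {field}={value!r}")
```

A match is a reason to inspect the device for unexpected accounts, SSH or web listeners, and firmware below 1.5.1, as the advisory describes.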

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches or mitigations provided by DrayTek to vulnerable systems immediately after appropriate testing.
  • Limit remote access to required users, and preferably only internally.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
