
Multiple Vulnerabilities in DrayTek Products Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2020-043

DATE(S) ISSUED:

04/01/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. DrayTek is a manufacturer of broadband CPE, including firewalls, VPN devices, routers and wireless LAN devices. Successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code on the affected system. This could allow an attacker to eavesdrop on network traffic, operate SSH and Web based backdoors, and create system accounts.

THREAT INTELLIGENCE:

There are reports indicating these vulnerabilities have been exploited in the wild.

April 3 – UPDATED THREAT INTELLIGENCE:
According to Palo Alto Networks Unit42, there has been an increase in scanning for DrayTek products vulnerable to CVE-2020-8515. This vulnerability is currently being used by DDoS botnets for propagation.

SYSTEMS AFFECTED:

  • Vigor300B firmware versions prior to 1.5.1
  • Vigor2960 firmware versions prior to 1.5.1
  • Vigor3900 firmware versions prior to 1.5.1

RISK:

Government:
  • Large and medium government entities: N/A
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: MEDIUM
  • Small business entities: MEDIUM
Home Users:
N/A

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. An attacker who successfully interacts with the vulnerable endpoints listed below on an unpatched system could execute arbitrary code. These vulnerabilities have been assigned CVE-2020-8515.

  • Insufficient input control on the keypath field could allow for arbitrary command injection via the formLogin() function used by /www/cgi-bin/mainfunction.cgi.
  • Insufficient input control on the rtick field could allow for arbitrary command injection via the formCaptcha() function used by /www/cgi-bin/mainfunction.cgi.

Successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code on the affected system. This could allow an attacker to eavesdrop on network traffic, operate SSH and Web based backdoors, and create system accounts.
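The following Python script is an added triage example written for this advisory; it is not code from MS-ISAC or DrayTek. It covers the two technical passages above: it checks whether a listed model's firmware predates the 1.5.1 fix, and it scans HTTP access-log lines for requests to mainfunction.cgi whose keypath or rtick values fall outside a strict alphanumeric allowlist. Assumptions that are not stated in the advisory: the device (or a reverse proxy in front of it) logs requests in Apache "combined" format with the parameters in the request line, the URL path ends in /cgi-bin/mainfunction.cgi (the advisory gives the filesystem path /www/cgi-bin/mainfunction.cgi), and a legitimate keypath or rtick value is a short alphanumeric token. The sample log lines are constructed.

```python
"""Added example (not part of the MS-ISAC advisory or DrayTek's code):
triage helpers for CVE-2020-8515.

Assumptions, not facts from the advisory:
  - access log is Apache "combined" format and the keypath / rtick
    parameters appear in the logged request line (POST bodies would
    need a reverse-proxy or WAF log instead);
  - the URL path of the CGI ends in /cgi-bin/mainfunction.cgi;
  - a legitimate keypath or rtick value is a short alphanumeric token.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Advisory: these models are affected when firmware is older than 1.5.1.
FIXED_VERSION = (1, 5, 1)
AFFECTED_MODELS = {"Vigor300B", "Vigor2960", "Vigor3900"}

# Fields the advisory names as having insufficient input control.
WATCHED_FIELDS = ("keypath", "rtick")
SAFE_VALUE = re.compile(r"^[A-Za-z0-9]{1,64}$")  # assumed allowlist

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """'1.5.0' -> (1, 5, 0); four-part strings such as '1.4.4.1' also work."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(model, firmware):
    """True when the model is listed and its firmware predates 1.5.1."""
    if model not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < FIXED_VERSION


def inspect_request(line):
    """Return {"ip", "ts", "findings"} for a mainfunction.cgi request,
    or None when the line is unparsable or hits a different path.
    findings is a list of (field, decoded_value) allowlist violations."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/cgi-bin/mainfunction.cgi"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for field in WATCHED_FIELDS:
        for raw in params.get(field, []):
            # parse_qs decoded once; decode again so a double-encoded
            # value (%253B -> %3B -> ;) is judged on its final form.
            value = unquote(raw)
            if not SAFE_VALUE.match(value):
                findings.append((field, value))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "findings": findings}


def scan_log(lines):
    """Return only the inspected requests that carry at least one finding."""
    hits = []
    for line in lines:
        info = inspect_request(line)
        if info and info["findings"]:
            hits.append(info)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # normal login request: alphanumeric keypath and rtick
    '198.51.100.7 - - [03/Apr/2020:10:00:01 +0000] "GET /cgi-bin/mainfunction.cgi'
    '?action=login&keypath=a1b2c3&rtick=1585908001 HTTP/1.1" 200 512',
    # unrelated page: must be ignored
    '198.51.100.7 - - [03/Apr/2020:10:00:02 +0000] "GET /weblogin.htm HTTP/1.1" 200 2048',
    # keypath carries a shell metacharacter followed by a placeholder token
    '203.0.113.9 - - [03/Apr/2020:10:00:03 +0000] "GET /cgi-bin/mainfunction.cgi'
    '?action=login&keypath=abc%3BPLACEHOLDER&rtick=1585908003 HTTP/1.1" 200 512',
    # rtick double-encoded (%257C -> %7C -> |) to slip past a single-decode filter
    '203.0.113.9 - - [03/Apr/2020:10:00:04 +0000] "GET /cgi-bin/mainfunction.cgi'
    '?action=captcha&rtick=1%257CPLACEHOLDER HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for model, fw in (("Vigor2960", "1.5.0"), ("Vigor3900", "1.5.1")):
        print(f"{model} {fw}: {'AFFECTED' if is_affected(model, fw) else 'ok'}")
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} suspicious {hit['findings']}")
```

Run it against a real access log with `scan_log(open(path))`; the version helper is useful when inventorying devices from a management export before scheduling the firmware update.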

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches or mitigations provided by DrayTek to vulnerable systems immediately after appropriate testing.
  • Limit remote access to required users, and preferably only internally.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
