Multiple Vulnerabilities in DrayTek Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2020-044
Date(s) Issued: Wednesday, April 1, 2020
Subject: Multiple Vulnerabilities in DrayTek Products Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. DrayTek is a manufacturer of broadband CPE (customer premises equipment), including firewalls, VPN devices, routers and wireless LAN devices. Successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code on the affected system. This could allow an attacker to eavesdrop on network traffic, operate SSH and web-based backdoors, and create system accounts.


THREAT INTELLIGENCE:

There are reports indicating these vulnerabilities have been exploited in the wild.


Systems Affected: 
  • Vigor300B firmware versions prior to 1.5.1

  • Vigor2960 firmware versions prior to 1.5.1

  • Vigor3900 firmware versions prior to 1.5.1


RISK
GOVERNMENT
Large and medium government entities: Medium
Small government entities: Medium
BUSINESS
Large and medium business entities: Medium
Small business entities: Medium
Home Users: N/A
Description: 

Multiple vulnerabilities have been discovered in DrayTek devices which could allow for arbitrary code execution. An attacker who successfully submits crafted input to the vulnerable endpoints listed below on an unpatched system could execute arbitrary code. These vulnerabilities have been assigned CVE-2020-8515.

  • Insufficient input validation on the keypath field could allow for arbitrary command injection via the formLogin() function used by /www/cgi-bin/mainfunction.cgi.

  • Insufficient input validation on the rtick field could allow for arbitrary command injection via the formCaptcha() function used by /www/cgi-bin/mainfunction.cgi.

Successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code on the affected system. This could allow an attacker to eavesdrop on network traffic, operate SSH and web-based backdoors, and create system accounts.
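As an added example (not part of this advisory and not DrayTek's code), the following Python check flags requests to the endpoint named above whose keypath or rtick values contain characters outside a conservative allowlist, which is how a proxy, WAF or log-review script could surface attempts against unpatched devices. The allowlist pattern, the 64-character limit and the sample requests are assumptions constructed for the example; tune the pattern against your own baseline traffic.

```python
"""Flag requests to DrayTek's mainfunction.cgi whose keypath or rtick
fields carry characters that legitimate values should never contain."""
import re
from urllib.parse import parse_qs, urlparse

# Endpoint and fields named in the advisory (CVE-2020-8515).
VULN_ENDPOINT = "/cgi-bin/mainfunction.cgi"
WATCHED_FIELDS = ("keypath", "rtick")
# Assumption: legitimate values are short tokens of letters, digits, '_',
# '.' or '-'. Quotes, backticks, ';', '|', '$', '(' and newlines all fail.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.\-]{0,64}$")


def suspicious_fields(params):
    """Return the watched field names whose decoded value fails the allowlist."""
    hits = []
    for name in WATCHED_FIELDS:
        if any(not SAFE_VALUE.match(v) for v in params.get(name, [])):
            hits.append(name)
    return hits


def inspect_request(method, target, body=""):
    """Inspect one HTTP request (method, request-target, form body).
    Returns the flagged field names; an empty list means nothing to report.
    Both the query string and a form-encoded POST body are checked, since
    ordinary access logs record only the query string and would miss
    fields sent in the body."""
    url = urlparse(target)
    if url.path != VULN_ENDPOINT:
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return suspicious_fields(params)


# Constructed sample traffic (not real captures) for a quick self-check.
SAMPLES = [
    ("POST", "/cgi-bin/mainfunction.cgi", "action=login&keypath=abc123&rtick=1585699200"),
    ("POST", "/cgi-bin/mainfunction.cgi", "action=login&keypath=%60cmd%60&rtick=1"),
    ("GET", "/cgi-bin/mainfunction.cgi?action=captcha&rtick=1%3Bcmd", ""),
    ("GET", "/index.htm?rtick=%3B", ""),  # other path: out of scope
]


def scan(samples=SAMPLES):
    """Return (sample index, flagged fields) for every sample that trips the check."""
    results = []
    for i, (method, target, body) in enumerate(samples):
        hits = inspect_request(method, target, body)
        if hits:
            results.append((i, hits))
    return results
```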


Actions: 
  • After appropriate testing, immediately apply patches or mitigation provided by DrayTek to vulnerable systems.

  • Limit remote access to required users, and preferably only internally.

  • Apply the Principle of Least Privilege to all systems and services.