By faradaysec | March 11, 2025 | 7 minute read

Advisory: Multiple vulnerabilities affecting Draytek routers

Routers are critical to modern networks, acting as the gateway between local devices and the broader internet. Their strategic position makes them an attractive target for attackers seeking persistent access, data interception, or further exploitation of internal networks. Despite their importance, many routers suffer from outdated firmware, weak security, and a lack of patching.

Draytek, in particular, caught our attention due to its widespread use in small office/home office (SOHO) environments and its proprietary firmware format, which hinders the work of security researchers. We aimed to analyze and reverse engineer Draytek firmware to develop tools for researching and better securing these devices. Our research discovered multiple security issues, including weak authentication mechanisms, insecure kernel module updates, and persistent backdoor opportunities. A summary of our main findings can be found below:

CVE-2024-41335: Non-constant time password comparison.

Affected Vigor routers compare credentials with the standard strcmp and memcmp functions, which return as soon as the first differing byte is found and are therefore not constant-time, potentially allowing attackers to obtain sensitive information via timing attacks.
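As an added illustration (not Draytek's code and not taken from the advisory), the leaky early-exit comparison pattern beside a constant-time comparison that a firmware developer could substitute for it; the function names are hypothetical:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Leaky pattern (illustrative only, not Draytek's code): strcmp stops at the
 * first differing byte, so the response time reveals how many leading bytes
 * of the guess matched the stored password. */
int check_password_leaky(const char *stored, const char *guess)
{
    return strcmp(stored, guess) == 0;
}

/* Constant-time comparison: touches every byte of the stored secret and folds
 * all differences into one accumulator, so runtime does not depend on where
 * the first mismatch occurs. A length mismatch is folded in the same way
 * instead of returning early. Returns 1 if equal, 0 otherwise. */
int ct_bytes_equal(const uint8_t *a, size_t a_len, const uint8_t *b, size_t b_len)
{
    uint8_t diff = (a_len != b_len) ? 1 : 0;
    for (size_t i = 0; i < a_len; i++) {
        /* The guess length is attacker-chosen, so branching on it leaks nothing. */
        uint8_t bi = (i < b_len) ? b[i] : 0;
        diff |= (uint8_t)(a[i] ^ bi);
    }
    /* Map diff == 0 to 1 and any nonzero diff to 0 without a data-dependent
     * branch: (d - 1) wraps to all ones only when d is zero. */
    uint32_t d = diff;
    return (int)(((d - 1u) >> 31) & 1u);
}

/* Drop-in replacement for the leaky check above. The loop count is fixed by
 * strlen(stored), which reveals only the stored password's length, not its bytes. */
int check_password_ct(const char *stored, const char *guess)
{
    return ct_bytes_equal((const uint8_t *)stored, strlen(stored),
                          (const uint8_t *)guess, strlen(guess));
}
```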


CVE-2024-41336: Insecure password storage.

Affected Vigor routers store passwords in plaintext, allowing attackers with memory or physical access to dump credentials.


CVE not assigned: Predictable 2FA code generation.

Affected Vigor routers generate WAN login second-factor authentication codes in a predictable way. The codes can be calculated by knowing the time elapsed since boot, allowing an attacker to bypass this security measure. For example, an attacker can force a reboot by exploiting other vulnerabilities like CVE-2024-41338.


CVE-2024-41338: DHCP server NULL pointer dereference.

Affected Vigor routers contain a NULL pointer dereference vulnerability that allows attackers to cause a denial of service (DoS) via a crafted DHCP request.


CVE-2024-41339: Undocumented kernel module installation through CGI configuration endpoint.

Affected Vigor routers allow kernel modules to be uploaded through the CGI endpoint used for restoring saved configurations. Attackers can exploit this undocumented feature to upload a crafted kernel module, obtaining arbitrary code execution.


CVE-2024-41340: APP Enforcement signature update allows arbitrary kernel module installation.

Affected Vigor routers allow the upload of arbitrary APP Enforcement signatures. These signatures are implemented using kernel modules, allowing attackers to obtain arbitrary code execution.


CVE-2024-41334: Missing SSL certificate validation for APP Enforcement signature updates.

Affected Vigor routers do not validate SSL certificates when downloading APP Enforcement signatures from Draytek servers, allowing attackers to install crafted APPE modules served from unofficial servers. Since these signatures are implemented as kernel modules, controlling this update process leads to arbitrary code execution.


CVE-2024-51138: TR069 STUN server buffer overflow.

Affected Vigor routers contain a stack-based buffer overflow vulnerability in the TR069 STUN server’s URL parsing functionality. A remote attacker can execute arbitrary code by sending an unauthenticated request, leading to complete system compromise. Note that when the TR069 and the STUN server are enabled, the router is expected to be behind a NAT gateway.


CVE-2024-51139: CGI POST integer overflow.

Affected Vigor routers contain an integer overflow vulnerability in the CGI parser’s handling of HTTP POST requests’ “Content-Length” header. Since this value is used to allocate memory for the request data, it can also result in a heap overflow. Exploiting this flaw can enable an unauthenticated, remote attacker to execute arbitrary code on the router, leading to complete system compromise.
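An added example, not Draytek's code, contrasting the fragile allocate-what-the-header-says pattern that this class of bug belongs to with a hardened Content-Length parser; MAX_BODY_BYTES and the function names are assumptions made for this illustration:

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Policy cap on request bodies; an assumption for this example, not a Draytek value. */
#define MAX_BODY_BYTES (1024u * 1024u)

/* Fragile pattern (illustrative only, not Draytek's code): atoi() accepts a sign
 * and has undefined behaviour on overflow, so a hostile header can yield a length
 * that the allocation arithmetic wraps (e.g. -1 becomes SIZE_MAX, +1 becomes 0)
 * while a later copy still trusts the declared size. */
unsigned char *alloc_body_unsafe(const char *content_length)
{
    int len = atoi(content_length);
    return (unsigned char *)malloc((size_t)len + 1);   /* can wrap to a tiny buffer */
}

/* Hardened parser: returns 0 and stores the length on success, -1 on anything
 * malformed, signed, overflowing, or above the policy cap. */
int parse_content_length(const char *value, size_t *out_len)
{
    if (value == NULL || *value == '\0') return -1;
    /* Digits only: rejects '+', '-', whitespace and "0x" forms that strtoull tolerates. */
    for (const char *p = value; *p != '\0'; p++)
        if (*p < '0' || *p > '9') return -1;
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;   /* overflow while parsing */
    if (v > MAX_BODY_BYTES) return -1;                 /* also keeps v + 1 within size_t */
    *out_len = (size_t)v;
    return 0;
}

/* Allocation only ever sees a bounded length, so the +1 for a terminator cannot wrap. */
unsigned char *alloc_body(const char *content_length)
{
    size_t len;
    if (parse_content_length(content_length, &len) != 0) return NULL;
    return (unsigned char *)malloc(len + 1);
}

/* Convenience wrapper: the validated length, or -1 when the header is rejected. */
long long validated_length(const char *value)
{
    size_t len;
    return parse_content_length(value, &len) == 0 ? (long long)len : -1;
}
```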

Known affected firmware versions are:

CVE-2024-41334 to CVE-2024-41338 and the 2FA code generation issue:
Vigor165/166 before 4.2.6
Vigor2620/LTE200 before 3.9.8.8
Vigor2860/2925 before 3.9.7
Vigor2862/2926 before 3.9.9.4
Vigor2133/2762/2832 before 3.9.8
Vigor2135/2765/2766 before 4.4.5.1
Vigor2865/2866/2927 before 4.4.5.3
Vigor2962/3910 before 4.3.2.7
Vigor3912 before 4.3.5.2

CVE-2024-41339 and CVE-2024-41340:
Vigor165/166 before 4.2.7
Vigor2620/LTE200 before 3.9.8.9
Vigor2860/2925 before 3.9.8
Vigor2862/2926 before 3.9.9.5
Vigor2133/2762/2832 before 3.9.9
Vigor2135/2765/2766 before 4.4.5.1
Vigor2865/2866/2927 before 4.4.5.3
Vigor2962/3910 before 4.3.2.8/4.4.3.1
Vigor3912 before 4.3.6.1

CVE-2024-51138 and CVE-2024-51139:
Vigor2620/LTE200 before 3.9.9.1
Vigor2860/2925 before 3.9.8.3
Vigor2862/2926 before 3.9.9.8
Vigor2133/2762/2832 before 3.9.9.2
Vigor2135/2765/2766/2763 before 4.4.5.5
Vigor2865/2866/2927 before 4.4.5.8
Vigor2962/3910 before 4.3.2.9/4.4.3.2
Vigor3912 before 4.4.3.2
Vigor2915 before 4.4.5
Vigor1000B before 4.4.3.2
Vigor2952 before 3.9.8.5
Vigor3220 before 3.9.8.5

For more information about these vulnerabilities and their exploitation, please refer to our DEFCON 32 HHV and Ekoparty 2024 talks. In future posts, we will share more details about CVE-2024-51138 and CVE-2024-51139, which were not included in these talks.
