Potentially tens of thousands of DrayTek routers, including models that many businesses and government agencies use, are at heightened risk of attack via 14 newly discovered firmware vulnerabilities. Two of the new flaws are critical, meaning they need immediate attention: CVE-2024-41592, a maximum-severity RCE bug in the Web UI component of DrayTek routers, and CVE-2024-41585, an OS command execution/VM escape vulnerability with a CVSS severity score of 9.1. Nine of the vulnerabilities are medium-severity threats, and three are relatively low-severity flaws.

Researchers at Forescout's Vedere Labs discovered the vulnerabilities during an investigation of DrayTek routers, prompted by what the security vendor described as signs of consistent attack activity targeting the routers and a rash of recent vulnerabilities in the technology. They found over 704,000 Internet-exposed DrayTek routers — mostly in Europe and Asia — many of which likely contain the newly discovered vulnerabilities. "Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe," Forescout warned in a report that summarized the findings from their investigation, which they dubbed Dray:Break.

Santos says that attackers will likely find it relatively easy to find DrayTek routers that contain the new vulnerabilities using search engines such as Shodan or Censys. But "exploitation is more difficult because we did not provide a detailed working proof-of-concept, only the overall description of the vulnerabilities," he says. "If another researcher or an attacker builds and publishes a working exploit, then mass exploitation could happen — like how it has happened for other DrayTek CVEs in the past," Santos says.

The relatively high number of critical vulnerabilities in DrayTek products in recent years is another concern because many organizations don’t appear to be addressing them quickly enough, Forescout said. "Our report shows there's a long history of critical vulnerabilities affecting those routers, and many have been weaponized by botnets and other malware," he says.

The mitigations that DrayTek and Forescout have recommended include disabling remote access if not needed, verifying that no unauthorized remote access profiles have been added, enabling system logging, and using only secure protocols such as HTTPS. To lower risk from similar vulnerabilities in DrayTek routers in the future, security teams should also proactively implement longer-term mitigation measures, he adds.

The advice comes amid signs of growing threat actor activity — including by nation-state actors — targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, Juniper, and Zyxel. In a September advisory, the FBI, the US National Security Agency, and Cyber National Mission Force warned of Chinese threat actors compromising such routers and Internet of Things devices in widespread botnet operations. Two weeks prior to the advisory, the US Cybersecurity and Infrastructure Security Agency added two DrayTek vulnerabilities from 2021 (CVE-2021-20123 and CVE-2021-20124) to its known exploited vulnerabilities list citing active exploitation activity. Yet 38% of more than 704,000 DrayTek devices that Forescout discovered didn't have patches for disclosed vulnerabilities from two years ago. "Many organizations don't have the right level of visibility into unmanaged devices such as routers, so they may be unaware of these issues on their networks," Santos says.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 03 Oct 2024 21:55:28 +0000