DrayTek users told to patch routers as 15 security vulnerabilities confirmed

It has been a rough few days for DrayTek after a whole bunch of security vulnerabilities were confirmed to affect a whole bunch of its routers. Worse still, CISA (the Cybersecurity and Infrastructure Security Agency) confirmed that one of those vulnerabilities was being actively exploited.

To be specific, CISA (also known as America’s Cyber Defense Agency) decided that one vulnerability was serious enough to add to its Known Exploited Vulnerabilities Catalog (KEV). This gives certain US federal agencies limited time to mitigate the risk.

Why the worry? According to the CISA warning, OS command injection vulnerabilities of this type are “frequent attack vectors for malicious cyber actors”.

You can see what DrayTek has to say about CVE-2020-15415 (yes, as the 2020 suggests, it’s a really old vulnerability being actively exploited) here. The TL;DR is that it concerns Vigor 3900, Vigor 2960 and Vigor 300B routers and could enable a remote code execution attack.

14 more DrayTek router vulnerabilities

The remaining 14 vulnerabilities – yes, that’s right, count them – are much more recent.

A newly published report from the boffins at Forescout Research Vedere Labs discloses the issues with Common Vulnerabilities and Exposures (CVE) ratings. These range from the maximum criticality of 10 out of 10, to another with 9.1 and right down to one on, erm, one.

The report, which has to come with a catchy name these days, is called Dray:Break.

It’s really quite shocking: 14 vulnerabilities impacting 704,000 routers across 168 countries. The UK comes off worst, with 425,000 of them located here, and 125,000 in Asia.

I advise you to refer to the report for the details of which 24 devices are affected. Of these, 11 have already reached end-of-life status with all the security update baggage that brings to the patching party.

“Routers are crucial for keeping internal systems connected to the outside world yet too many organisations overlook their security until they are exploited by attackers,” said Barry Mainz, Forescout CEO.

“Cybercriminals work around the clock to find cracks in routers’ defences, using them as entry points to steal data or cripple business operations.”

Daniel dos Santos, Head of Security Research at Forescout, warned that “organisations must immediately patch affected DrayTek devices with the latest firmware”.

He added: “Disabling unnecessary remote access, implementing access control lists and two-factor authentication, and monitoring for anomalies through syslog logging are all crucial steps.”

Expert advice to mitigate vulnerabilities

To gain a wider perspective, I turned to Adam Brown, Managing Security Consultant at Black Duck Software. He said that while “vulnerabilities are inevitable in tech due to software decay, and while it’s not surprising to find these discovered in end-of-life technology, it’s concerning to see them in current products”.

He added: “It’s disappointing to see these bugs in the wild now. This situation is further impacted by DrayTek’s market, which appears to be small to medium enterprises, who are less likely to have strong cybersecurity capabilities to detect and act on these findings.”

The good news is that all of the vulnerabilities have been patched following responsible disclosure by the researchers. Please check the DrayTek security advisories for more information.

I have reached out to DrayTek for a statement.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
