DrayTek Router Vulnerability (CVE-2022-32548) – Next Steps

Technical Advice

The vulnerability described on this and the previous pages affects various models and firmware versions of DrayTek Vigor routers, as detailed on the initial vulnerability page. If you have one of these routers and it is unpatched, you may be at risk of being exploited through this vulnerability. The potential threat and harm associated with it have been independently scored as posing a critical risk to most organisations.

IMPORTANT: While SEROCU are notifying organisations of this vulnerability, the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.

What to do now

1) Verify this Vulnerability Exists for the Organisation

It is advisable that you engage with the senior leadership of the organisation throughout this process. We have also provided non-technical information for them, which can be read on the manager’s information pages for this vulnerability.

The key steps should be to establish:

  • Does your organisation use one of the affected DrayTek Vigor routers listed in the table on the initial page for this vulnerability?
  • Is the router running one of the affected DrayOS firmware versions listed in the table on the initial page for this vulnerability?
  • If yes, install the available security update.

2) Establish if this Vulnerability has already been exploited on your systems

As stated previously, the Operation Configured team are not in possession of any intelligence to suggest that this vulnerability is or has been actively exploited by criminals, nor of whether your organisation has been compromised as a result of it. However, we would ask you to consider whether you wish to establish if criminals have taken advantage of this vulnerability in preparation for an attack on you. History shows us that cyber-criminals often loiter in the systems of their victims for a period, which may be days to months, before a visible attack happens.

How you detect this depends on the nature of your systems and it is highly likely you will need advice from your ICT team or provider to work this out. It is likely to involve some degree of looking at computer logs for clues or ‘Indicators of Compromise’.

Exploitation of this vulnerability can be detected by logging or alerting when a malformed base64 string is sent in an HTTP POST request to the /cgi-bin/wlogin.cgi endpoint of the router’s web management interface. Typically the strings are found in the ‘aa’ and ‘ab’ fields of the POST request and may contain more than three ‘%3D’ (URL-encoded ‘=’) padding characters.
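
The following Python is an added example, not part of this advisory, showing how the detection heuristic above can be applied to logged requests. The endpoint and field names are those given in the text; the record format (request path plus URL-encoded form body) and the sample records are constructed assumptions, and the strict base64 check goes slightly beyond the page's "more than three pads" rule because well-formed base64 never carries more than two.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Endpoint and form fields named in the advisory text.
TARGET_PATH = "/cgi-bin/wlogin.cgi"
SUSPECT_FIELDS = ("aa", "ab")
# The advisory's heuristic: more than three '=' (URL-encoded %3D) pads is anomalous.
MAX_PADDING_ON_PAGE = 3


def is_strict_base64(s: str) -> bool:
    """True if s is well-formed standard base64: length a multiple of 4,
    only alphabet characters, and at most two '=' pads at the very end."""
    if len(s) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", s):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except binascii.Error:
        return False


def inspect_post(path: str, body: str) -> list:
    """Return (field, reason) findings for one logged POST request."""
    findings = []
    if path != TARGET_PATH:
        return findings                      # only the login endpoint is of interest
    params = parse_qs(body, keep_blank_values=True)  # URL-decodes %3D back to '='
    for field in SUSPECT_FIELDS:
        for value in params.get(field, []):
            pad_count = value.count("=")
            if pad_count > MAX_PADDING_ON_PAGE:
                findings.append((field, f"{pad_count} padding chars (>{MAX_PADDING_ON_PAGE})"))
            elif not is_strict_base64(value):
                findings.append((field, "not well-formed base64"))
    return findings


# Constructed sample records (not real captures): (request path, form body).
SAMPLE_POSTS = [
    ("/cgi-bin/wlogin.cgi", "aa=YWRtaW4%3D&ab=cGFzc3dvcmQ%3D"),                    # benign
    ("/cgi-bin/wlogin.cgi", "aa=QUFBQUFBQUFBQUFBQUFBQQ%3D%3D%3D%3D%3D&ab=eA%3D%3D"),  # excess pads
    ("/cgi-bin/wlogin.cgi", "aa=%21%21not_base64%21%21&ab=eA%3D%3D"),              # bad alphabet
    ("/cgi-bin/other.cgi", "aa=%3D%3D%3D%3D%3D"),                                  # ignored path
]


def scan(posts):
    """Return (record index, finding) pairs across a batch of logged requests."""
    return [(i, f) for i, (path, body) in enumerate(posts) for f in inspect_post(path, body)]
```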

Verify that port mirroring, DNS settings, authorized VPN access and any other relevant settings have not been tampered with from within the management interface of the device.

Locating other forms of persistence

NCSC guidance also provides general advice on how to prevent and detect lateral movement in organisation networks.

Attackers are known to establish persistence on networks by creating scheduled tasks that periodically execute a binary. By reviewing the list of current scheduled tasks on a device, suspicious activity can be identified, investigated and eradicated.

If you believe your systems have been compromised, please read our advice on reporting cybercrime:


3) Establish the Threat, Risk and Harm this Poses to You

Not every vulnerability will pose the same risk to all organisations. The level of risk this presents to your organisation should influence how you move forward in resolving this vulnerability, in particular the speed at which you do so. Technical advice is essential to making a proper assessment of risk, but the final decision on what risk is acceptable is a managerial or strategic one.

The Threat – is what may happen. In this case, that means the exploitation of this vulnerability.

The Harm – is the likely adverse consequence of the threat actually happening. The question you need to ask yourself is: “Based on what I have read about this, what are criminals likely to be able to do to the organisation if they do exploit this vulnerability – what harm will this cause?” Harm may manifest itself in many ways – financial, operational, personal, etc… The harm may be direct or indirect – for example, there may be obvious financial harms (cost of responding to and resolving an incident, lost revenue, etc…) as well as further organisational harms such as regulatory fines.

As stated previously, the consequences of ignoring this vulnerability, or choosing not to resolve it, may include but are not limited to:

  • Leaking sensitive data
  • Access to the internal systems, services and resources
  • Ransomware
  • Data theft
  • Man-In-The-Middle attacks
  • Botnet activity
  • Denial of Service
  • Fines from regulators such as the Information Commissioner’s Office (ICO)
  • Operations ceasing because of system failure, reputational damage or financial losses

The Risk – this is the likelihood the threat will occur. It may well be that you are confident this vulnerable system is well protected through other measures and the risk is low as a result. It is important you understand the risk in the context of this organisation and your systems. Determining the acceptable degree of risk is a skill in itself and underestimating the risk can have catastrophic consequences for the organisation.


4) Isolate and Mitigate the Immediate Risk

You may not be able to immediately resolve this vulnerability – this is something highly dependent on the nature of the systems and organisation and the availability of a fix for this vulnerability. It is essential that you develop an understanding of how best to resolve this vulnerability including any potential adverse consequences.

Because of this, it is important to explore how best to mitigate the immediate risk: can it be removed or reduced, at least temporarily, until the bigger issue is resolved? This often means isolating the affected system so that it cannot talk to other parts of the network, and probably cutting it off from the public internet. Doing this quickly may prevent a serious attack in the very near future. It may sometimes be quicker, easier and safer overall to fully fix the vulnerability from the outset.


5) Plan to Resolve this Vulnerability

Vendor Advice – DrayTek

Routers are network perimeter devices and are prime targets for criminals. Running an earlier firmware version on a DrayTek Vigor router leaves the device (and all network resources behind it) vulnerable to compromise, so system administrators should continually check firmware versions and update as new versions become available.

Take a backup of the router’s current configuration (System Maintenance -> Config Backup) in case it is needed later for a restore. Use the ‘.ALL’ firmware file to upgrade; otherwise the router settings will be wiped. (If upgrading from a much older firmware, check the release notes for your model for any upgrade instructions.)

Administrators are recommended to run the latest firmware version on the affected DrayTek Vigor router, to provide the strongest level of defence against any potential attacks, by downloading the latest version from:

https://www.draytek.com/support/latest-firmwares

Do not expose the management interface to the internet (disable remote access) unless absolutely required.

Change the router admin password of the affected router and revoke any secret stored on the router that may have been leaked.

It is recommended that two-factor authentication is enabled, that access is restricted by IP address (or range), and that an access control list is used, to increase the security of the device and minimise the risk of an attack. The access control list only applies if you are NOT using SSL VPN to connect.

DrayTek provide the facility to receive timely notifications relating to firmware or critical updates to ensure devices are kept up to date:

https://www.draytek.co.uk/information/mailing-list


6) Plan for the Future

The final phase of responding to this notification is learning. This is an opportunity for the organisation to improve things and become independently proactive in identifying and resolving this kind of problem. A cyber attack is one of the most likely adverse incidents to face any organisation in the modern world and requires a dedicated strategy, ownership at a strategic level and a plan for regular review with iterative improvement.


For more guidance:

Disclaimer: The advice provided on this website is for general information only and is not intended to replace specific professional advice relevant to your organisation. Information on the website is not comprehensive and may not reflect the most recent legislation, practice, advice or application to your specific circumstances.

The South-East Regional Organised Crime Unit (SEROCU) does not accept any responsibility for any loss which may arise from reliance on information or materials published on this website. It is not responsible for the content of external internet sites that link to this site or which are linked from it.