UK telcos including BT at risk from DrayTek router vulnerabilities
A series of vulnerabilities in DrayTek’s Vigor router product lines affects multiple comms service providers in the UK, according to new analysis
Some of the UK’s largest communications services providers (CSPs) may have been at significant risk from a series of 14 vulnerabilities in Draytek’s Vigor router devices disclosed on Wednesday 2 October by ForeScout, including big b2b names such as Daisy Communications, Gamma Telecom and Zen Internet, and even BT.
Patches for all the vulnerabilities were made available by DrayTek ahead of the coordinated disclosure. However, according to ForeScout, at the time of disclosure over 704,000 routers were exposed online and, given the FBI took down a botnet comprising some DrayTek assets being used by Chinese spies just a few weeks ago, there may be considerable danger of downstream compromises.
Forescout’s researchers Stanislav Dashevskyi and Francesco La Spina said that approximately 75% of the vulnerable devices were being used in commercial settings. They wrote: “The implications for business continuity and reputation are severe. A successful attack could lead to significant downtime, loss of customer trust and regulatory penalties, all of which fall squarely on a CISO’s shoulders.”
The bugs range in their severity and impact. They include one that enables full system compromise, two that enable reflected cross site scripting (XSS) attacks and two that enable stored XSS attacks, six that enable denial of service (DoS) and remote code execution (RCE), one that enables just DoS, one that enables operating system (OS) command execution and virtual machine escape, and finally, one that allows information disclosure and man-in-the-middle attacks.
Probably the most critical, with the highest possible CVSS score of 10, is CVE-2024-41592, leading to DoS and RCE, in which a function in the router’s web user interface (UI) used to retrieve HTTP request data becomes vulnerable to a buffer overflow when processing query string parameters.
When chained with CVE-2024-41585, the OS command execution bug and the second most severe flaw in the set, it becomes possible for a threat actor to gain remote root access on the host OS and perform network recon and lateral movement, enabling the launch of botnet activity and even leading to malware or ransomware deployment.
Now, additional analysis conducted by Censys has revealed that the exposed DrayTek Vigor devices are predominantly located in the UK, followed by Vietnam, the Netherlands and Taiwan. Out of the 704,000 total, 421,476 are exposing the VigorConnect admin UI online.
“The networks with the largest concentrations of these admin interfaces are a mix of large national ISPs and regional telecom providers. Leading the list is Taiwan-based HINET, which makes sense given that DrayTek is a Taiwanese company,” wrote the Censys team.
In the UK specifically, Censys found 35,866 vulnerable hosts at Gamma Telecom, 31,959 at BT, 21,275 at Daisy Communications and 13,147 at Zen Internet.
Elsewhere in Europe, significant risk may exist at KPN in the Netherlands, with 9,921 vulnerable hosts, and Deutsche Telekom in Germany, with 7,732.
Operators of the vulnerable Vigor routers are being advised to patch their firmware immediately, but also to take care to restrict administrative web UIs from public remote access, and enforce multifactor authentication (MFA) to better protect them.
A BT spokesperson said: “We are aware of this vulnerability. We’re working with external vendors to put remediations in place.”
Computer Weekly contacted the other affected organisations named by Censys but none had responded at the time of publication.
FBI operation
The September 2024 FBI operation against threat actors exploiting DrayTek’s kit – as well as products made by other suppliers – involved a China-based company acting as a front for Beijing’s intelligence-gathering activities by hijacking networking hardware and other Internet of Things (IoT) devices into a Mirai botnet comprising 250,000 devices.
Beijing-based Integrity Technology Group bills itself as a network security services provider, but the FBI investigation linked it to activity consistent with a state-backed threat actor tracked as Flax Typhoon.
Active since 2021, the Flax Typhoon advanced persistent threat (APT) group is known to operate largely on networks owned by Taiwan-based organisations, although according to Microsoft it has been observed targeting organisations elsewhere in Southeast Asia, as well as Africa and North America.
It has mostly been observed operating within government bodies, educational institutions, and manufacturing and IT organisations.