CSRF in multiple DrayTek routers



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-20872
CWE-ID CWE-352
Exploitation vector Network
Public exploit This vulnerability is being exploited in the wild.
Vulnerable software
Vigor 2832
Hardware solutions / Security hardware applicances

Vigor 2860
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor DrayTek Corp.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Cross-site request forgery

EUVDB-ID: #VU12851

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-20872

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in DrayTek Vigor web management interface. A remote attacker can change setting of Vigor router.

Note: this vulnerability has been exploited in the wild in May 2018. The attackers changed DNS servers of victims to address: 38.134.121.95

Mitigation

Install the latest firmware version from vendors website.
Below is the list of new firmware versions for vulnerable devices:

  • Vigor120, version 3.8.8.2
  • Vigor122, version 3.8.8.2
  • Vigor130, version 3.8.8.2
  • VigorNIC 132, version 3.8.8.2
  • Vigor2120 Series, version 3.8.8.2
  • Vigor2132, version 3.8.8.2
  • Vigor2133, version 3.8.8.2
  • Vigor2760D, version 3.8.8.2
  • Vigor2762, version 3.8.8.2
  • Vigor2832, version 3.8.8.2
  • Vigor2860, version 3.8.8
  • Vigor2862, version 3.8.8.2
  • Vigor2862B, version 3.8.8.2
  • Vigor2912, version 3.8.8.2
  • Vigor2925, version 3.8.8.2
  • Vigor2926, version 3.8.8.2
  • Vigor2952, version 3.8.8.2
  • Vigor3220, version 3.8.8.2
  • VigorBX2000, version 3.8.8.2
  • VigorIPPBX2820, version 3.8.8.2
  • VigorIPPBX3510, version 3.8.8.2
  • Vigor2830nv2, version 3.8.8.2
  • Vigor2820, version 3.8.8.2
  • Vigor2710, version 3.8.8.2
  • Vigro2110, version 3.8.8.2
  • Vigro2830sb, version 3.8.8.2
  • Vigor2850, version 3.8.8.2
  • Vigor2920, version 3.8.8.2

Vulnerable software versions

Vigor 2832: 3.8.3.3 - 3.8.8.1

Vigor 2860: 3.8.4.1 - 3.8.7

CPE2.3 External links

http://www.draytek.co.uk/support/security-advisories/kb-advisory-csrf-and-dns-dhcp-web-attacks
http://www.draytek.com/en/about/news/2018/notification-of-urgent-security-updates-to-draytek-router...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



###SIDEBAR###