SB2025040126 - Multiple vulnerabilities in Draytek routers

Published: April 1, 2025

Security Bulletin ID SB2025040126
CSH Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 83% Low 17%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Improper Certificate Validation (CVE-ID: CVE-2024-41334)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to missing SSL certificate validation for APP Enforcement signature updates. A remote attacker can install specially crafted APPE modules from unofficial servers and execute arbitrary code on the system.


2) Code Injection (CVE-ID: CVE-2024-41339)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an undocumented kernel module installation path exposed through a CGI configuration endpoint. A remote attacker can execute arbitrary code on the target system.


3) Observable discrepancy (CVE-ID: CVE-2024-41335)

CWE-ID: CWE-203 - Observable discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the affected products use the non-constant-time functions strcmp and memcmp to compare credentials, so the comparison exits at the first mismatching byte. A remote attacker can gain unauthorized access to sensitive information on the system.
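To illustrate the weakness in item 3, the following is an added example (not DrayTek's code) contrasting a strcmp-style comparison that stops at the first differing byte with a constant-time comparison that always examines the whole secret. The bytes_examined counter is instrumentation added for the demonstration; it stands in for the timing signal an observer would measure.

```c
#include <stddef.h>
#include <string.h>

/* Result of one credential comparison: whether it matched and how much
 * work was done (a proxy for elapsed time). */
typedef struct {
    int match;             /* 1 if guess equals secret, else 0 */
    size_t bytes_examined; /* number of byte positions inspected */
} cmp_result;

/* Models strcmp: returns as soon as a byte differs, so the amount of work
 * reveals how long the correct prefix of the guess is (CWE-203). */
cmp_result short_circuit_compare(const char *secret, const char *guess)
{
    cmp_result r = {0, 0};
    for (size_t i = 0; ; i++) {
        r.bytes_examined = i + 1;
        if (secret[i] != guess[i]) {
            return r;            /* mismatch: stop early */
        }
        if (secret[i] == '\0') {
            r.match = 1;         /* both strings ended together */
            return r;
        }
    }
}

/* Constant-time variant: scans every byte of the secret regardless of where
 * (or whether) the guess differs, folding a length mismatch into the result. */
cmp_result constant_time_compare(const char *secret, const char *guess)
{
    size_t n = strlen(secret);
    size_t m = strlen(guess);
    unsigned char diff = (unsigned char)(n != m);
    for (size_t i = 0; i < n; i++) {
        /* Index the guess modulo its length so we never read past it;
         * an empty guess against a non-empty secret already set diff. */
        unsigned char g = (m == 0) ? 0 : (unsigned char)guess[i % m];
        diff |= (unsigned char)secret[i] ^ g;
    }
    cmp_result r = {diff == 0, n};
    return r;
}
```

Run against a constructed secret, the short-circuit version inspects one byte for a wrong first character but eight for a wrong last one, while the constant-time version inspects eight either way.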


4) Unprotected storage of credentials (CVE-ID: CVE-2024-41336)

CWE-ID: CWE-256 - Unprotected Storage of Credentials

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to gain access to sensitive information.

The vulnerability exists because the application stores credentials in plain text. An attacker with physical access can dump the credentials.


5) NULL pointer dereference (CVE-ID: CVE-2024-41338)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can send a specially crafted DHCP request and perform a denial of service (DoS) attack.


6) Arbitrary file upload (CVE-ID: CVE-2024-41340)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to insufficient validation of files during upload. A remote attacker can upload specially crafted APP Enforcement modules and execute arbitrary code on the system.


Remediation

Install the update from the vendor's website.