#VU12851 Cross-site request forgery in Vigor 2832 and Vigor 2860 - CVE-2018-20872

CSH
CYBERSECURITY HELP
Sign In REGISTER
 
Main Vulnerability Database Vulnerabilities #VU12851

#VU12851 Cross-site request forgery in Vigor 2832 and Vigor 2860 - CVE-2018-20872

Published: May 19, 2018 / Updated: August 20, 2019


Vulnerability identifier: #VU12851
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Green
CVE-ID: CVE-2018-20872
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software:
Vigor 2832
Vigor 2860
Software vendor:
DrayTek Corp.

Description

The vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in DrayTek Vigor web management interface. A remote attacker can change setting of Vigor router.

Note: this vulnerability has been exploited in the wild in May 2018. The attackers changed DNS servers of victims to address: 38.134.121.95

Remediation

Install the latest firmware version from vendors website.
Below is the list of new firmware versions for vulnerable devices:
  • Vigor120, version 3.8.8.2
  • Vigor122, version 3.8.8.2
  • Vigor130, version 3.8.8.2
  • VigorNIC 132, version 3.8.8.2
  • Vigor2120 Series, version 3.8.8.2
  • Vigor2132, version 3.8.8.2
  • Vigor2133, version 3.8.8.2
  • Vigor2760D, version 3.8.8.2
  • Vigor2762, version 3.8.8.2
  • Vigor2832, version 3.8.8.2
  • Vigor2860, version 3.8.8
  • Vigor2862, version 3.8.8.2
  • Vigor2862B, version 3.8.8.2
  • Vigor2912, version 3.8.8.2
  • Vigor2925, version 3.8.8.2
  • Vigor2926, version 3.8.8.2
  • Vigor2952, version 3.8.8.2
  • Vigor3220, version 3.8.8.2
  • VigorBX2000, version 3.8.8.2
  • VigorIPPBX2820, version 3.8.8.2
  • VigorIPPBX3510, version 3.8.8.2
  • Vigor2830nv2, version 3.8.8.2
  • Vigor2820, version 3.8.8.2
  • Vigor2710, version 3.8.8.2
  • Vigro2110, version 3.8.8.2
  • Vigro2830sb, version 3.8.8.2
  • Vigor2850, version 3.8.8.2
  • Vigor2920, version 3.8.8.2

External links