Draytek Critical Vulnerabilities CVE-2024-41334 (and others)

The Curious Codex

2025-03-14 Published, 2025-04-01 Updated

The Author
GEN UK Blog

Adam Jones (Infrastructure)

Adam has been with the firm since 2001.


CVE-2024-41334 (CVSS score 9.8)

On 11 April 2024, Draytek were made aware of a number of vulnerabilities in their Vigor range of routers, including denial of service (DoS), information disclosure and remote code execution (RCE). Draytek have addressed these issues in firmware, and users MUST upgrade to at least the safe version listed below, or preferably the latest version.

CVE-2024-41334, CVE-2024-41335, CVE-2024-41336, CVE-2024-41338, CVE-2024-41339, CVE-2024-41340

ALWAYS ENSURE YOUR NETWORKING HARDWARE IS RUNNING UP TO DATE FIRMWARE

Affected Products & Safe Firmware

Router Model                          Safe Firmware Version
Vigor165                              4.2.7
Vigor166                              4.2.7
Vigor2133                             3.9.9
Vigor2135                             4.4.5.3
Vigor2620 LTE                         3.9.8.9
Vigor2762                             3.9.9
Vigor2763                             4.4.5.3
Vigor2765                             4.4.5.3
Vigor2766                             4.4.5.3
Vigor2832                             3.9.9
Vigor2860 / 2860 LTE                  3.9.8
Vigor2862 / 2862 LTE                  3.9.9.5
Vigor2865 / 2865 LTE                  4.4.5.2
Vigor2866 / 2866 LTE                  4.4.5.2
Vigor2915                             4.4.3.2
Vigor2925 / 2925 LTE                  3.9.8
Vigor2926 / 2926 LTE                  3.9.9.5
Vigor2927 / 2927 LTE / 2927L-5G       4.4.5.5
Vigor2952 / 2952 LTE                  3.9.8.2
Vigor3220n                            3.9.8.2
Vigor1000B                            4.3.2.8
Vigor2962                             4.3.2.8 / 4.4.3.1
Vigor3910                             4.3.2.8 / 4.4.3.1
Vigor3912                             4.3.6.1
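The following is an added example, not part of the original page and not GEN's or Draytek's own tooling: a small Python audit that checks an inventory of Vigor routers against the safe-firmware table above. Versions are compared numerically component by component (a string comparison would rank 3.9.10 below 3.9.8), the two-branch models (Vigor2962 and Vigor3910) are judged against the minimum for the branch the device is already on, and models absent from the table, such as the EOL Vigor2830, are reported as unknown rather than silently passed. The model-name normalisation (folding LTE, ac and L-5G variants onto the base model), the rule that a version newer than every listed minimum counts as safe, tolerance of a trailing tag on the version string, and the inventory itself are assumptions made for the example, not statements from the page.

```python
"""Audit DrayTek Vigor firmware versions against the advisory's safe-version
table. Added example for this page, not GEN's or DrayTek's own tooling."""
from __future__ import annotations

import re

# Minimum safe firmware per model, transcribed from the table above.
# Variants in the same table row (e.g. "2860 / 2860 LTE") share one entry;
# Vigor2962 and Vigor3910 have two maintained branches, hence two minimums.
SAFE_FIRMWARE: dict[str, tuple[str, ...]] = {
    "Vigor165": ("4.2.7",),
    "Vigor166": ("4.2.7",),
    "Vigor2133": ("3.9.9",),
    "Vigor2135": ("4.4.5.3",),
    "Vigor2620": ("3.9.8.9",),          # listed as Vigor2620 LTE
    "Vigor2762": ("3.9.9",),
    "Vigor2763": ("4.4.5.3",),
    "Vigor2765": ("4.4.5.3",),
    "Vigor2766": ("4.4.5.3",),
    "Vigor2832": ("3.9.9",),
    "Vigor2860": ("3.9.8",),
    "Vigor2862": ("3.9.9.5",),
    "Vigor2865": ("4.4.5.2",),
    "Vigor2866": ("4.4.5.2",),
    "Vigor2915": ("4.4.3.2",),
    "Vigor2925": ("3.9.8",),
    "Vigor2926": ("3.9.9.5",),
    "Vigor2927": ("4.4.5.5",),
    "Vigor2952": ("3.9.8.2",),
    "Vigor3220n": ("3.9.8.2",),
    "Vigor1000B": ("4.3.2.8",),
    "Vigor2962": ("4.3.2.8", "4.4.3.1"),
    "Vigor3910": ("4.3.2.8", "4.4.3.1"),
    "Vigor3912": ("4.3.6.1",),
}

_MODEL_RE = re.compile(r"^\s*Vigor\s*(\d+)([A-Za-z]?)", re.IGNORECASE)


def parse_version(ver: str) -> tuple[int, ...]:
    """'3.9.8.9' -> (3, 9, 8, 9). Tuples compare numerically, so 3.9.10
    correctly ranks above 3.9.8, which a plain string compare gets wrong.
    Assumption: a trailing tag after the dotted number (e.g. '_STD') is
    not part of the version and is ignored."""
    core = re.match(r"\s*(\d+(?:\.\d+)*)", ver)
    if not core:
        raise ValueError(f"unparseable firmware version: {ver!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def normalise_model(model: str) -> str | None:
    """Map a device's reported model (e.g. 'Vigor2865 LTE', 'Vigor2927L-5G')
    onto a table key. Assumption for this example: suffixed variants run
    the base model's firmware line, as the table's grouping suggests."""
    match = _MODEL_RE.match(model)
    if not match:
        return None
    digits, suffix = match.groups()
    for candidate in (f"Vigor{digits}", f"Vigor{digits}{suffix}"):
        if candidate in SAFE_FIRMWARE:
            return candidate
    return None  # not in the table, e.g. the EOL Vigor2830


def firmware_status(model: str, running: str) -> str:
    """Return 'safe', 'vulnerable' or 'unknown' for one device."""
    key = normalise_model(model)
    if key is None:
        return "unknown"
    have = parse_version(running)
    minimums = [parse_version(v) for v in SAFE_FIRMWARE[key]]
    # If the device is on a listed branch (same major.minor), judge it
    # against that branch's minimum: 4.4.0.0 on a Vigor2962 is below 4.4.3.1
    # even though it is numerically above the 4.3.2.8 entry.
    for minimum in minimums:
        if have[:2] == minimum[:2]:
            return "safe" if have >= minimum else "vulnerable"
    # Off every listed branch. Assumption: a release newer than all listed
    # minimums carries the fixes; anything older does not.
    return "safe" if have > max(minimums) else "vulnerable"


# Constructed sample inventory for the example, not real customer devices.
INVENTORY = [
    ("Vigor2866", "4.4.5.2"),
    ("Vigor2865 LTE", "4.4.3.1"),
    ("Vigor2962", "4.4.0.0"),
    ("Vigor2962", "4.3.2.8"),
    ("Vigor2927L-5G", "4.4.5.5"),
    ("Vigor2830", "3.8.8.2"),
]


def audit(inventory: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Tag every (model, running_version) pair with its status."""
    return [(m, v, firmware_status(m, v)) for m, v in inventory]


if __name__ == "__main__":
    for model, version, status in audit(INVENTORY):
        print(f"{model:<16} {version:<10} {status}")
```

Feed it the model and firmware strings from your own inventory export; anything reported as unknown needs a manual look, because it is either a model the table does not cover or an end-of-life unit with no patch at all.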

IMPORTANT

DO NOT attempt to update affected devices remotely. They can be forced to reboot by the online DoS/RCE, and a reboot mid-flash will in some cases break the firmware upgrade, leaving the router dead and requiring a replacement or local TFTP firmware provisioning.

Mitigations

If you are unable to update the device firmware, CVE-2024-51138 and CVE-2024-51139 can be partially mitigated by:

  • Disable Remote Access
  • Disable SSL VPN

However, it is strongly recommended to update the firmware ASAP. In most cases this simply means flashing the .all firmware file specific to your router, but if that fails repeatedly you will need to factory reset, flash and then reconfigure.

Obsolete Hardware

Customers with a 2830 who are having issues do not have a firmware patch available, since these models were EOL in 2020. You *should* upgrade to the 2865, but disabling remote management and SSL VPN should mitigate the issue.

Can't Access the web interface?

In some cases the router isn't sufficiently stable to use the web interface, with the router rebooting before you can log in or make any changes. In this case telnet or SSH can be used. The command to telnet/SSH into the router varies by operating system, and the router-side commands to disable VPN and remote management vary by model, so you will need to research this or book time at the HelpDesk.

Why did it take almost a year?

Well, it didn't, and anyone reporting this is plain wrong. Draytek provided patched firmware fixing these CVEs between August and September 2024. These vulnerabilities are complex, hard to exploit and affect a wide selection of hardware; Draytek likely had to rewrite large amounts of code to mitigate them fully, followed by extensive testing before public release.

Maintenance

It is VITALLY IMPORTANT that service providers maintain their Draytek hardware with the latest firmware. GEN patch all our managed routers within 48 hours of any firmware release that contains security fixes, to ensure the stability of our base, but not everyone does this, judging by the support cases hitting the HelpDesk recently. PLEASE keep your firmware up to date; it only takes a few minutes and can save hours of downtime.

Technical Support

If you are experiencing issues and need assistance urgently, visit the HelpDesk and we will help. It isn't free, but it's professional, fast and efficient.


Comments (2)

Ian Walker · 2025-03-26 11:21 UTC
Thank you!

Alex Romanov · 2025-03-26 10:16 UTC
With GEN's help we got our two 2866s back up and running again. We had to disconnect it from the internet, power it off and on, then firmware upgrade and after that we are back online.


--- This content is not legal or financial advice & Solely the opinions of the author ---


Copyright © 2025 GEN Partnership. All Rights Reserved.