CVE-2021-20123, CVE-2021-20124: DrayTek Vulnerabilities Discovered by Tenable Research Added to CISA KEV
2024-9-10 00:20:28 Author: www.tenable.com(查看原文) 阅读量:7 收藏

Tenable Security Response Team

Tenable Research Advisory Blog header image

With patches out for three years, attackers have set their sights on a pair of vulnerabilities affecting DrayTek VigorConnect.

Background

In November 2021, the Cybersecurity and Infrastructure Security Agency (CISA) launched its Known Exploited Vulnerabilities (KEV) Catalog, an effort to focus on vulnerabilities known to have been exploited and provide defenders with an actionable list of vulnerabilities to prioritize their remediation efforts. On September 3, CISA added three new vulnerabilities to the KEV, two of which were discovered and responsibly disclosed to DrayTek by security researchers from Tenable Research.

CVEDescriptionCVSSv3VPR
CVE-2021-20123DrayTek VigorConnect Unauthenticated Local File Inclusion / Path Traversal Vulnerability7.57.7
CVE-2021-20124DrayTek VigorConnect Unauthenticated Local File Inclusion / Path Traversal Vulnerability7.57.7

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on September 9 and reflects VPR at that time.

Analysis

CVE-2021-20123 and CVE-2021-20124 are local file inclusion vulnerabilities affecting the DownloadFileServlet and WebServlet endpoints on DrayTek VigorConnect, a network management software used to manage and configure DrayTek network devices. Using a specially crafted request with path traversal sequences, an unauthenticated attacker can download arbitrary files from the underlying operating system with root privileges. These vulnerabilities were discovered by researchers at Tenable and disclosed to DrayTek, which subsequently released a patch in October 2021.

Despite these vulnerabilities having readily available patches for three years, nefarious actors have been observed exploiting these unpatched flaws, earning their spot on the CISA KEV list. As we’ve examined in multiple reports, including our 2020, 2021 and 2022 Threat Landscape Reports, known and exploitable vulnerabilities continue to be targeted by threat actors. Simply stated, these vulnerabilities continue to be targeted because they have well-known exploit code and actors continue to find unpatched and vulnerable targets to attack.

Despite the hype, few targets appear to be publicly available

Using platforms such as Shodan.io and a basic query for “draytek” we can see that a staggering over 700,000 assets are returned. Looking closer we note that nearly 610,000 of these devices have port 1723 open, the port used for Point-to-Point Tunneling Protocol (PPTP) on DrayTek Vigor routers. Such a vast number of internet-facing DrayTek assets makes large-scale attacks tempting to threat actors.

Source: Shodan.io

Yet, if we look at the number of internet-facing assets on Shodan.io, specifically for DrayTek VigorConnect based on device title, certificate elements or the hash value of its favicon, we see that only a handful of assets are exposed.

Source: Shodan.io

Looking at other platforms like FOFA, using the VigorConnect favicon hash value as an example, we can see that while the number returned is larger than that of Shodan.io with 44 results (37 unique IPs) it is still a relatively small number.

Source: FOFA

Threat actors might target DrayTek VigorConnect, despite having fewer than 50 internet-facing assets, because of the ease of exploiting a smaller number of systems, which could be automated. Despite the size of its attack surface, VigorConnect could provide access to sensitive network configurations and its reduced complexity might allow attackers to navigate and persist undetected. This makes it a strategic target for establishing access to larger networks while staying under the radar.

Attacks are on the rise

CISA has not provided evidence on the source or level of attacks observed in the wild but, looking at data from Shadowserver — which provides statistics based on server-side attacks seen by their honeypot sensor network — we get some limited insights. Looking at activity for the vendor DrayTek from September 1, 2024 to September 9, the date this blog was published, we can see an uptick in activity for connections to Shadowserver devices for CVE-2021-20123 and CVE-2021-20124. It’s worth noting that while the level of activity is not huge, this is only on Shadowserver devices, which represent a small and specific subset of exposed devices reflecting CISAs warnings regarding observed active exploitation.

Source: Shadowserver

Proof of concept

As part of our responsible disclosure policy, Tenable regularly releases proof-of-concept (PoC) code with our Tenable Research Advisories (TRAs). In a coordinated release on October 8, 2021, Tenable released TRA-2021-42 which included PoCs for both CVE-2021-20123 and CVE-2021-20124.

Solution

DrayTek released VigorConnect version 1.6.1 on October 7, 2021, to address all of the vulnerabilities reported by Tenable Research.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2021-20123 and CVE-2021-20124 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

Tenable Security Response Team

The Tenable Security Response Team (SRT) tracks threat and vulnerability intelligence feeds to ensure our research teams can deliver sensor coverage to our products as quickly as possible. The SRT also works to analyze and assess technical details and writes white papers, blogs and additional communications to ensure stakeholders are fully informed of the latest risks and threats. The SRT provides breakdowns for the latest vulnerabilities on the Tenable blog.

Related Articles

  • Exposure Management

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Thank You

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Thank you

Thank you for your interest in Tenable.io. A representative will be in touch soon.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Thank you

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a sales representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Thank you

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

Request a demo of Tenable Security Center

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

* Field is required

Request a demo of Tenable OT Security

Get the Operational Technology security you need.

Reduce the risk you don’t.

Request a demo of Tenable Identity Exposure

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

Request a demo of Tenable Cloud Security

Exceptional unified cloud security awaits you!

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

See
Tenable One
in action

Exposure management for the modern attack surface.

See Tenable Attack Surface Management in action

Know the exposure of every asset on any platform.

Try Tenable Nessus Professional free

Free for 7 days

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
now available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Try Tenable Nessus Expert free

Free for 7 days.

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements

Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.


文章来源: https://www.tenable.com/blog/cve-2021-20123-cve-2021-20124-draytek-vulnerabilities-discovered-by-tenable-research-added-to
如有侵权请联系:admin#unsafe.sh