Security Advisory: Buffer Overflow Vulnerabilities (CVE-2024-46550 ~ CVE-2024-46568, CVE-2024-46571, CVE-2024-46580 ~ CVE-2024-46586, CVE-2024-46588 ~ CVE-2024-46598)
Expired30th October 2024
On July 1st, we identified multiple vulnerabilities, where an authenticated user could cause a Denial of Service (DoS) via a crafted input. By an authenticated user, we mean a network administrator who has access to the router, and knows login credentials (username and password), not just a local user who has internet access via the router. This means that the exploitability of the vulerability is low and also a user who is able to exploit these vulnerabilities would likely already have the ability to change or modify the router configuration.
The vulnerabilities are listed under CVE-2024-46550 ~ CVE-2024-46568, CVE-2024-46571, CVE-2024-46580 ~ CVE-2024-46586, CVE-2024-46588 ~ CVE-2024-46598 and are addressed in the newer firmware release listed in the table below. Before upgrading, take a backup of your current config in case you need to restore it later [System Maintenance] > [Config Backup]. Do use the .ALL file to upgrade, otherwise you will wipe your router settings. If you are upgrading from a much older firmware, then please check the release notes carefully for any upgrading instructions. If you are upgrading an estate of devices, then follow best practices to roll out in stages and test pilot sites prior to upgrading.
If you have not already upgraded, we would recommend updating when convenient because it's always recommended to be running the latest firmware. We would also recommend auditing and controlling the number of users that are given login credentials to devices, expecially if external authentication is being used rather than just the router local admin user database. Please refer to this page for further updates or visit https://www.draytek.co.uk/support/downloads/
Affected Products
Model | Firmware Version | Due |
Vigor 2135 | 4.4.5.5 | Released |
Vigor 2763 | 4.4.5.5 | Released |
Vigor 2765 | 4.4.5.5 | Released |
Vigor 2766 | 4.4.5.5 | Released |
Vigor 2865 | 4.4.5.8 | Released |
Vigor 2866 | 4.4.5.8 | Released |
Vigor 2927 | 4.4.5.7 | Released |
Vigor 2962 | 4.4.3.1 | Released |
Vigor 3910 | 4.4.3.1 | Released |
Vigor 3912 | 4.3.6.1 | Released |