CVE-2024-41334

CVE-2024-41334 is an improper certificate validation vulnerability (CWE-295) affecting multiple Draytek Vigor router models, including Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6. The flaw occurs because these devices do not perform certificate verification when uploading APPE (Application Program Extension Environment) modules, enabling the installation of modules from unauthorized sources.

Attackers can exploit this vulnerability over the network with low complexity and low privileges (PR:L), requiring no user interaction. Successful exploitation allows uploading crafted APPE modules from non-official servers, resulting in arbitrary code execution on the device. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability.

Mitigation involves updating affected devices to the vendor-recommended firmware versions listed above, as indicated in the vulnerability description. Additional details are available in advisories from Draytek at http://draytek.com and Faraday Labs at https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946.