CVE-2024-41335

CVE-2024-41335 is a vulnerability in multiple Draytek Vigor router models, including Vigor 165/166 prior to v4.2.6, Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6. The issue arises from the use of insecure versions of the strcmp and memcmp functions, enabling potential disclosure of sensitive information through timing attacks (CWE-203). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The vulnerability can be exploited by any unauthenticated attacker with network access to the affected device. Exploitation requires low complexity and no user interaction, allowing remote attackers to perform timing analysis on strcmp and memcmp operations to infer sensitive data, such as credentials or other confidential information stored or processed by the router.

Vendor advisories, including those on the Draytek website (http://draytek.com) and a Faraday Labs report (https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946), indicate that mitigation involves updating to the fixed firmware versions specified for each model.