CVE-2024-41338
Published: 27 February 2025
Description
A NULL pointer dereference in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to cause a Denial of Service (DoS) via a crafted DHCP request.
Security Summary
CVE-2024-41338 is a NULL pointer dereference vulnerability (CWE-476) affecting multiple Draytek Vigor router models running firmware versions prior to specified patches, including Vigor 165/166 before v4.2.6, Vigor 2620/LTE200 before v3.9.8.8, Vigor 2860/2925 before v3.9.7, Vigor 2862/2926 before v3.9.9.4, Vigor 2133/2762/2832 before v3.9.8, Vigor 2135/2765/2766 before v4.4.5.1, Vigor 2865/2866/2927 before v4.4.5.3, Vigor 2962/3910 before v4.3.2.7, Vigor 3912 before v4.3.5.2, and Vigor 2925 up to v3.9.6. The issue occurs in the processing of DHCP requests, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited by unauthenticated attackers with network access, requiring low complexity and no user interaction. By sending a specially crafted DHCP request to the device, an attacker can trigger the NULL pointer dereference, causing a Denial of Service that disrupts device availability, such as crashing the router and halting network services.
Advisories recommend updating affected Draytek Vigor devices to the patched firmware versions listed in the CVE description or later. Further details on mitigations and patches are available from the vendor at http://draytek.com and the Faraday security advisory at https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946.
Details
- CWE(s)