CVE-2024-51138
Published: 27 February 2025
Description
In Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5 and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier; Vigor3910 4.4.3.1 and earlier, a stack-based buffer overflow vulnerability has been identified in the URL parsing functionality of the TR069 STUN server. This flaw occurs due to insufficient bounds checking on the number of URL parameters, allowing an attacker to exploit the overflow by sending a maliciously crafted request. Consequently, a remote attacker can execute arbitrary code with elevated privileges.
Security Summary
CVE-2024-51138 is a stack-based buffer overflow vulnerability (CWE-121) affecting the URL parsing functionality in the TR069 STUN server of multiple DrayTek Vigor router models. The flaw impacts Vigor165/166 versions 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3.9.9.5 and earlier; Vigor2133/2762/2832 3.9.9 and earlier; Vigor2135/2765/2766 4.4.5 and earlier; Vigor2865/2866/2927 4.4.5.3 and earlier; Vigor2962 4.3.2.8 and earlier; Vigor3912 4.3.6.1 and earlier; and Vigor3910 4.4.3.1 and earlier. It stems from insufficient bounds checking on the number of URL parameters processed.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction by sending a maliciously crafted request to the TR069 STUN server. Successful exploitation triggers the buffer overflow, enabling arbitrary code execution with elevated privileges. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical impact on confidentiality, integrity, and availability.
Advisories providing mitigation guidance, including patches, are available from DrayTek at http://draytek.com and in the Faraday Labs report on multiple DrayTek router vulnerabilities at https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946.
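The bounds check on the number of URL parameters that the summary above says was insufficient, shown in a small query-string parser. This is an added illustration of the bug class (CWE-121), not DrayTek firmware code; the function names, `MAX_PARAMS` and `MAX_URL` are assumptions chosen for the example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PARAMS 8      /* assumed capacity of the fixed stack array */
#define MAX_URL    256    /* assumed maximum query length accepted */

struct param { const char *key; const char *value; };

/* Split "k=v&k2=v2" in place. Returns the number of parameters stored,
 * or -1 if the input holds more than `cap` parameters. */
static int split_params(char *query, struct param *out, size_t cap)
{
    size_t n = 0;
    char *p = query;
    while (p != NULL && *p != '\0') {
        char *next = strchr(p, '&');
        if (next != NULL)
            *next++ = '\0';
        if (*p != '\0') {               /* skip empty segments such as "&&" */
            /* Without this check the parameter count in the request,
             * not the array size, decides how far the loop writes. */
            if (n >= cap)
                return -1;
            char *eq = strchr(p, '=');
            if (eq != NULL)
                *eq++ = '\0';
            out[n].key = p;
            out[n].value = (eq != NULL) ? eq : "";
            n++;
        }
        p = next;
    }
    return (int)n;
}

/* Parse the query string of `url`; -1 means the request must be rejected. */
int count_url_params(const char *url)
{
    char buf[MAX_URL];
    struct param params[MAX_PARAMS];    /* fixed-size stack storage */
    const char *q = strchr(url, '?');
    if (q == NULL)
        return 0;
    q++;
    if (strlen(q) >= sizeof buf)        /* bound the copy as well as the count */
        return -1;
    memcpy(buf, q, strlen(q) + 1);
    return split_params(buf, params, MAX_PARAMS);
}
```

A caller treats `-1` as a malformed request and drops it rather than processing a truncated parameter list.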
Details
- CWE(s)