{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/draytek/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2022-50994"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Vigor 2960 firmware"],"_cs_severities":["high"],"_cs_tags":["cve","command injection","rce","network device"],"_cs_type":"advisory","_cs_vendors":["DrayTek"],"content_html":"\u003cp\u003eDrayTek Vigor 2960 devices running firmware versions prior to 1.5.1.4 are susceptible to a critical OS command injection vulnerability, tracked as CVE-2022-50994. This flaw resides in the CGI login handler and allows unauthenticated remote attackers to inject arbitrary commands by manipulating the \u003ccode\u003eformpassword\u003c/code\u003e parameter. Successful exploitation requires knowledge of a valid username and that the target account has MOTP authentication enabled. This vulnerability poses a significant risk as it enables attackers to execute commands with web server privileges, potentially leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a DrayTek Vigor 2960 device running a vulnerable firmware version (prior to 1.5.1.4).\u003c/li\u003e\n\u003cli\u003eThe attacker discovers or obtains a valid username for the target device.\u003c/li\u003e\n\u003cli\u003eThe attacker determines that the target account has MOTP authentication enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the CGI login handler, injecting shell metacharacters into the \u003ccode\u003eformpassword\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the \u003ccode\u003e/cgi-bin/loginCGI\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eotp_check.sh\u003c/code\u003e script receives the unsanitized input from the \u003ccode\u003eformpassword\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe injected shell metacharacters are interpreted by the script, executing arbitrary OS commands with the privileges of the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially gaining complete control of the affected device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-50994 allows an unauthenticated remote attacker to execute arbitrary commands on the DrayTek Vigor 2960 device. This can lead to complete system compromise, including data exfiltration, configuration changes, and denial of service. Given that DrayTek Vigor devices are often used in small to medium-sized businesses, a successful attack could disrupt network operations and lead to significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade DrayTek Vigor 2960 devices to firmware version 1.5.1.4 or later to patch CVE-2022-50994.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2022-50994 Exploitation — DrayTek Vigor CGI Login Attempt\u0026rdquo; to your SIEM to identify potential exploitation attempts against the \u003ccode\u003e/cgi-bin/loginCGI\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnable logging for web server requests to capture relevant data for the Sigma rule and future investigations.\u003c/li\u003e\n\u003cli\u003eReview user accounts and disable MOTP authentication where it is not required to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-draytek-rce/","summary":"DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 are vulnerable to OS command injection (CVE-2022-50994) in the CGI login handler, allowing unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter if the target account has MOTP enabled.","title":"DrayTek Vigor 2960 Unauthenticated Remote Command Execution via CVE-2022-50994","url":"https://feed.craftedsignal.io/briefs/2024-01-draytek-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — DrayTek","version":"https://jsonfeed.org/version/1.1"}