Attack Chain

1. The attacker identifies a DrayTek Vigor 2960 device running a vulnerable firmware version (prior to 1.5.1.4).
2. The attacker discovers or obtains a valid username for the target device.
3. The attacker determines that the target account has MOTP authentication enabled.
4. The attacker crafts a malicious HTTP POST request to the CGI login handler, injecting shell metacharacters into the formpassword parameter.
5. The crafted request is sent to the /cgi-bin/loginCGI endpoint.
6. The vulnerable otp_check.sh script receives the unsanitized input from the formpassword parameter.
7. The injected shell metacharacters are interpreted by the script, executing arbitrary OS commands with the privileges of the web server.
8. The attacker achieves remote code execution, potentially gaining complete control of the affected device.

Impact

Successful exploitation of CVE-2022-50994 allows an unauthenticated remote attacker to execute arbitrary commands on the DrayTek Vigor 2960 device. This can lead to complete system compromise, including data exfiltration, configuration changes, and denial of service. Given that DrayTek Vigor devices are often used in small to medium-sized businesses, a successful attack could disrupt network operations and lead to significant financial losses.

Recommendation

• Upgrade DrayTek Vigor 2960 devices to firmware version 1.5.1.4 or later to patch CVE-2022-50994.
• Deploy the Sigma rule “Detect CVE-2022-50994 Exploitation — DrayTek Vigor CGI Login Attempt” to your SIEM to identify potential exploitation attempts against the /cgi-bin/loginCGI endpoint.
• Enable logging for web server requests to capture relevant data for the Sigma rule and future investigations.
• Review user accounts and disable MOTP authentication where it is not required to reduce the attack surface.