CVE-2021-42911
📋 TL;DR
This is a critical format string vulnerability in DrayTek router firmware that allows remote attackers to execute arbitrary code by sending specially crafted HTTP messages. Attackers can potentially gain full control of affected routers without authentication. All users of DrayTek Vigor 2960, 3900, and 300B routers with firmware version 1.5.1.3 or earlier are affected.
💻 Affected Systems
- DrayTek Vigor 2960
- DrayTek Vigor 3900
- DrayTek Vigor 300B
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains complete control of router, installs persistent backdoors, intercepts all network traffic, pivots to internal network, and uses router as launch point for further attacks.
Likely Case
Remote attacker executes arbitrary code to modify router configuration, steal credentials, redirect traffic, or install cryptocurrency miners.
If Mitigated
Attack prevented by patching; if unpatched but behind firewall, risk reduced to internal threats only.
🎯 Exploit Status
Public proof-of-concept exists in GitHub gist. Exploitation requires sending crafted HTTP request with malformed query string to mainfunction.cgi endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 1.5.1.3
Vendor Advisory: https://www.draytek.com/support/security-advisory/
Restart Required: Yes
Instructions:
1. Log into DrayTek router web interface. 2. Navigate to System Maintenance > Firmware Upgrade. 3. Download latest firmware from DrayTek support site. 4. Upload and apply firmware update. 5. Reboot router after update completes.
🔧 Temporary Workarounds
Restrict Web Interface Access
allLimit access to router web interface to trusted IP addresses only
Configure firewall rules to restrict access to router IP on ports 80/443 to management IPs only
Disable Remote Management
allTurn off remote management features if not required
In router web interface: System Maintenance > Management > Disable 'Enable Web Config from WAN'
🧯 If You Can't Patch
- Place router behind firewall with strict inbound rules blocking all external access to router management interface
- Implement network segmentation to isolate router from critical internal systems
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface: System Maintenance > Firmware Upgrade. If version is 1.5.1.3 or lower, system is vulnerable.Check Version:
curl -k https://[router-ip]/cgi-bin/mainfunction.cgi?action=version (Note: This may vary by model)Verify Fix Applied:
After patching, verify firmware version shows > 1.5.1.3 in System Maintenance > Firmware Upgrade page.📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to mainfunction.cgi with malformed query strings
- Multiple failed login attempts followed by successful exploit patterns
- Unexpected process execution or configuration changes
Network Indicators:
- HTTP requests containing format string specifiers (%s, %n, %x) in query parameters
- Traffic to mainfunction.cgi with unusually long or malformed query strings
- Outbound connections from router to suspicious external IPs
SIEM Query:
source_ip=router_ip AND (url="*mainfunction.cgi*" AND (query="*%*" OR query_length>500))