CVE-2024-41593

Q: What is the severity of CVE-2024-41593?

CVE-2024-41593 has a CVSS score of 9.8 (CRITICAL). CVE-2024-41593 is a critical heap-based buffer overflow vulnerability in DrayTek Vigor310 devices that allows remote attackers to execute arbitrary code. The vulnerability occurs due to sign-extension issues in the ft_payload_dns() function, enabling remote code execution without authentication. Organizations using affected DrayTek Vigor310 devices are at risk of complete device compromise.

9.8 CRITICAL

Remote Code Execution Buffer Overflow

📋 TL;DR

CVE-2024-41593 is a critical heap-based buffer overflow vulnerability in DrayTek Vigor310 devices that allows remote attackers to execute arbitrary code. The vulnerability occurs due to sign-extension issues in the ft_payload_dns() function, enabling remote code execution without authentication. Organizations using affected DrayTek Vigor310 devices are at risk of complete device compromise.

💻 Affected Systems

Products:

DrayTek Vigor310

Versions: through 4.3.2.6

Operating Systems: DrayTek proprietary firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running affected firmware versions are vulnerable regardless of configuration. The vulnerability is in DNS handling functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing attacker to install persistent backdoors, pivot to internal networks, intercept all network traffic, and use device as botnet node.

🟠

Likely Case

Remote code execution leading to device compromise, credential theft, network reconnaissance, and potential lateral movement to connected systems.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering, but still vulnerable to internal threats or compromised adjacent systems.

🌐 Internet-Facing: HIGH - Devices exposed to internet are directly exploitable without authentication via DNS traffic.

🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this vulnerability through DNS requests.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public research includes technical details and exploitation vectors. The vulnerability requires sending specially crafted DNS packets to the device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check DrayTek for latest firmware updates beyond 4.3.2.6

Vendor Advisory: https://www.draytek.com/support/security-advisory/

Restart Required: Yes

Instructions:

1. Log into Vigor310 web interface. 2. Navigate to System Maintenance > Firmware Upgrade. 3. Download latest firmware from DrayTek support portal. 4. Upload and apply firmware update. 5. Reboot device after update completes.

🔧 Temporary Workarounds

DNS Traffic Filtering

all

Block or filter inbound DNS traffic to Vigor310 devices from untrusted sources

Network Segmentation

all

Isolate Vigor310 devices in separate VLAN with restricted access

🧯 If You Can't Patch

Remove internet-facing exposure by placing devices behind firewalls with strict inbound filtering
Implement network monitoring for anomalous DNS traffic patterns to Vigor310 devices

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System Maintenance > Firmware Information. If version is 4.3.2.6 or earlier, device is vulnerable.

Check Version:

No CLI command - use web interface at System Maintenance > Firmware Information

Verify Fix Applied:

Verify firmware version is updated beyond 4.3.2.6 and test DNS functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

Unusual DNS query patterns
Firmware modification attempts
Unexpected process execution

Network Indicators:

Malformed DNS packets to Vigor310 devices
Unexpected outbound connections from Vigor310

SIEM Query:

source_ip="Vigor310_IP" AND (protocol="DNS" AND packet_size>threshold) OR destination_ip="Vigor310_IP" AND protocol="DNS" AND payload_contains_suspicious_patterns

📊 Metadata

CVE ID: CVE-2024-41593

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: October 3, 2024

Last Updated: March 13, 2025

🔗 References

https://www.forescout.com/resources/draybreak-draytek-research/ Mitigation,Technical Description,Third Party Advisory
https://www.forescout.com/resources/draytek14-vulnerabilities Broken Link

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Vigor1000b Firmware by Draytek

Vigor1000b Firmware by Draytek

Vigor165 Firmware by Draytek

Vigor166 Firmware by Draytek

Vigor2133 Firmware by Draytek

Vigor2135 Firmware by Draytek

Vigor2620 Firmware by Draytek

Vigor2762 Firmware by Draytek

Vigor2763 Firmware by Draytek

Vigor2765 Firmware by Draytek

Vigor2766 Firmware by Draytek

Vigor2832 Firmware by Draytek

Vigor2860 Firmware by Draytek

Vigor2862 Firmware by Draytek

Vigor2865 Firmware by Draytek

Vigor2866 Firmware by Draytek

Vigor2915 Firmware by Draytek

Vigor2925 Firmware by Draytek

Vigor2926 Firmware by Draytek

Vigor2952 Firmware by Draytek

Vigor2962 Firmware by Draytek