CVE-2024-46554
📋 TL;DR
A buffer overflow vulnerability exists in the profname parameter of the v2x00.cgi component in Draytek Vigor 3910 firmware version 4.3.2.6. Attackers can exploit this by sending specially crafted input to cause a Denial of Service (DoS), potentially crashing the device. Organizations using this specific firmware version on Vigor 3910 routers are affected.
💻 Affected Systems
- Draytek Vigor 3910
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device crash requiring physical reboot, extended service disruption, and potential for remote code execution if the overflow can be controlled to execute arbitrary code.
Likely Case
Denial of Service causing device reboot and temporary network outage for connected users.
If Mitigated
Limited impact with proper network segmentation and monitoring, though device may still reboot if exploited.
🎯 Exploit Status
Based on CWE-120 (Buffer Copy without Checking Size of Input), exploitation likely requires sending oversized input to the profname parameter. No public exploit code identified in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not provided in references
Restart Required: Yes
Instructions:
1. Check Draytek security advisories for patch availability.
2. If a patch exists, download the firmware update from the Draytek support portal.
3. Back up the current configuration.
4. Upload and apply the firmware update via the web interface.
5. Reboot the device after the update.
🔧 Temporary Workarounds
Restrict access to web interface
- Limit access to the router's web management interface to trusted internal IP addresses only.
- Configure firewall rules to block external access to ports 80/443 on the Vigor 3910.
Disable unused services
- Disable remote management and unnecessary CGI services if not required.
- Navigate to System Maintenance > Management > Access Control in the web interface and restrict management access.
🧯 If You Can't Patch
- Segment the Vigor 3910 behind a firewall with strict inbound rules
- Implement network monitoring for abnormal traffic patterns to the device
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the web interface under System Maintenance > System Information. If the version is exactly 4.3.2.6, the device is vulnerable.
Check Version:
No separate version-check tool; read the version from the web interface or, if SSH is enabled, run: show version
Verify Fix Applied:
After updating, verify firmware version has changed from 4.3.2.6 in System Information.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed HTTP requests to v2x00.cgi
- Device reboot logs without normal shutdown
- Large input size in web server logs
Network Indicators:
- Unusual HTTP POST requests to /v2x00.cgi with oversized parameters
- Sudden loss of connectivity to the device
SIEM Query:
source="vigor3910" AND ((uri="/v2x00.cgi" AND content_length>1000) OR event_type="system_reboot")
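The three log indicators listed above (repeated failed requests to v2x00.cgi, oversized request bodies, and a reboot with no orderly shutdown logged before it) checked in a single pass over log lines, as an added example that is not part of the original advisory and not a Draytek tool. The web and system log formats, the thresholds, and the sample lines are constructed assumptions for illustration; the content_length>1000 cut-off mirrors the SIEM query, and the path is matched by suffix so a /cgi-bin/ prefix would still be caught.

```python
import re
from collections import Counter

# Thresholds are assumptions for illustration; tune them to the device's normal traffic.
OVERSIZED_BYTES = 1000      # same cut-off as the content_length>1000 SIEM query
FAILED_REQUEST_LIMIT = 3    # repeated non-2xx responses from one source to the CGI
TARGET_PATH = "/v2x00.cgi"

# Web access line: combined-log style with the request Content-Length appended as the
# last field. Constructed format, not the Vigor 3910's actual log layout.
WEB_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<clen>\d+)$'
)
# System event line: "<iso-timestamp> <host> system: <message>". Also constructed.
SYS_LINE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) system: (?P<msg>.+)$')

# Constructed sample log; not captured from a real device.
SAMPLE_LOG = [
    # normal management traffic from an internal admin host
    '10.0.0.5 - - [01/Oct/2024:10:00:01 +0000] "GET /doc/index.htm HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 0',
    '10.0.0.5 - - [01/Oct/2024:10:00:05 +0000] "POST /v2x00.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0" 180',
    # repeated failed hits, then an oversized body, from an outside address
    '198.51.100.7 - - [01/Oct/2024:10:02:10 +0000] "POST /v2x00.cgi HTTP/1.1" 400 0 "-" "curl/8.0" 240',
    '198.51.100.7 - - [01/Oct/2024:10:02:11 +0000] "POST /v2x00.cgi HTTP/1.1" 400 0 "-" "curl/8.0" 240',
    '198.51.100.7 - - [01/Oct/2024:10:02:12 +0000] "POST /v2x00.cgi HTTP/1.1" 400 0 "-" "curl/8.0" 240',
    '198.51.100.7 - - [01/Oct/2024:10:02:20 +0000] "POST /v2x00.cgi HTTP/1.1" 500 0 "-" "curl/8.0" 4096',
    # the device comes back up with no orderly shutdown logged beforehand
    '2024-10-01T10:02:45Z vigor3910 system: startup complete',
    # later an administrator reboots it properly: shutdown first, then startup
    '2024-10-01T18:00:00Z vigor3910 system: shutdown requested by admin',
    '2024-10-01T18:01:30Z vigor3910 system: startup complete',
]


def parse_line(line):
    """Return ('web', fields) or ('sys', fields), or None for unrecognised lines."""
    m = WEB_LINE.match(line)
    if m:
        f = m.groupdict()
        f["status"] = int(f["status"])
        f["clen"] = int(f["clen"])
        return "web", f
    m = SYS_LINE.match(line)
    if m:
        return "sys", m.groupdict()
    return None


def analyze(lines):
    """Walk the log once and return the alerts, in the order they are triggered."""
    alerts = []
    failures = Counter()            # source IP -> failed requests to the CGI so far
    clean_shutdown_pending = False  # True once an orderly shutdown has been logged
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "web":
            path = f["path"].split("?", 1)[0]
            if not path.endswith(TARGET_PATH):
                continue
            # Indicator: large input size on a request to the vulnerable CGI
            if f["clen"] > OVERSIZED_BYTES:
                alerts.append({"type": "oversized_request", "ip": f["ip"],
                               "bytes": f["clen"], "ts": f["ts"]})
            # Indicator: multiple failed requests to v2x00.cgi from one source
            if f["status"] >= 400:
                failures[f["ip"]] += 1
                if failures[f["ip"]] == FAILED_REQUEST_LIMIT:
                    alerts.append({"type": "repeated_failures", "ip": f["ip"],
                                   "count": FAILED_REQUEST_LIMIT, "ts": f["ts"]})
        else:
            # Indicator: device reboot without a normal shutdown logged first
            msg = f["msg"].lower()
            if "shutdown" in msg:
                clean_shutdown_pending = True
            elif "startup" in msg or "reboot" in msg:
                if not clean_shutdown_pending:
                    alerts.append({"type": "unexpected_reboot", "ts": f["ts"]})
                clean_shutdown_pending = False
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log this reports the third failed request from 198.51.100.7, the 4096-byte body on the next request, and the 10:02:45 startup that had no shutdown before it; the admin-initiated reboot at 18:00 is silent. The repeated-failure alert fires once per source at the threshold rather than on every subsequent failure, which keeps a noisy source from flooding the queue.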