CVE-2024-46589

7.5 HIGH

📋 TL;DR

Draytek Vigor 3910 routers running firmware v4.3.2.6 contain a buffer overflow (CWE-120) in the handling of the sIpv6AiccuUser parameter of the inetipv6.cgi web-management component. An attacker who can reach the web interface and send an oversized value for that parameter can crash the router (Denial of Service). The 7.5 CVSS rating treats the flaw as network-reachable, low-complexity and unauthenticated; the CVE itself claims only availability impact, not code execution.

💻 Affected Systems

Products:
  • Draytek Vigor 3910
Versions: v4.3.2.6 (the only version named in the CVE; neither older nor newer releases are confirmed either way)
Operating Systems: Draytek proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable handler belongs to the IPv6 (AICCU tunnel) setup page of the web management interface. IPv6/AICCU may need to be enabled for that page to be served, but the CVE does not confirm this, so treat reachability of the management interface, rather than the IPv6 setting, as the deciding factor when assessing exposure.

📦 What is this software?

The DrayTek Vigor 3910 is a multi-WAN business router and VPN gateway administered through a built-in web interface (DrayOS firmware). AICCU (Automatic IPv6 Connectivity Client Utility) was the SixXS client for bringing up IPv6-in-IPv4 tunnels; the router's IPv6 setup page, inetipv6.cgi, takes the tunnel account name in the sIpv6AiccuUser parameter. SixXS shut down in 2017, so on most deployments this feature is legacy configuration rather than something in active use.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Router crash that may need a manual power cycle if the watchdog does not recover it. The CVE describes only a crash; memory-corruption bugs of this class can sometimes be turned into code execution, but no such capability has been claimed for this one.

🟠

Likely Case

Router becomes unresponsive requiring reboot, disrupting network connectivity for all connected devices

🟢

If Mitigated

Impact limited to the management VLAN: with remote (WAN-side) management disabled and the web interface reachable only from trusted addresses, an attacker first needs an internal foothold, and a crash affects only that segment.

🌐 Internet-Facing: HIGH - The vulnerable CGI is part of the web management interface; if that interface is reachable from the WAN, the flaw is exposed to anyone on the Internet with no authentication required
🏢 Internal Only: MEDIUM - Still exploitable from the LAN or management VLAN, but the attacker needs a foothold that can reach the web interface first

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - An oversized value for one parameter in a single HTTP request to the CGI handler

Based on CWE-120 (Buffer Copy without Checking Size of Input), exploitation amounts to sending a sIpv6AiccuUser value longer than the destination buffer to inetipv6.cgi; the exact length needed is not public.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown (no fixing release is named in the references available here)

Vendor Advisory: Not available in provided references; check DrayTek's security advisories page for a Vigor3910 entry covering this CVE

Restart Required: Yes

Instructions:

1. Check the DrayTek website for Vigor 3910 firmware newer than 4.3.2.6 and read the release notes for a fix to the IPv6 setup page (inetipv6.cgi) or a reference to this CVE
2. Back up the router configuration first (System Maintenance > Configuration Backup)
3. Download the firmware package; DrayTek ships two images per release: the ".all" image keeps the existing configuration, the ".rst" image resets the router to factory defaults
4. Upload the ".all" image via the web interface (System Maintenance > Firmware Upgrade)
5. Reboot the router after installation and confirm the new version on the status page

🔧 Temporary Workarounds

Disable IPv6 AICCU functionality

Applies to: all

Turn off the IPv6 AICCU tunnel feature served by the vulnerable inetipv6.cgi component. AICCU was the SixXS tunnel client and SixXS shut down in 2017, so the feature is almost certainly unused. Disabling it is not confirmed to make the CGI handler unreachable, so combine it with the access restriction below rather than relying on it alone.

Restrict access to management interface

Applies to: all

Allow the router's web interface (HTTP and HTTPS) only from trusted management addresses, and disable remote (WAN-side) management entirely unless it is genuinely needed. Because the flaw needs no authentication, changing passwords does not help; reachability is the control.

🧯 If You Can't Patch

  • Segment network to isolate Vigor 3910 from untrusted networks
  • Implement strict firewall rules blocking external access to router management interface

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the web interface: System Maintenance > Firmware Information (the dashboard also shows the running version). A router reporting 4.3.2.6 is running the version named in the CVE.

Check Version:

The web interface is the primary source; SNMP sysDescr (1.3.6.1.2.1.1.1.0) also carries the model and firmware string, and on DrayOS routers the telnet/SSH CLI reports it with `sys version`.

Verify Fix Applied:

A version newer than v4.3.2.6 is necessary but not sufficient, because the fixing release is not named here. Before calling the router patched, confirm from DrayTek's release notes or advisory that the installed release lists this CVE (or a fix to the IPv6 setup page).

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /inetipv6.cgi carrying a sIpv6AiccuUser value far longer than any real tunnel username (measure after URL-decoding; a percent-encoded payload is three times longer on the wire than in the buffer)
  • Router crash, watchdog restart or unexpected reboot events in system logs, especially within seconds of such a request

Network Indicators:

  • POST (or GET with a query string) requests to the router management interface from addresses that never administer it
  • Sudden loss of connectivity through the router, with the WAN link and LAN switches otherwise healthy

SIEM Query:

source="router_logs" AND ((uri="/inetipv6.cgi" AND param_size>1000) OR event="router_reboot")

Field names are placeholders, and the 1000-byte threshold is a guess because the real overflow length is not public. Note the parentheses: without them, AND binds tighter than OR and the query would match every reboot event from every source. DrayOS syslog is unlikely to record request parameters, so the first clause needs a log source that sees the request body, such as a reverse proxy, IDS or WAF in front of the management interface.
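As an added example, not taken from the original page or from DrayTek, the detection logic above run over constructed log lines. It assumes a reverse proxy, IDS or WAF in front of the Vigor 3910 that logs request bodies in the one-line layout parsed by PROXY_RE, that the router's syslog reaches the same collector, and a length threshold (MAX_LEN) chosen by the operator; every log line, field name and the threshold are assumptions.

```python
"""Detection for CVE-2024-46589 style requests to inetipv6.cgi, with reboot correlation.

Assumptions (not from the original page or DrayTek): a proxy/IDS/WAF in front of the
router logs request bodies in the layout parsed by PROXY_RE; the router's syslog
reaches the same collector; MAX_LEN is an operator-chosen threshold.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/inetipv6.cgi"
PARAM = "sIpv6AiccuUser"
# Assumed threshold: well above any real tunnel username. The actual overflow
# length is not public, so tune this rather than trusting the number.
MAX_LEN = 128

# Assumed proxy log layout: "<ts> <src_ip> <METHOD> <uri> [body=<urlencoded body>]"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)(?: body=(?P<body>\S*))?$"
)
# Assumed syslog shape: "<ts> <host> <message>"; any reboot/restart wording counts
REBOOT_RE = re.compile(r"^(?P<ts>\S+) \S+ .*\b(?:reboot|restart)\b", re.IGNORECASE)

# Constructed sample data: one benign request, two oversized ones (the second
# percent-encoded, so the raw line under-reports its decoded size), then a restart.
PROXY_LOG = "\n".join([
    "2024-09-10T10:01:12Z 203.0.113.7 POST /inetipv6.cgi body=sIpv6AiccuUser=tunnel42&sIpv6AiccuPass=s3cret",
    "2024-09-10T10:02:40Z 198.51.100.9 POST /inetipv6.cgi body=sIpv6AiccuUser=" + "A" * 1500 + "&sIpv6AiccuPass=x",
    "2024-09-10T10:02:41Z 198.51.100.9 GET /inetipv6.cgi?sIpv6AiccuUser=" + "%41" * 300,
    "2024-09-10T10:05:00Z 203.0.113.7 GET /index.cgi",
])
SYSLOG = "\n".join([
    "2024-09-10T10:00:00Z vigor3910 System: admin login from 203.0.113.7",
    "2024-09-10T10:02:50Z vigor3910 System: router restart (watchdog)",
])


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def param_lengths(uri, body):
    """Decoded lengths of every sIpv6AiccuUser value in the query string and the body.

    Measuring after URL-decoding matters: "%41" * 300 is 900 bytes on the wire but
    300 bytes once the CGI handler decodes it, and the decoded copy is what lands
    in the fixed-size buffer.
    """
    values = parse_qs(urlsplit(uri).query, keep_blank_values=True).get(PARAM, [])
    if body:
        values += parse_qs(body, keep_blank_values=True).get(PARAM, [])
    return [len(v) for v in values]


def find_oversized(proxy_lines, max_len=MAX_LEN):
    """Requests to inetipv6.cgi whose sIpv6AiccuUser exceeds max_len, in log order."""
    hits = []
    for line in proxy_lines:
        m = PROXY_RE.match(line.strip())
        if not m or urlsplit(m["uri"]).path != TARGET_PATH:
            continue
        lengths = param_lengths(m["uri"], m["body"])
        if lengths and max(lengths) > max_len:
            hits.append({"ts": parse_ts(m["ts"]), "src": m["src"],
                         "method": m["method"], "len": max(lengths)})
    return hits


def reboot_times(syslog_lines):
    """Timestamps of syslog lines that report a reboot or restart."""
    return [parse_ts(m["ts"]) for m in map(REBOOT_RE.match, syslog_lines) if m]


def correlate(hits, reboots, window=timedelta(minutes=2)):
    """Attach the first reboot within `window` after each oversized request (None if none)."""
    out = []
    for h in hits:
        after = [r for r in reboots if h["ts"] <= r <= h["ts"] + window]
        out.append({**h, "reboot_after": min(after) if after else None})
    return out


def analyze(proxy_text, syslog_text, max_len=MAX_LEN, window=timedelta(minutes=2)):
    hits = find_oversized(proxy_text.splitlines(), max_len)
    return correlate(hits, reboot_times(syslog_text.splitlines()), window)


if __name__ == "__main__":
    for h in analyze(PROXY_LOG, SYSLOG):
        status = ("followed by restart at %s" % h["reboot_after"]
                  if h["reboot_after"] else "no restart seen")
        print("%s %s %s len=%d: %s" % (h["ts"], h["src"], h["method"], h["len"], status))
```

An oversized request that is followed by a restart within the window is the strongest signal; an oversized request with no restart still deserves a look, since the attacker may simply have guessed the length wrong on that attempt.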

🔗 References

  • NVD entry for CVE-2024-46589: https://nvd.nist.gov/vuln/detail/CVE-2024-46589
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2024-46589