CVE-2024-46591

7.5 HIGH

📋 TL;DR

A buffer overflow vulnerability in Draytek Vigor 3910 routers allows attackers to cause Denial of Service (DoS) by sending specially crafted input to the sDnsPro parameter. This affects organizations using Draytek Vigor 3910 routers with vulnerable firmware versions. The vulnerability can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • Draytek Vigor 3910
Versions: v4.3.2.6 (specific version mentioned in CVE)
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface accessible on default ports. Other Draytek models may be affected but not confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete router crash requiring physical reboot, disrupting all network services for connected users and potentially causing extended downtime.

🟠 Likely Case: Router becomes unresponsive, requiring manual reboot and causing temporary network disruption for all connected devices.

🟢 If Mitigated: Network segmentation and proper firewall rules prevent exploitation attempts, maintaining router functionality.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via the web interface without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but network segmentation reduces exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A buffer overflow in a CGI parameter suggests straightforward exploitation via HTTP requests to the web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available in provided references

Restart Required: Yes

Instructions:

1. Check Draytek website for firmware updates
2. Download latest firmware for Vigor 3910
3. Backup current configuration
4. Upload and install new firmware via web interface
5. Restart router
6. Restore configuration if needed

🔧 Temporary Workarounds

Restrict Web Interface Access (applies to: all)

  • Limit access to the router web management interface to trusted IP addresses only
  • Configure firewall rules to restrict access to the router management IP/ports

Disable Remote Management (applies to: all)

  • Turn off web management interface access from WAN/Internet
  • In router settings: Management > Access Control > Disable 'Allow management from WAN'

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate router management interface
  • Deploy network-based IPS/IDS to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: System Maintenance > Firmware Information

Check Version:

Not applicable - check via web interface or SSH if enabled

Verify Fix Applied:

Verify firmware version is newer than v4.3.2.6 and test web interface functionality

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed HTTP requests to v2x00.cgi
  • Router reboot events in system logs
  • Unusual traffic patterns to router management interface

Network Indicators:

  • HTTP POST requests to /v2x00.cgi with large sDnsPro parameter
  • Sudden drop in router responsiveness

SIEM Query:

source="router_logs" AND (uri="/v2x00.cgi" OR event="reboot")
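As an added example, not part of this advisory or of any DrayTek tooling: a small Python detector that runs the two network indicators above over constructed log lines, flagging oversized sDnsPro values sent to /v2x00.cgi and repeated requests to that CGI from a single source. The key=value log format (a proxy or WAF that records POST bodies), the 256-byte "large" threshold and the five-request burst count are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Assumed (not from the advisory): a constructed key=value log format from a
# proxy/WAF that records POST bodies, and tuning thresholds for "large"/"multiple".
TARGET_URI, PARAM, MAX_LEN, BURST = "/v2x00.cgi", "sDnsPro", 256, 5

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) '
                     r'uri=(?P<uri>\S+) status=(?P<status>\d{3}) body="(?P<body>[^"]*)"$')

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def oversized_param(rec):
    """Length of the largest sDnsPro value sent to v2x00.cgi if it exceeds MAX_LEN, else 0."""
    if rec["uri"].split("?", 1)[0] != TARGET_URI:
        return 0
    longest = max((len(v) for v in parse_qs(rec["body"]).get(PARAM, [])), default=0)
    return longest if longest > MAX_LEN else 0

def analyse(lines):
    """Return (rule, source_ip, value) alerts: one per oversized request, one per bursty source."""
    alerts, hits = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a production pipeline would count these too
        if rec["uri"].split("?", 1)[0] == TARGET_URI:
            hits[rec["src"]] += 1  # every request to the CGI counts, regardless of status
        n = oversized_param(rec)
        if n:
            alerts.append(("oversized_sDnsPro", rec["src"], n))
    alerts += [("burst_v2x00", src, c) for src, c in hits.items() if c >= BURST]
    return alerts

def _log(ts, src, method, uri, status, body=""):
    return f'{ts} src={src} method={method} uri={uri} status={status} body="{body}"'

# Constructed sample: one benign POST, one oversized sDnsPro, five probes from one source.
SAMPLE = [
    _log("2024-10-01T10:00:01Z", "198.51.100.7", "POST", "/v2x00.cgi", 200, "sDnsPro=8.8.8.8&x=1"),
    _log("2024-10-01T10:00:05Z", "198.51.100.7", "POST", "/v2x00.cgi", 500, "sDnsPro=" + "A" * 600),
] + [_log(f"2024-10-01T10:01:0{i}Z", "203.0.113.9", "GET", "/v2x00.cgi", 404) for i in range(5)]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```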
