CVE-2024-46595

7.5 HIGH

📋 TL;DR

A buffer overflow vulnerability in Draytek Vigor 3910 routers allows attackers to cause Denial of Service (DoS) by sending crafted input to the saveitem parameter in lan2lan.cgi. This affects organizations using Draytek Vigor 3910 routers with vulnerable firmware versions. The vulnerability can disrupt network connectivity and router functionality.

💻 Affected Systems

Products:
  • Draytek Vigor 3910
Versions: v4.3.2.6 and potentially earlier versions
Operating Systems: Draytek proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The lan2lan.cgi interface is typically accessible via web management interface. Default configurations may expose this to network access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router crash requiring a physical reboot, persistent network downtime, and potential for remote code execution if the buffer overflow can be leveraged beyond DoS.

🟠 Likely Case

Router becomes unresponsive, requiring a reboot to restore functionality, causing temporary network disruption for connected devices.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Buffer overflow vulnerabilities in web interfaces often have low exploitation complexity. The CWE-120 classification (Buffer Copy without Checking Size of Input, the classic buffer overflow) indicates that input is copied into a fixed-size buffer without a length check.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the Draytek website for firmware updates
2. Download the latest firmware if available
3. Back up the current configuration
4. Upload and install the new firmware via the web interface
5. Restart the router
6. Restore the configuration if needed

🔧 Temporary Workarounds

Restrict Access to Management Interface (applies to: all)

  • Limit access to the router's web management interface to trusted IP addresses only
  • Configure firewall rules to restrict access to the router's management IP on ports 80/443

Disable Unnecessary CGI Functions (applies to: all)

  • If possible, disable or restrict access to the lan2lan.cgi functionality
  • Check the router configuration for CGI access controls

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the router from untrusted networks
  • Deploy network intrusion detection/prevention systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the web interface at System Maintenance > Firmware Information

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify that the installed firmware version is newer than v4.3.2.6 after the update

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed requests to lan2lan.cgi
  • Router reboot events
  • Unusual traffic patterns to router management interface

Network Indicators:

  • HTTP POST requests to /cgi-bin/lan2lan.cgi with large saveitem parameters
  • Sudden loss of router responsiveness

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/lan2lan.cgi" OR event="reboot")
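As an added example (not part of this advisory), the following Python script applies the network indicator above to constructed web-access log lines: it parses each line, keeps only requests to /cgi-bin/lan2lan.cgi, and flags any whose saveitem value (in the query string or the form body) exceeds a length threshold. The log layout, the `body="…"` suffix and the 256-byte threshold are assumptions; adapt them to the logs you actually collect.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumption: saveitem values longer than this are treated as suspicious.
SAVEITEM_MAX_LEN = 256
TARGET_PATH = "/cgi-bin/lan2lan.cgi"

# Combined-log-style line with an optional body="..." suffix holding the POST body
# (constructed layout for this example; real router or proxy logs will differ).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+(?: body="(?P<body>[^"]*)")?$'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def saveitem_length(target, body):
    """Longest saveitem value found in the URL query string or the form body."""
    longest = 0
    for qs in (urlparse(target).query, body or ""):
        for value in parse_qs(qs, keep_blank_values=True).get("saveitem", []):
            longest = max(longest, len(value))
    return longest

def find_suspicious(lines, max_len=SAVEITEM_MAX_LEN):
    """Return (src, timestamp, length) for lan2lan.cgi requests with an oversized saveitem."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or urlparse(rec["target"]).path != TARGET_PATH:
            continue
        length = saveitem_length(rec["target"], rec["body"])
        if length > max_len:
            hits.append((rec["src"], rec["ts"], length))
    return hits

# Constructed sample lines: two benign requests, one oversized value to lan2lan.cgi,
# and one oversized value sent to a different CGI (not flagged by this rule).
SAMPLE_LOGS = [
    '192.0.2.10 - - [10/Oct/2024:12:00:01 +0000] "GET /cgi-bin/lan2lan.cgi?saveitem=profile1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Oct/2024:12:00:02 +0000] "POST /cgi-bin/lan2lan.cgi HTTP/1.1" 200 512 body="saveitem=profile2&other=x"',
    '198.51.100.7 - - [10/Oct/2024:12:00:05 +0000] "POST /cgi-bin/lan2lan.cgi HTTP/1.1" 500 0 body="saveitem=' + "A" * 600 + '"',
    '198.51.100.7 - - [10/Oct/2024:12:00:06 +0000] "POST /cgi-bin/other.cgi HTTP/1.1" 200 10 body="saveitem=' + "A" * 600 + '"',
]

if __name__ == "__main__":
    for src, ts, length in find_suspicious(SAMPLE_LOGS):
        print(f"{ts} {src} oversized saveitem ({length} bytes) sent to {TARGET_PATH}")
```

Pair a hit from this rule with a router reboot event shortly afterwards to raise confidence that the request was an exploitation attempt rather than a misconfigured client.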
