Earlier today an anonymous reader left a comment on my Saturday ‘Public ICS Disclosure’ blog post pointing out a mistake in my reporting on the second DrayTek advisory. I had reported that the advisory described “seven classic buffer overflow vulnerabilities in multiple Vigor routers”. As the anonymous commenter noted, the number should have been 16, not seven. My mistake arose from the way I read the advisory’s listing of the vulnerabilities:
“The Buffer Overflow Vulnerabilities have been discovered, which could potentially allow an authenticated attacker to cause a Denial of Service (DoS) via a crafted input. The vulnerabilities have been announced under CVE-2024-46550 CVE-2024-46568, CVE-2024-46571, CVE-2024-46580 CVE-2024-46586, CVE-2024-46588 ~ CVE-2024-46598.”
The highlighted ‘~’ is what I overlooked: it marks an inclusive range of consecutive CVE numbers, so the last item alone covers eleven CVEs. To be fair, DrayTek used the same convention for listing consecutive CVEs in their first advisory, and I caught their meaning there; I just missed it here. Mea culpa. And many thanks to the anonymous commenter for catching that error.
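As an added illustration, not part of the original post and not code from DrayTek or from the researcher, here is a small Python parser that expands an advisory CVE listing using the ‘~’ range convention and counts the distinct identifiers; run on the listing quoted above, it returns 16. The function names, the treatment of commas and whitespace as plain separators, and the rule that a range must stay within one year are my assumptions; the listing string itself is copied from the advisory text quoted above.

```python
import re
from typing import List

# The CVE listing quoted from the second DrayTek advisory (copied from the post above).
DRAYTEK_LISTING = (
    "CVE-2024-46550 CVE-2024-46568, CVE-2024-46571, CVE-2024-46580 "
    "CVE-2024-46586, CVE-2024-46588 ~ CVE-2024-46598"
)

# One CVE identifier: a four-digit year, then a sequence number of at least four digits.
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")


def _expand_range(start: str, end: str) -> List[str]:
    """Expand 'start ~ end' into every consecutive CVE ID, inclusive of both ends."""
    s, e = CVE_RE.fullmatch(start), CVE_RE.fullmatch(end)
    if not s or not e:
        raise ValueError(f"malformed CVE ID in range {start!r} ~ {end!r}")
    year, year_end = s.group(1), e.group(1)
    if year != year_end:
        # Assumption: a '~' range never crosses a year boundary.
        raise ValueError(f"range {start!r} ~ {end!r} spans two years")
    first, last = int(s.group(2)), int(e.group(2))
    if last < first:
        raise ValueError(f"range {start!r} ~ {end!r} runs backwards")
    width = len(s.group(2))  # keep the zero-padding of the original ID
    return [f"CVE-{year}-{n:0{width}d}" for n in range(first, last + 1)]


def expand_cve_list(text: str) -> List[str]:
    """Turn an advisory's CVE listing into individual IDs, in listing order.

    Commas and whitespace are treated as plain separators; the only structure
    is the '~' marker, which joins the ID before it and the ID after it into
    an inclusive range. Duplicates are dropped so a CVE is counted once.
    """
    tokens = re.findall(r"CVE-\d{4}-\d{4,}|~", text)
    ids: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "~":
            raise ValueError("'~' with no CVE ID before it")
        if i + 1 < len(tokens) and tokens[i + 1] == "~":
            if i + 2 >= len(tokens) or tokens[i + 2] == "~":
                raise ValueError(f"'{tok} ~' with no CVE ID after it")
            ids.extend(_expand_range(tok, tokens[i + 2]))
            i += 3
        else:
            ids.append(tok)
            i += 1
    return list(dict.fromkeys(ids))  # dedupe while preserving first occurrence


def count_cves(text: str) -> int:
    """Number of distinct CVEs an advisory listing actually covers."""
    return len(expand_cve_list(text))


if __name__ == "__main__":
    print(f"{count_cves(DRAYTEK_LISTING)} CVEs:")
    for cve in expand_cve_list(DRAYTEK_LISTING):
        print(" ", cve)
```

The five stand-alone IDs plus the eleven in the ‘46588 ~ 46598’ range give the 16 the commenter counted; a reader who drops the ‘~’ token, as I did, sees only the seven explicit identifiers.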
Looking at the NVD.NIST.gov listings for all 16 CVEs, these are all ‘Classic Buffer Overflow’ vulnerabilities. The CNA for every one of the CVEs is listed as ‘MITRE’, with a publication date of September 18th, 2024. They were apparently reported to MITRE directly by the researcher, since the only reference provided on each CVE record is a variation of “(https)://ink-desk-28f.notion.site/Draytek-vigor-3910-Analysis-Report-XXXX”, where the ‘XXXX’ is a unique alphanumeric string for each CVE. Access to the linked sites is restricted. Each CVE record does, however, list the parameter and file where that particular buffer overflow occurs.