PT-2025-9019 · Draytek · Draytek Vigor 3912 and 9 other products

Published: 2025-02-27 · Updated: 2025-03-13 · CVE-2024-41335

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Draytek Vigor 165/166 versions prior to 4.2.6
Draytek Vigor 2620/LTE200 versions prior to 3.9.8.8
Draytek Vigor 2860/2925 versions prior to 3.9.7
Draytek Vigor 2862/2926 versions prior to 3.9.9.4
Draytek Vigor 2133/2762/2832 versions prior to 3.9.8
Draytek Vigor 2135/2765/2766 versions prior to 4.4.5.1
Draytek Vigor 2865/2866/2927 versions prior to 4.4.5.3
Draytek Vigor 2962/3910 versions prior to 4.3.2.7
Draytek Vigor 3912 versions prior to 4.3.5.2
Draytek Vigor 2925 versions up to 3.9.6

Description

The issue is related to the use of insecure versions of the strcmp and memcmp functions in Draytek devices, which could allow attackers to obtain sensitive information via timing attacks.

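The weakness class described above, shown as an added example that is not DrayTek firmware code: an early-exit comparison reads a number of bytes that depends on how much of the input matches the secret, while a constant-time comparison always reads all of them. The function names and the sample token values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TOKEN_LEN 8
/* Constructed sample values, not taken from any device. */
static const uint8_t SECRET[]       = "k9Xq2Lm7";
static const uint8_t GUESS_NONE[]   = "zzzzzzzz"; /* no matching prefix */
static const uint8_t GUESS_PREFIX[] = "k9Xqzzzz"; /* first 4 bytes match */

/* Early-exit comparison, as memcmp()/strcmp() are free to behave: stops at
 * the first mismatch. *examined is the number of bytes read, which is the
 * quantity a response-time measurement approximates. */
static int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = n;
    return 1;
}

/* Constant-time comparison: every byte is XORed into an accumulator, with no
 * data-dependent branch or early return. volatile keeps the compiler from
 * short-circuiting the loop. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = n;
    return diff == 0;
}

int main(void)
{
    const uint8_t *inputs[] = { GUESS_NONE, GUESS_PREFIX, SECRET };
    for (size_t k = 0; k < 3; k++) {
        size_t leaky_n, ct_n;
        int r1 = leaky_equal(SECRET, inputs[k], TOKEN_LEN, &leaky_n);
        int r2 = ct_equal(SECRET, inputs[k], TOKEN_LEN, &ct_n);
        printf("%.8s  leaky: eq=%d bytes=%zu   ct: eq=%d bytes=%zu\n",
               (const char *)inputs[k], r1, leaky_n, r2, ct_n);
    }
    return 0;
}
```

In production code, prefer a vetted primitive such as OpenSSL's `CRYPTO_memcmp` or the BSD `timingsafe_bcmp` over a hand-written loop.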
Recommendations

For Draytek Vigor 165/166 versions prior to 4.2.6, update to version 4.2.6 or later.
For Draytek Vigor 2620/LTE200 versions prior to 3.9.8.8, update to version 3.9.8.8 or later.
For Draytek Vigor 2860/2925 versions prior to 3.9.7, update to version 3.9.7 or later.
For Draytek Vigor 2862/2926 versions prior to 3.9.9.4, update to version 3.9.9.4 or later.
For Draytek Vigor 2133/2762/2832 versions prior to 3.9.8, update to version 3.9.8 or later.
For Draytek Vigor 2135/2765/2766 versions prior to 4.4.5.1, update to version 4.4.5.1 or later.
For Draytek Vigor 2865/2866/2927 versions prior to 4.4.5.3, update to version 4.4.5.3 or later.
For Draytek Vigor 2962/3910 versions prior to 4.3.2.7, update to version 4.3.2.7 or later.
For Draytek Vigor 3912 versions prior to 4.3.5.2, update to version 4.3.5.2 or later.
For Draytek Vigor 2925 versions up to 3.9.6, update to version 3.9.7 or later.

Fix

Side Channel Attack


Weakness Enumeration

Related Identifiers

BDU:2025-09911
CVE-2024-41335

Affected Products

Draytek Vigor 165/166
Draytek Vigor 2133/2762/2832
Draytek Vigor 2135/2765/2766
Draytek Vigor 2620/LTE200
Draytek Vigor 2860/2925
Draytek Vigor 2862/2926
Draytek Vigor 2865/2866/2927
Draytek Vigor 2925
Draytek Vigor 2962/3910
Draytek Vigor 3912