DNS Vulnerability Strikes Popular DrayTek Broadband ISP Routers

Monday, May 21st, 2018 (7:45 am)

Taiwan-based telecoms kit manufacturer DrayTek has announced that a large number of their popular wireless routers are vulnerable to a new security exploit, which enables an attacker to remotely change the device’s DNS and DHCP settings in order to hijack your internet traffic or steal personal data.

The Domain Name System (DNS) maps between IP addresses and human-readable names (e.g. 123.56.32.1 and examplefakeblah.com). Most of the time your ISP runs the DNS servers, but end-users can also configure their own computers and routers to use custom DNS services like OpenDNS or Google’s Public DNS. Sadly, hackers can also set up their own DNS servers to hijack your internet traffic.

Recently a number of people using DrayTek kit spotted that somebody had changed their router’s DNS server to 38.134.121.95, which appears to have been achieved by exploiting a new weakness in the device rather than a brute-force attempt to crack admin passwords. In response, DrayTek has published a new firmware update (v3.8.8.2) that should resolve the problem, although not all UK routers appear to have received it yet.

DrayTek Statement

We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers.

In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.

Until you have the new firmware installed, you should check your router’s DNS settings and correct them if changed (or restore from a config backup). We also recommend only using secured (TLS1.2) connections for web admin (for local and remote admin) and disabling remote admin unless needed, or until firmware is updated. The list of updated firmware versions is as follows.

The company has done a good job of publishing two useful security updates (here and here) and the second one describes in detail how to resolve the problem. DrayTek notes that their wireless access points (VigorAP series), switches (VigorSwitch series) and the Vigor 2950, 2955, 2960, 3900 and 3300 series routers are NOT affected and do not need updating (but you should still always run the latest firmware on those anyway).
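DrayTek’s interim advice is to check the DNS settings the router is using and correct them if changed. The following Python example (added here, not from the article or DrayTek) automates the client-side version of that check: it reads the DNS servers a router handed out via DHCP from a constructed dhclient lease excerpt and classifies each against an allowlist (the approved resolvers and the 192.168.1.0/24 LAN range are assumptions for the example), flagging the rogue resolver named in the article.

```python
import ipaddress
import re

# Resolvers the administrator expects: the router itself (LAN forwarder)
# and two public resolvers. Constructed allowlist for this example.
APPROVED_DNS = {"192.168.1.1", "8.8.8.8", "1.1.1.1"}
LAN = ipaddress.ip_network("192.168.1.0/24")
KNOWN_ROGUE = {"38.134.121.95"}  # rogue resolver reported in the article

# Constructed excerpt of a dhclient.leases file from a client behind
# a router whose DHCP/DNS settings have been tampered with.
SAMPLE_LEASE = """
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 38.134.121.95,8.8.8.8;
}
"""

def dns_servers_from_lease(text):
    """Return the DNS servers the router handed out via DHCP, in order."""
    m = re.search(r"option domain-name-servers\s+([^;]+);", text)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",") if s.strip()]

def audit_dns(servers, approved=APPROVED_DNS, rogue=KNOWN_ROGUE, lan=LAN):
    """Classify each server as approved, known-rogue, lan or unexpected."""
    findings = []
    for s in servers:
        addr = ipaddress.ip_address(s)  # ValueError on a malformed address
        if s in rogue:
            verdict = "known-rogue"
        elif s in approved:
            verdict = "approved"
        elif addr in lan:
            verdict = "lan"  # a LAN forwarder not on the list: verify it
        else:
            verdict = "unexpected"
        findings.append((s, verdict))
    return findings

def is_compromised(findings):
    # True if any resolver is rogue or simply not one the admin configured
    return any(v in ("known-rogue", "unexpected") for _, v in findings)

if __name__ == "__main__":
    for server, verdict in audit_dns(dns_servers_from_lease(SAMPLE_LEASE)):
        print(f"{server:16} {verdict}")
```

A "known-rogue" or "unexpected" verdict means the router’s DNS (and likely DHCP) configuration should be reset from a known-good backup and the firmware updated before the device is trusted again.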

List of Vulnerable Routers and New Firmware
Vigor120, version 3.8.8.2
Vigor122, version 3.8.8.2
Vigor130, version 3.8.8.2
VigorNIC 132, version 3.8.8.2
Vigor2120 Series, version 3.8.8.2
Vigor2132, version 3.8.8.2
Vigor2133, version 3.8.8.2
Vigor2760D, version 3.8.8.2
Vigor2762, version 3.8.8.2
Vigor2832, version 3.8.8.2
Vigor2860, version 3.8.8
Vigor2862, version 3.8.8.2
Vigor2862B, version 3.8.8.2
Vigor2912, version 3.8.8.2
Vigor2925, version 3.8.8.2
Vigor2926, version 3.8.8.2
Vigor2952, version 3.8.8.2
Vigor3220, version 3.8.8.2
VigorBX2000, version 3.8.8.2
VigorIPPBX2820, version 3.8.8.2
VigorIPPBX3510, version 3.8.8.2
Vigor2830nv2, version 3.8.8.2
Vigor2820, version 3.8.8.2
Vigor2710, version 3.8.8.2
Vigor2110, version 3.8.8.2
Vigor2830sb, version 3.8.8.2
Vigor2850, version 3.8.8.2
Vigor2920, version 3.8.8.2

By Mark Jackson
Comments
11 Responses
  1. A_Builder says:

    2960 etc run a different branch of the firmware.

    Their GUI is very different from the other Draytek products.

    They are aimed more at enterprise as they are 1G/1G throughput firewalls with a lot more functionality for VPN and security management.

    What is slightly worrying is that the 130’s are vulnerable which is the modem of choice for FTTC connections. So even if your 2960 dual WAN router box is secure the DNS can still be subverted as it passes through the 130 modems.

    1. DevonPaddler says:

      No, if the Vigor130 is bridging, the DNS can’t be “subverted” at all; the risk is only when in Router mode.

    2. A Builder says:

      @DevonPaddler

      I wrongly believed the same as you did yesterday.

      You are absolutely right that there should be no risk at all if it was a pure modem which should be a totally transparent interface.

      But then why are they on the official vulnerability list at all?

      Which set me thinking.

      So I thought I would check our fleet of 130’s. I too was a bit puzzled as they are in bridge mode out of the box.

      The trouble is that there is a bit more to the 130 than just a dumb modem, as it can report the line stats etc. back to the router dynamically (although I have disabled this by default).

      I’m sorry to say it can be subverted even when in bridge mode. I’ve just tested it on one of ours and I could redirect the DNS to another of our fixed IPs. I don’t want to go into details on a public forum but it was not taxing to do so and took me about 15 minutes to figure out what the issue was.

      So patching the 130s is a must.

    3. Aerial Installer says:

      I think you have something else going on – as a PPPoE modem can’t intercept DNS.

      I’ll task one of my SecOps team to look at a V130 but I sincerely think you are mistaken – if what you say is correct then that is a major security issue and you should report that to Draytek immediately.

      Notwithstanding – you should regularly patch firmware for every network device.

    4. DevonPaddler says:

      The management interface (& line stats reporting) has nothing to do with the modem

      I’m confused what you think you’ve done tbh

      Please report this to Draytek support below as if you’ve found a vulnerability they need to know as does the entire user base ASAP

      DLink modems had a similar(ish) issue some time ago when used with a static IP range but they were routing not bridging

    5. Aerial Installer says:

      For reference, my team’s view is “there is no possibility of a Vigor130 subverting, intercepting or redirecting DNS in any manner”.

      Thanks

  2. DrayTek UK Support says:

    Dear ‘A Builder’ – we are surprised to hear this. Could you please contact us by email so that a technician can check into that, thanks.

    1. A_Builder says:

      @DrayTek UK support

      Thanks, I had already contacted you in the usual way by email IRL.

    2. DrayTek UK Support says:

      “A Builder”; we’re not sure where you emailed – we can’t find it as we don’t know your real name 🙂 We think your findings may be mistaken on this as the Vigor 130 does NOT have the issue and there will not be updated firmware for it. Perhaps send another email to info@draytek.coyuk and put “A BUILDER” in the title so it’s easier to track, thanks.

  3. NE555 says:

    Vigor130 isn’t a router; and the latest released software for this device is 3.8.2 (not 3.8.8.2). It was released on 27/03/2018, and the release notes don’t mention anything about DNS vulnerabilities.

    https://www.draytek.co.uk/support/downloads/vigor-130
    https://www.draytek.co.uk/support/downloads/vigor-130/send/257-vigor-130/1144-readme-v130-382

  4. A_Builder says:

    @Aerial Installer
    @DrayTek UK Support
    @DevonPaddler

    Egg on face time here.

    Having looked at the test rig the tech set up for me he didn’t follow my instructions.

    So the reported result is total nonsense.

    There is no issue at all with the DrayTek 130.

    Apologies for wasting people’s time.

    Should have checked myself before posting.
