DNS Vulnerability Strikes Popular DrayTek Broadband ISP Routers

Monday, May 21st, 2018 (7:45 am) - Score 6,347
draytek 2762 broadband router

Taiwan-based telecoms kit manufacturer DrayTek has announced that a large number of their popular wireless routers are vulnerable to a new security exploit, which enables an attacker to remotely change the device’s DNS and DHCP settings in order to hijack your internet traffic or steal personal data.

The Domain Name System (DNS) converts human-readable names into IP addresses (e.g. examplefakeblah.com to 123.56.32.1) and back again. Most of the time your ISP runs the DNS resolvers your devices use, but end-users can also configure their own computers and routers to use alternatives such as OpenDNS or Google's Public DNS. Sadly, attackers can run their own resolver too: if they can point your router at it, they answer your lookups with whatever addresses they choose and silently redirect your traffic.

Recently a number of people using DrayTek kit spotted that somebody had changed their router’s DNS server to 38.134.121.95, which appears to have been achieved by exploiting a new weakness in the device rather than a brute-force attempt to crack admin passwords. In response DrayTek has published a new firmware update (v3.8.8.2) that should resolve the problem, although not all UK routers appear to have received this yet.

DrayTek Statement

We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers.

In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.

Until you have the new firmware installed, you should check your router’s DNS settings on your router and correct them if changed (or restore from a config backup). We also recommend only using secured (TLS1.2) connections for web admin (for local and remote admin) and disable remote admin unless needed, or until firmware is updated. The list of updated firmware versions is as follows.

The company has done a good job of publishing two useful security advisories, the second of which describes in detail how to resolve the problem. DrayTek notes that their wireless access points (VigorAP series), switches (VigorSwitch series) and the Vigor 2950, 2955, 2960, 3900 and 3300 series routers are NOT affected and do not need updating (but you should still always run the latest firmware on those anyway).
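As an added example (not DrayTek's code, and not part of the original article), the following Python script performs the client-side check DrayTek's statement asks for: it parses the resolver list a machine reports (`ipconfig /all` on Windows or `/etc/resolv.conf` on Linux) and flags the rogue server seen on hijacked routers. The rogue address is the one reported above; the trusted-resolver allowlist and the two sample outputs are constructed for illustration and should be replaced with your ISP's resolvers and your own machines' output.

```python
"""Audit the DNS resolvers a client was handed and flag signs of a router DNS hijack.

Added example; not DrayTek's or ISPreview's code. Assumptions are labelled inline.
"""
import ipaddress
import re
from typing import Dict, List

# Indicator taken from the article: the rogue resolver seen on hijacked DrayTek routers.
ROGUE_RESOLVERS = {"38.134.121.95"}

# Hypothetical allowlist: replace with your ISP's resolvers or the public resolvers
# you configured on purpose (these are Google Public DNS and OpenDNS).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# Constructed sample of `ipconfig /all` output from a Windows DHCP client behind a
# router whose DNS setting has been changed to the rogue server.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 38.134.121.95
                                       8.8.8.8
"""

# Constructed sample of /etc/resolv.conf from a Linux client that resolves via the
# router itself; the router's own upstream DNS setting must then be checked on the router.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home
nameserver 192.168.1.1
"""

_NAMESERVER = re.compile(r"^nameserver\s+(\S+)")
_DNS_SERVERS = re.compile(r"^DNS Servers[ .]*:\s*(\S+)")
_BARE_ADDRESS = re.compile(r"^[0-9A-Fa-f.:]+$")


def parse_resolvers(text: str) -> List[str]:
    """Return resolver addresses from `ipconfig /all` output or a resolv.conf file, in order."""
    resolvers: List[str] = []
    in_dns_block = False  # ipconfig prints extra resolvers on bare continuation lines
    for raw in text.splitlines():
        line = raw.strip()
        m = _NAMESERVER.match(line) or _DNS_SERVERS.match(line)
        if m:
            resolvers.append(m.group(1))
            in_dns_block = line.startswith("DNS Servers")
            continue
        if in_dns_block and _BARE_ADDRESS.match(line):
            resolvers.append(line)
            continue
        in_dns_block = False
    return resolvers


def classify(resolver: str) -> str:
    """Label one resolver: ROGUE (known indicator), trusted, local (LAN forwarder) or unknown."""
    if resolver in ROGUE_RESOLVERS:
        return "ROGUE"
    if resolver in TRUSTED_RESOLVERS:
        return "trusted"
    try:
        addr = ipaddress.ip_address(resolver)
    except ValueError:
        return "unparseable"
    if addr.is_private or addr.is_loopback:
        return "local"
    return "unknown"


def audit(text: str) -> Dict[str, str]:
    """Map each configured resolver to its verdict."""
    return {r: classify(r) for r in parse_resolvers(text)}


def needs_attention(text: str) -> bool:
    """True if any resolver is the known rogue server or an unrecognised public address.

    A 'local' verdict is not a clean bill of health: the client forwards to the router,
    so the router's own DNS setting still has to be inspected on the router (as DrayTek's
    statement advises) and corrected or restored from a config backup if it has changed.
    """
    return any(v in ("ROGUE", "unknown") for v in audit(text).values())


if __name__ == "__main__":
    for label, sample in (("windows client", SAMPLE_IPCONFIG), ("linux client", SAMPLE_RESOLV_CONF)):
        print(label, audit(sample), "ACTION REQUIRED" if needs_attention(sample) else "ok")
```

Run it against the real output of `ipconfig /all` or `cat /etc/resolv.conf` from each machine on the LAN; a "local" verdict means the machine is using the router as its resolver, and the DNS fields on the router's WAN and LAN pages are what must be compared against the ISP's published resolvers.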

List of Vulnerable Routers and New Firmware
Vigor120, version 3.8.8.2
Vigor122, version 3.8.8.2
Vigor130, version 3.8.8.2
VigorNIC 132, version 3.8.8.2
Vigor2120 Series, version 3.8.8.2
Vigor2132, version 3.8.8.2
Vigor2133, version 3.8.8.2
Vigor2760D, version 3.8.8.2
Vigor2762, version 3.8.8.2
Vigor2832, version 3.8.8.2
Vigor2860, version 3.8.8
Vigor2862, version 3.8.8.2
Vigor2862B, version 3.8.8.2
Vigor2912, version 3.8.8.2
Vigor2925, version 3.8.8.2
Vigor2926, version 3.8.8.2
Vigor2952, version 3.8.8.2
Vigor3220, version 3.8.8.2
VigorBX2000, version 3.8.8.2
VigorIPPBX2820, version 3.8.8.2
VigorIPPBX3510, version 3.8.8.2
Vigor2830nv2, version 3.8.8.2
Vigor2820, version 3.8.8.2
Vigor2710, version 3.8.8.2
Vigor2110, version 3.8.8.2
Vigor2830sb, version 3.8.8.2
Vigor2850, version 3.8.8.2
Vigor2920, version 3.8.8.2

11 Responses
  1. A_Builder

    2960 etc. run a different branch of the firmware.

    Their GUI is very different from the other Draytek products.

    They are aimed more at enterprise as they are 1G/1G throughput firewalls with a lot more functionality for VPN and security management.

    What is slightly worrying is that the 130s are vulnerable, which is the modem of choice for FTTC connections. So even if your 2960 dual WAN router box is secure the DNS can still be subverted as it passes through the 130 modems.

    • DevonPaddler

      No, if the Vigor130 is bridging the DNS can’t be “subverted” at all, the risk is only when in Router mode

    • A Builder

      @DevonPaddler

      I wrongly believed the same as you did yesterday.

      You are absolutely right that there should be no risk at all if it was a pure modem which should be a totally transparent interface.

      But then why are they on the official vulnerability list at all?

      Which set me thinking.

      So I thought I would check our fleet of 130s. I too was a bit puzzled as they are in bridge mode out of the box.

      The trouble is that there is a bit more to the 130 than just a dumb modem, as it can report the line stats etc. back to the router dynamically (although I have disabled this by default).

      I’m sorry to say it can be subverted even when in bridge mode. I’ve just tested it on one of ours and I could redirect the DNS to another of our fixed IPs. I don’t want to go into details on a public forum but it was not taxing to do so and took me about 15 minutes to figure out what the issue was.

      So patching the 130s is a must.

    • Aerial Installer

      I think you have something else going on – as a PPPoE modem can’t intercept DNS.

      I’ll task one of my SecOps team to look at a V130 but I sincerely think you are mistaken – if what you say is correct then that is a major security issue and you should report that to Draytek immediately.

      Notwithstanding, you should regularly patch firmware for every network device.

    • DevonPaddler

      The management interface (& line stats reporting) has nothing to do with the modem

      I’m confused what you think you’ve done tbh

      Please report this to Draytek support below as if you’ve found a vulnerability they need to know as does the entire user base ASAP

      DLink modems had a similar(ish) issue some time ago when used with a static IP range but they were routing not bridging

    • Aerial Installer

      For reference, my teams view is “there is no possibility of a Vigor130 subverting, intercepting or redirecting DNS in any manner”

      Thanks

  2. DrayTek UK Support

    Dear ‘A Builder’ – we are surprised to hear this. Could you please contact us by email so that a technician can check into that, thanks.

    • A_Builder

      @DrayTek UK support

      Thanks I had contacted you in the usual way already by email IRL.

    • DrayTek UK Support

      “A Builder”; we’re not sure where you emailed – we can’t find it as we don’t know your real name 🙂 We think your findings may be mistaken on this as the Vigor 130 does NOT have the issue and there will not be updated firmware for it. Perhaps send another email to info@draytek.coyuk and put “A BUILDER” in the title so it’s easier to track, thanks.

  3. NE555

    Vigor130 isn’t a router; and the latest released software for this device is 3.8.2 (not 3.8.8.2). It was released on 27/03/2018, and the release notes don’t mention anything about DNS vulnerabilities.

    https://www.draytek.co.uk/support/downloads/vigor-130
    https://www.draytek.co.uk/support/downloads/vigor-130/send/257-vigor-130/1144-readme-v130-382

  4. A_Builder

    @Aerial Installer
    @DrayTek UK Support
    @DevonPaddler

    Egg on face time here.

    Having looked at the test rig the tech set up for me he didn’t follow my instructions.

    So the reported result is total nonsense.

    There is no issue at all with the DrayTek 130.

    Apologies for wasting peoples time.

    Should have checked myself before posting.

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved