Taiwan-based telecoms kit manufacturer DrayTek has announced that a large number of its popular routers are vulnerable to a newly discovered weakness in their web administration interface, which can let an attacker remotely change the device’s DNS and DHCP settings in order to hijack your internet traffic or steal personal data.
The Domain Name System (DNS) converts human-readable domain names (e.g. examplefakeblah.com) into IP addresses (e.g. 123.56.32.1) and back again. Most of the time your ISP runs the DNS servers you use, but end-users can also configure their own computers and routers to use alternative resolvers such as OpenDNS or Google’s Public DNS. Unfortunately attackers can also set up their own resolvers: a device pointed at a malicious resolver can be fed false answers that send its traffic to servers the attacker controls.
Recently a number of people using DrayTek kit spotted that somebody had changed their router’s DNS server to 38.134.121.95, which appears to have been achieved by exploiting a new weakness in the device rather than by brute-forcing admin passwords. In response DrayTek has published a firmware update (v3.8.8.2) that should resolve the problem, although not all UK routers appear to have received it yet.
DrayTek Statement
We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers.
In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.
Until you have the new firmware installed, you should check your router’s DNS settings and correct them if changed (or restore from a config backup). We also recommend only using secured (TLS 1.2) connections for web admin (for local and remote admin) and disabling remote admin unless needed, or until the firmware is updated. The list of updated firmware versions is as follows.
The company has done a good job of publishing two useful security updates (here and here) and the second one describes in detail how to resolve the problem. DrayTek notes that their wireless access points (VigorAP series), switches (VigorSwitch series) and the Vigor 2950, 2955, 2960, 3900 and 3300 series routers are NOT affected and do not need updating (but you should still always run the latest firmware on those anyway).
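One practical form of the “check your router’s DNS settings” advice, as an added example that is not part of the article or of DrayTek’s own tooling: a host-side Python check that reads the resolvers a client machine actually received (a resolv.conf-style file and an ISC-style DHCP lease, both constructed inline here) and flags the rogue address reported above. The allowlist of trusted resolvers is an assumption for the example; substitute your ISP’s or your own. It also encodes the caveat a practitioner needs: if the client’s resolver is the router’s LAN address, the router is forwarding, and a hijacked upstream setting is only visible in the router’s own admin pages.

```python
"""Host-side check for a hijacked DNS configuration.

Added example for this article, not DrayTek's own tooling. It parses the
resolvers a client machine ended up with (a resolv.conf-style file and a
DHCP lease file, both constructed inline below) and classifies each one,
flagging the rogue address reported in the DrayTek incident.
"""
import ipaddress
import re

# Resolver that affected DrayTek users found in their router settings (from the article).
ROGUE_RESOLVERS = {"38.134.121.95"}

# Assumed allowlist for this example: replace with your ISP's resolvers or the
# public resolvers you deliberately configured.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
DHCP_DNS_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def extract_resolvers(resolv_conf="", dhcp_lease=""):
    """Return the distinct resolver addresses named in the two inputs, in order."""
    candidates = NAMESERVER_RE.findall(resolv_conf)
    for group in DHCP_DNS_RE.findall(dhcp_lease):
        candidates.extend(part.strip() for part in group.split(","))
    seen, resolvers = set(), []
    for addr in candidates:
        if addr and addr not in seen:
            seen.add(addr)
            resolvers.append(addr)
    return resolvers


def classify(addr):
    """Classify one resolver address.

    rogue          - the address seen in the reported hijack
    trusted        - on the allowlist
    lan-forwarder  - a private/local address, i.e. the router itself is
                     forwarding; a hijacked upstream setting then lives in the
                     router's own DNS/WAN configuration, which a host-side
                     check cannot see
    unknown        - anything else: investigate
    invalid        - not an IP address at all
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in ROGUE_RESOLVERS:
        return "rogue"
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "lan-forwarder"
    return "unknown"


def check_resolvers(resolv_conf="", dhcp_lease=""):
    """Map each resolver found in the inputs to its classification."""
    return {addr: classify(addr) for addr in extract_resolvers(resolv_conf, dhcp_lease)}


def needs_attention(report):
    """Split a report into resolvers to fix now (rogue/unknown/invalid) and
    router forwarders whose upstream settings must be checked on the router."""
    bad = sorted(a for a, v in report.items() if v in ("rogue", "unknown", "invalid"))
    via_router = sorted(a for a, v in report.items() if v == "lan-forwarder")
    return bad, via_router


# Constructed sample input: a client that got its resolvers from the router via DHCP.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
"""

SAMPLE_DHCP_LEASE = """lease {
  interface "eth0";
  fixed-address 192.168.1.20;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 38.134.121.95, 8.8.8.8;
  option domain-name "home.lan";
}
"""

if __name__ == "__main__":
    report = check_resolvers(SAMPLE_RESOLV_CONF, SAMPLE_DHCP_LEASE)
    for addr, verdict in report.items():
        print(f"{addr:<16} {verdict}")
    bad, via_router = needs_attention(report)
    if bad:
        print("Suspect resolvers, restore the router's DNS settings:", ", ".join(bad))
    if via_router:
        print("Router forwarders, check their upstream DNS settings on the router too:", ", ".join(via_router))
```

On a real machine, feed it the contents of /etc/resolv.conf and the DHCP client’s lease file in place of the constructed samples; any “rogue” or “unknown” hit means the DNS settings should be corrected or restored from a config backup as DrayTek advises, and a “lan-forwarder” hit means the router’s own WAN/DNS page is where to look.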
List of Vulnerable Routers and New Firmware
Vigor120, version 3.8.8.2
Vigor122, version 3.8.8.2
Vigor130, version 3.8.8.2
VigorNIC 132, version 3.8.8.2
Vigor2120 Series, version 3.8.8.2
Vigor2132, version 3.8.8.2
Vigor2133, version 3.8.8.2
Vigor2760D, version 3.8.8.2
Vigor2762, version 3.8.8.2
Vigor2832, version 3.8.8.2
Vigor2860, version 3.8.8
Vigor2862, version 3.8.8.2
Vigor2862B, version 3.8.8.2
Vigor2912, version 3.8.8.2
Vigor2925, version 3.8.8.2
Vigor2926, version 3.8.8.2
Vigor2952, version 3.8.8.2
Vigor3220, version 3.8.8.2
VigorBX2000, version 3.8.8.2
VigorIPPBX2820, version 3.8.8.2
VigorIPPBX3510, version 3.8.8.2
Vigor2830nv2, version 3.8.8.2
Vigor2820, version 3.8.8.2
Vigor2710, version 3.8.8.2
Vigor2110, version 3.8.8.2
Vigor2830sb, version 3.8.8.2
Vigor2850, version 3.8.8.2
Vigor2920, version 3.8.8.2
The 2960 etc. run a different branch of the firmware.
Their GUI is very different from the other Draytek products.
They are aimed more at enterprise as they are 1G/1G throughput firewalls with a lot more functionality for VPN and security management.
What is slightly worrying is that the 130s are vulnerable, which is the modem of choice for FTTC connections. So even if your 2960 dual WAN router box is secure, the DNS can still be subverted as it passes through the 130 modems.
No, if the Vigor130 is bridging, the DNS can’t be “subverted” at all; the risk is only when in Router mode.
@DevonPaddler
I wrongly believed the same as you did yesterday.
You are absolutely right that there should be no risk at all if it was a pure modem which should be a totally transparent interface.
But then why are they on the official vulnerability list at all?
Which set me thinking.
So I thought I would check our fleet of 130s. I too was a bit puzzled as they are in bridge mode out of the box.
The trouble is that there is a bit more to the 130 than just a dumb modem, as it can report the line stats etc. back to the router dynamically (although I have disabled this by default).
I’m sorry to say it can be subverted even when in bridge mode. I’ve just tested it on one of ours and I could redirect the DNS to another of our fixed IPs. I don’t want to go into details on a public forum, but it was not taxing to do so and took me about 15 minutes to figure out what the issue was.
So patching the 130s is a must.
I think you have something else going on, as a PPPoE modem can’t intercept DNS.
I’ll task one of my SecOps team to look at a V130, but I sincerely think you are mistaken. If what you say is correct then that is a major security issue and you should report it to DrayTek immediately.
Notwithstanding that, you should regularly patch firmware for every network device.
The management interface (& line stats reporting) has nothing to do with the modem
I’m confused about what you think you’ve done, tbh.
Please report this to DrayTek support below, as if you’ve found a vulnerability they need to know, as does the entire user base, ASAP.
D-Link modems had a similar(ish) issue some time ago when used with a static IP range, but they were routing, not bridging.
For reference, my team’s view is “there is no possibility of a Vigor130 subverting, intercepting or redirecting DNS in any manner”.
Thanks
Dear ‘A Builder’ – we are surprised to hear this. Could you please contact us by email so that a technician can check into that, thanks.
@DrayTek UK support
Thanks I had contacted you in the usual way already by email IRL.
“A Builder”; we’re not sure where you emailed – we can’t find it as we don’t know your real name 🙂 We think your findings may be mistaken on this as the Vigor 130 does NOT have the issue and there will not be updated firmware for it. Perhaps send another email to info@draytek.coyuk and put “A BUILDER” in the title so it’s easier to track, thanks.
Vigor130 isn’t a router; and the latest released software for this device is 3.8.2 (not 3.8.8.2). It was released on 27/03/2018, and the release notes don’t mention anything about DNS vulnerabilities.
https://www.draytek.co.uk/support/downloads/vigor-130
https://www.draytek.co.uk/support/downloads/vigor-130/send/257-vigor-130/1144-readme-v130-382
@Aerial Installer
@DrayTek UK Support
@DevonPaddler
Egg on face time here.
Having looked at the test rig the tech set up for me, he didn’t follow my instructions.
So the reported result is total nonsense.
There is no issue at all with the Vigor130.
Apologies for wasting peoples time.
Should have checked myself before posting.