Serious Security Vulnerability Hits DrayTek’s UK Fibre Routers

Monday, Jul 12th, 2021 (2:08 pm) - Score 3,384

Customers using several high-end fibre (SFP / VPN Firewall) routers from popular Taiwan-based manufacturer DrayTek, specifically their Vigor 3910 (retailing at c.£690) and Vigor 2962 (c.£380) models, need to grab the latest security update ASAP. Otherwise, they risk leaving themselves exposed to a “critical” new exploit.

The vulnerability itself lies in the WebGUI system software inside the router, which was found to be exploitable if Remote Management was enabled without an Access Control List (ACL) in place. In short, the router’s admin and Virtual Private Network (VPN) credentials could be discovered, leaving the network operator exposed to an attack.

Users of affected models are being advised to upgrade to firmware v3.9.6.3 or later as soon as possible, and you can find the UK / Ireland downloads for that here.

DrayTek Statement

The exploit could allow an attacker to discover admin and VPN credentials. As an additional precaution, we recommend that router admin passwords and any VPN passwords & PSKs are updated. We’re not aware of any published PoC (proof-of-concepts) relating to this vulnerability but are recommending the post upgrade steps to update credentials as a prudent action. After upgrading, do check that the web interface now shows the new firmware version. Always back up your config before doing an upgrade.

If you’re unable to upgrade your firmware immediately, then it’s wise to disable remote access to your device or use an ACL for remote access. Credits to James for spotting.
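For anyone running more than one of these routers, the advisory above boils down to three checks per device: is it an affected model, is the firmware older than v3.9.6.3, and is Remote Management on without an ACL. The script below is an added example, not code from ISPreview or DrayTek; the inventory records and their field names are constructed for illustration and are not DrayTek's configuration format.

```python
# Added example (not from the article or DrayTek): audit an inventory of
# routers against the advisory. Field names below are assumptions, not
# DrayTek's config schema; the inventory itself is constructed sample data.
from typing import NamedTuple

FIXED_VERSION = (3, 9, 6, 3)          # first fixed firmware per the advisory
AFFECTED_MODELS = {"Vigor 3910", "Vigor 2962"}


def parse_version(v: str) -> tuple:
    """Turn 'v3.9.6.3' into a tuple of ints so versions compare numerically.
    Plain string comparison would wrongly rank '3.9.6.10' below '3.9.6.3'."""
    return tuple(int(p) for p in v.lstrip("vV").split("."))


class Router(NamedTuple):
    name: str
    model: str
    firmware: str
    remote_mgmt: bool   # Remote Management enabled on the WAN side
    acl: list           # permitted management sources; empty list = no ACL


def assess(r: Router) -> str:
    """Classify a router as unaffected, patched, exposed or mitigated."""
    if r.model not in AFFECTED_MODELS:
        return "unaffected"
    if parse_version(r.firmware) >= FIXED_VERSION:
        return "patched"
    # Vulnerable firmware is only reachable with remote management on and no ACL
    if r.remote_mgmt and not r.acl:
        return "exposed"
    return "mitigated"


def recommended_actions(r: Router) -> list:
    """Turn the assessment into the steps the advisory recommends."""
    state, actions = assess(r), []
    if state == "exposed":
        actions.append("now: disable remote management or restrict it with an ACL")
    if state in ("exposed", "mitigated"):
        actions.append("back up config, upgrade to v3.9.6.3+, verify version in WebGUI")
        actions.append("rotate admin password and VPN passwords/PSKs after upgrading")
    return actions


INVENTORY = [  # constructed sample inventory
    Router("hq-fw", "Vigor 3910", "v3.9.6.3", True, []),
    Router("branch-1", "Vigor 2962", "3.9.6.1", True, []),
    Router("branch-2", "Vigor 2962", "3.9.5", True, ["203.0.113.0/24"]),
    Router("home", "Vigor 2862", "3.9.6", True, []),
]
```

Running `for r in INVENTORY: print(r.name, assess(r), recommended_actions(r))` lists branch-1 as the only exposed device and gives the ordered steps for it.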

By Mark Jackson
Comments
9 Responses
  1. S B says:

    At least Draytek seem to have a reactive approach to security bugs, compared to some! *cough* netgear, dlink, ubiquiti *cough*

    1. John H says:

      Draytek released a new firmware which did not recognise my Draytek DNSS licence; I emailed them and 2 days later they updated the firmware to fix it.

    2. A_Builder says:

      Odd really.

      The 2962 is a development of the 2960 (which we have loads of) but has no vulnerability – allegedly.

      Have to say the 2960’s have been very reliable for us on 1G connections with failover to 4G or WAN2 working pretty well.

      Odd things do sometimes happen in the routing tables and I am not sold on the VPN and prefer to pass through to a Synology or something similar behind it.

  2. Alex E says:

    In fairness to DrayTek, they proactively emailed me about the security issue over the weekend.

  3. RR says:

    Have to say, I have moments when I try to leave Draytek, but I always come back with my tail between my legs. Had a 3910 for over a year as it takes my two 1Gbe connections and seamlessly feeds them into my 10Gbe network; brilliant route policy configuration and the firewall is rock solid, add in Globalview and it’s a good package. Yes it’s expensive for home use but it’s the only thing that works for me.
    I also had email over the weekend, but had already spotted the release anyway day before.

  4. Randy says:

    ITT: Draytek employees talking about how great Draytek is

    1. RR says:

      Incorrect statement Randy, try again.

    2. Alex E says:

      I have no affiliation to DrayTek, just a happy customer for 6+ years.

  5. Notadraytekemployee says:

    Yeah, I do like Draytek kit. I have a 2862 which I always keep on the latest f/w and fortunately it doesn’t appear to be affected by this latest hack. I’ll probably have to upgrade to a 2865 when I get my 1Gb connection.
