Customers using several high-end fibre (SFP / VPN Firewall) routers from popular Taiwan-based manufacturer DrayTek, specifically their Vigor 3910 (retailing at c.£690) and Vigor 2962 (c.£380) models, need to grab the latest security update ASAP. Otherwise, they risk leaving themselves exposed to a “critical” new exploit.
The vulnerability itself relates to the router’s WebGUI system software, which was found to be exploitable if Remote Management was enabled without an Access Control List (ACL) in place. In short, the router’s admin and Virtual Private Network (VPN) credentials could be discovered, leaving the network operator exposed to an attack.
Users of affected models are being advised to upgrade to firmware v3.9.6.3 or later as soon as possible, and you can find the UK / Ireland downloads for that here.
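The exposure described above has three ingredients: an affected model, firmware older than the fixed release, and Remote Management enabled without an ACL. For anyone managing more than one router, the following is an added triage script (not code from DrayTek or from this article) that walks a constructed inventory and classifies each device on exactly those three conditions. The inventory, the `Router` record and the model names in `AFFECTED_MODELS` are assumptions made for the example; the fixed version string is the one from the advisory.

```python
from dataclasses import dataclass, field
from typing import List, Dict

# Version named in the advisory as the first fixed release.
FIXED_VERSION = "3.9.6.3"

# Model identifiers are an assumption for this example; match them to
# whatever your inventory actually records.
AFFECTED_MODELS = {"Vigor3910", "Vigor2962"}


@dataclass
class Router:
    name: str
    model: str
    firmware: str
    remote_management: bool
    # Remote-management ACL entries; an empty list means "no ACL configured".
    acl_entries: List[str] = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """Turn '3.9.6.3' into (3, 9, 6, 3).

    Any non-numeric suffix on a component (e.g. a regional build tag) is
    ignored so that '3.9.6.3_XX' still compares as 3.9.6.3.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(current: str, minimum: str) -> bool:
    """True if `current` is the same as or newer than `minimum`.

    Shorter tuples are right-padded with zeros so '3.9.6' < '3.9.6.3'.
    """
    a, b = parse_version(current), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess(router: Router) -> str:
    """Classify one device against the advisory's conditions."""
    if router.model not in AFFECTED_MODELS:
        return "not-listed"
    if version_at_least(router.firmware, FIXED_VERSION):
        return "patched"
    if not router.remote_management:
        return "remote-mgmt-off"
    if router.acl_entries:
        return "mitigated-by-acl"
    return "exposed"


def triage(inventory: List[Router]) -> Dict[str, str]:
    """Map each device name to its status, for reporting or alerting."""
    return {r.name: assess(r) for r in inventory}


# Constructed sample inventory; not real devices.
SAMPLE_INVENTORY = [
    Router("hq-edge", "Vigor3910", "3.9.6.2", True),
    Router("branch-1", "Vigor2962", "3.9.6.3", True),
    Router("branch-2", "Vigor2962", "3.9.6", True, ["203.0.113.10"]),
    Router("lab", "Vigor3910", "3.9.5", False),
    Router("old-site", "Vigor2960", "1.5.1", True),
]


if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10} {status}")
```

Devices reported as `exposed` are the ones to patch (or at least fence with an ACL) first; `mitigated-by-acl` devices still need the firmware update, since the ACL only narrows who can reach the WebGUI.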
DrayTek Statement
The exploit could allow an attacker to discover admin and VPN credentials. As an additional precaution, we recommend that router admin passwords and any VPN passwords & PSKs are updated. We’re not aware of any published PoC (proof-of-concepts) relating to this vulnerability but are recommending the post upgrade steps to update credentials as a prudent action. After upgrading, do check that the web interface now shows the new firmware version. Always back up your config before doing an upgrade.
If you’re unable to upgrade your firmware immediately, then it’s wise to disable remote access to your device or use an ACL for remote access. Credits to James for spotting.
At least Draytek seem to have a reactive approach to security bugs, compared to some! *cough* netgear, dlink, ubiquiti *cough*
Draytek released a new firmware which did not recognise my Draytek DNSS licence, emailed them and 2 days later they updated the firmware to fix
Odd really.
The 2962 is a development of the 2960 (which we have loads of) but has no vulnerability – allegedly.
Have to say the 2960’s have been very reliable for us on 1G connections with failover to 4G or WAN2 working pretty well.
Odd things do sometimes happen in the routing tables and I am not sold on the VPN and prefer to pass through to a Synology or something similar behind it.
In fairness to DrayTek, they proactively emailed me about the security issue over the weekend.
Have to say, I have moments when I try to leave Draytek, but I always come back with my tail between my legs. Had a 3910 for over a year as it takes my two 1Gbe connections and seamlessly feeds them into my 10Gbe network; brilliant route policy configuration and the firewall is rock solid. Add in Globalview and it’s a good package. Yes it’s expensive for home use but it’s the only thing that works for me.
I also had email over the weekend, but had already spotted the release anyway day before.
ITT: Draytek employees talking about how great Draytek is
Incorrect statement Randy, try again.
I have no affiliation to DrayTek, just a happy customer for 6+ years.
Yeah I do like Draytek kit, I have a 2862 which I always keep on the latest f/w and fortunately it doesn’t appear to be affected by this latest hack. I’ll probably have to upgrade to a 2865 when I get my 1Gb connection