Serious Security Vulnerability Hits DrayTek’s UK Fibre Routers

Monday, July 12th, 2021 (2:08 pm)

Customers using several high-end fibre (SFP / VPN Firewall) routers from popular Taiwan-based manufacturer DrayTek, specifically their Vigor 3910 (retailing at c.£690) and Vigor 2962 (c.£380) models, need to grab the latest security update ASAP. Otherwise, they risk leaving themselves exposed to a “critical” new exploit.

The vulnerability itself lies in the router’s WebGUI system software, which was found to be exploitable if Remote Management was enabled without an Access Control List (ACL) in place. In short, the router’s admin and Virtual Private Network (VPN) credentials could be discovered, leaving the network operator exposed to attack.

Users of affected models are advised to upgrade to firmware v3.9.6.3 or later as soon as possible; the UK / Ireland downloads for that can be found here.

DrayTek Statement

The exploit could allow an attacker to discover admin and VPN credentials. As an additional precaution, we recommend that router admin passwords and any VPN passwords & PSKs are updated. We’re not aware of any published PoC (proof-of-concepts) relating to this vulnerability but are recommending the post-upgrade steps to update credentials as a prudent action. After upgrading, do check that the web interface now shows the new firmware version. Always back up your config before doing an upgrade.

If you’re unable to upgrade your firmware immediately, then it’s wise to disable remote access to your device or use an ACL for remote access. Credits to James for spotting.
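The advisory boils down to four conditions: an affected model, firmware older than v3.9.6.3, Remote Management enabled, and no ACL. The following fleet-audit helper is an added example, not DrayTek’s own tooling; the inventory records are constructed sample data and the field names (model, firmware, remote_mgmt, acl) are assumptions about how an operator might record them. It also shows why firmware versions must be compared numerically rather than as strings.

```python
"""Fleet audit against the DrayTek Vigor 3910 / 2962 WebGUI advisory.

Added example, not DrayTek's own code. Inventory records below are constructed
sample data; field names are assumptions about an operator's asset register.
"""
from dataclasses import dataclass

AFFECTED_MODELS = {"Vigor 3910", "Vigor 2962"}   # models named in the advisory
FIXED_FIRMWARE = "3.9.6.3"                       # first fixed release per the advisory


def parse_version(v: str) -> tuple:
    """Turn '3.9.6.3' into (3, 9, 6, 3) so comparison is numeric.

    A plain string compare gets this wrong: as text, '3.9.6.10' < '3.9.6.3'.
    """
    return tuple(int(part) for part in v.strip().split("."))


@dataclass
class Router:
    name: str
    model: str
    firmware: str
    remote_mgmt: bool   # Remote Management reachable from the WAN side
    acl: bool           # an Access Control List restricts who can reach it


def assess(r: Router) -> str:
    """Classify one router against the advisory's conditions."""
    if r.model not in AFFECTED_MODELS:
        return "not-affected"
    if parse_version(r.firmware) >= parse_version(FIXED_FIRMWARE):
        return "patched"               # still rotate admin/VPN credentials as DrayTek advises
    if r.remote_mgmt and not r.acl:
        return "exposed"               # vulnerable and reachable: upgrade or disable remote access
    return "vulnerable-mitigated"      # old firmware, but remote management off or ACL-gated


# Constructed sample inventory (not real devices or real firmware history).
FLEET = [
    Router("hq-edge", "Vigor 3910", "3.9.6.2", remote_mgmt=True, acl=False),
    Router("branch-1", "Vigor 2962", "3.9.6.10", remote_mgmt=True, acl=False),
    Router("branch-2", "Vigor 2962", "3.9.5", remote_mgmt=True, acl=True),
    Router("lab", "Vigor 2862", "3.9.6.2", remote_mgmt=True, acl=False),
]


def audit(fleet=FLEET) -> dict:
    """Map each router name to its status so the result can be acted on or reported."""
    return {r.name: assess(r) for r in fleet}


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name:10} {status}")
```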

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England); he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
9 Responses
  1. S B says:

    At least Draytek seem to have a reactive approach to security bugs, compared to some! *cough* netgear, dlink, ubiquiti *cough*

    1. John H says:

      Draytek released a new firmware which did not recognise my Draytek DNSS licence; emailed them and 2 days later they updated the firmware to fix it.

    2. A_Builder says:

      Odd really.

      The 2962 is a development of the 2960 (which we have loads of) but has no vulnerability – allegedly.

      Have to say the 2960’s have been very reliable for us on 1G connections with failover to 4G or WAN2 working pretty well.

      Odd things do sometimes happen in the routing tables and I am not sold on the VPN and prefer to pass through to a Synology or something similar behind it.

  2. Alex E says:

    In fairness to DrayTek, they proactively emailed me about the security issue over the weekend.

  3. RR says:

    Have to say, I have moments when I try to leave Draytek, but I always come back with my tail between my legs. Had a 3910 for over a year as it takes my two 1Gbe connections and seamlessly feeds them into my 10Gbe network, brilliant route policy configuration and the firewall is rock solid; add in Globalview and it’s a good package. Yes it’s expensive for home use but it’s the only thing that works for me.
    I also had email over the weekend, but had already spotted the release anyway day before.

  4. Randy says:

    ITT: Draytek employees talking about how great Draytek is

    1. RR says:

      Incorrect statement Randy, try again.

    2. Alex E says:

      I have no affiliation to DrayTek, just a happy customer for 6+ years.

  5. Notadraytekemployee says:

    Yeah, I do like Draytek kit. I have a 2862 which I always keep on the latest f/w and fortunately it doesn’t appear to be affected by this latest hack. I’ll probably have to upgrade to a 2865 when I get my 1Gb connection.
