High-end router flinger DrayTek admits to zero day in bunch of Vigor kit

Taiwanese network kit maker DrayTek has 'fessed up to a vulnerability in a large number of its routers which could allow miscreants to hijack internet traffic or steal personal data. The flaw means attackers could remotely alter DNS settings on 28 Vigor model routers. DrayTek has released a series of firmware updates …

  1. joma0711

    Had a couple of their routers and modems for a few years now. Quirky interface, and a lot of the features feel bolt-on rather than having a logically designed feature set, nevertheless they have been very reliable, and the newer ones (not based on DD-WRT, I believe) reboot VERY quickly, a bonus on a busy network (albeit home).

    The only duff one was the Vigor 120 modem (issues much documented elsewhere).

    First time I've been notified of a zero day, and was nice to be directly notified too.

    Double the cost of regular home routers indeed, but has been well worth it.

    (No, I don't work for them, but I do appreciate their kit.)

    1. Lee D

      They're great.

      I use them at work and at home. Tons of features and rock-solid, and regular firmware updates. Can't fault them, or their response here.

      However, it does beg the question - who's leaving their admin panels open for the world to attack? Especially when the things have VPN built in.

      1. ds33d8977JH3%3£1

        Re: who's leaving their admin panels open for the world to attack?

        Telnet can be your friend

        http://draytek.com.vn/download/TelnetCommands.pdf

        Unless you are monitoring and accounting for every packet going in and out, just how do you tell when you have been hacked?

    2. Franco

      Expensive but IME they're generally worth it. When I was on BT they admitted their kit was garbage but also wouldn't send me a new Home Hub for free, so I was stuck on the HH3 and the Huawei modem.

      Seeing as I live in a flat I also wanted 5GHz WiFi so bought the 2860 and have carried that over to Origin fibre. Funnily enough all the issues I had with BT that they claimed were "my kit" have mysteriously disappeared...

    3. Mark 65

      One thing I found with them when I was using ADSL is that they are very stable even on shitty lines and would reconnect when required to maintain as constant a connection as possible, whereas other brands failed and needed power cycling.

      Still use their VOIP service to this day (voucher supplied with Router/Modem).

  2. LeahroyNake

    Disable remote admin

    If you really need remote web admin disable http and change the https port to something else.

    Also disable all the other remote admin options and preferably whitelist access via designated IPs; it's not hard with Draytek kit.

    1. Sir Runcible Spoon

      Re: Disable remote admin

      You can add MAC addresses to your whitelist (from locally connected devices).

  3. wyatt

    I also got the advisory on Friday, there's new firmware out to stop this from happening. Fortunately mine doesn't run anything too important and I use a separate DNS server rather than the router. Good to see communication and a fix fairly quickly, I wonder how long it's been in the wild for?

  4. Alister

    We also got the advisory on Friday, did the firmware upgrade with no dramas on all our affected routers. My understanding is that the routers were only vulnerable to this exploit if you allowed the external management interface, which by default is disabled, or SSL VPN connections, which again are off by default.

    1. Anonymous Coward

      TR-069 is on by default, at least on the 2860.

  5. Ol' Grumpy

    Draytek

    I've always been impressed with Draytek kit since the launch of the original USB 2200 which I and many others used to get around BT's original "1 ADSL connection, 1 PC" DSL policy :)

    Glad to see they are still patching their gear rather than selling stuff and then forgetting about it like some of the other vendors.

    1. BlartVersenwaldIII

      Re: Draytek

      I've also been a Draytek user since the 2200 + mint green stingray days. Not affiliated but a happy long-term customer. IME they make the most reliable kit of practically anything else I've ever used.

      I've still got a positively stone-aged 2820 in service... bought in early 2008, still ticking along just fine in its branch office, latest firmware update is two months old.

  6. jay_bea

    Older Routers

    My parents have a hand-me-down Draytek router, for which updated firmware has not appeared yet. Fingers crossed that it does, although when I checked, there were no changes to any settings. That Draytek have continued to release regular updates for a 7 year old router (as of March this year, anyway), sets them apart from a lot of other makers who don't support last year's model.

    1. Fuzz

      Re: Older Routers

      Which router do they have? My 2850 has received this update but I had to go and find it on the legacy firmware page.

  7. fidodogbreath

    Story image kudos

    Hat tip to whoever found the story image. It's a veritable trope cornucopia:

    * Laptop (of course);

    * Hacker wearing hoodie AND balaclava (in case the tape over his webcam is hacked?);

    * Random wall of vaguely computer-y images in background (because, computers);

    * Magnifying glass (the better to see small bugs with);

    * All-gray color palette, except for his evil, beady little eyes ("shadowy hackers," get it?).

    No trope left behind.

    1. ds33d8977JH3%3£1

      Re: Story image kudos

      "* Hacker wearing hoodie AND balaclava (in case the tape over his webcam is hacked?);"

      Being around people is invariably enough to give away secrets as no one bothers to disable the microphones; hard to do on your smartphone admittedly, but most modern laptop monitors, with the mike and camera side by side, can be popped open so you can unplug the cable to the microphone in just a few minutes.

      Let's not forget in the olden days when mobiles first started to appear, sometimes it was impossible to have a conversation because the microphone picked up so much background noise. It's physically impossible to add an algo to filter the background noise to a microphone, but further up the chain it is, so who can intercept the raw unfiltered sound in your device before the filter?

      GCHQ - Always listening to their customers.

  8. Prosthetic Conscience

    DrayTek routers are considered high end in the UK

    HAHAHAHAH.

    Whenever there were CPE-related issues at the old place it was always Drayteks, especially with voice. Garbage.

    1. HighTension

      Re: DrayTek routers are considered high end in the UK

      They suck far, far less than Zyxel. Or Netgear. The same features on Cisco you'd pay £600+. Only D-Link seems to come close in this price range.

      I think most of the problem is a complex interface but most competent admins (who understand SIP especially) can negotiate it. Have one in my work basement that uses a VoIP account over an IPSEC VPN logged into our PBX. The only time it's not worked is when the bloody BMS management people have unplugged it.

      IMHO they are really good for SIP but you need to know what you are doing to get them to work.

      The Zyxels we had that preceded these would drop ADSL, VPN, or VoIP maybe 3-4 times a week. Draytek maybe once a month, and always sync/line issues.

    2. Lee D

      Re: DrayTek routers are considered high end in the UK

      I admin a prep school.

      One of our remote sites runs everything over VPN (so we don't have to pay for more licenses and controllers), including telephony, via a Draytek.

      Works marvellously, even if they are a little clunky to configure sometimes (e.g. VLANs).

      Currently running a bunch of desktops (all servers are on main site), managed switches (all uplink via the Draytek back to main site for all traffic), all the telephones (IP to main site controllers), all the CCTV (all 4K IP cameras back to main site controllers), access control (IP back to main site) and all the ancillary little bits that go with it.

      Ethernet connection over leased line, 4G backup, and (wonderfully) direct SIP access if we needed it and analogue backup for if that goes down too (meaning the Draytek is the critical 999 path for all phones on that site with no less than 4 ways to dial out). We could also use ADSL/VDSL on the same device but that would be slight overkill.

      Been using a similar model at home for years... literally never had a problem with it. In fact I used my freebie Draytel SIP account to show the main site SIP trunk provider how a real telephony company does things because that "just works" while theirs needed all sorts of forwards and NAT helpers and proxies and junk.

      I also used their managed wireless at home and they worked just as well too.

      Either they've come on since you last used them, or you chose a spectacularly bad model.

    3. Anonymous Coward

      Re: DrayTek routers are considered high end in the UK

      Not sure why you're being downvoted - it's the experience I had too.

      I had a 2600 and 2800. I recall the wireless on the 2600 being pretty awful, and the 2800 having several weird bugs (particularly for ADSL2+, although at the time I couldn't get it). The best ever firmware I ran on the thing was a beta firmware.

      re: voice - my 2800VG would actually reboot occasionally if you picked the phone up and dialed anything.

      Ended up replacing it with a cheap second hand Cisco that absolutely did not miss a beat. These days I just use a Ubiquiti router with an Openreach VDSL modem.

      1. Ol' Grumpy

        Re: DrayTek routers are considered high end in the UK

        To be fair, I remember the 2800 series being pretty poor on ADSL2 type connections which were starting to become the norm when they were released. The 2820 and beyond were (are?) much better and far more stable on ADSL2 in my experience at least. We replaced far fewer of them in the field anyway.

  9. Tom Paine

    "may be possible"?

    Oh come ON, it's been mass pwnage out there since Friday at least... Kevin Beaumont demonstrating again what a good follow he is >>>

    https://twitter.com/GossiTheDog/status/997410290869432320

  10. AJ MacLeod

    Scary stuff

    I wasn't notified about this one for some reason, but have just finished a round of checks and upgrades on most of the 2860s and 2862s in my care - several of the 2860s seem to have been hit, with the DNS server settings changed in the LAN sections. Always disturbing when such a central bit of networking gear is hacked, hopefully that's all that was done but who really knows?

    Definitely no default passwords in use here, usually all but HTTPS access to remote admin blocked.

    Generally I'm a big fan of these routers for SMEs as they've proven themselves incredibly reliable over the past decade and more, plus the firmware updates keep coming long after the initial purchase... I suppose such a popular router was always going to be a prime target.

    1. phuzz

      Re: Scary stuff

      The remote access on ours is locked down to a whitelist of IPs, and that seems to have done the job for us.

      Oh, and I've just noticed they've released the new firmware for the 2830, so I know what I'm spending the rest of my afternoon doing (we have about thirty odd at remote sites).

      1. wyatt

        Re: Scary stuff

        I'd be interested to know how many weren't affected who had remote management enabled but without a whitelist/specific source specified. I also had 443 open for remote management (specified URL only) and SSL VPN (any address with the right credentials). I wonder if being unable to connect via IP was what saved me? If they can change the DNS setting, could they also change the firewall rules which would have allowed their address to be reached, otherwise I'd have been protected by them and everything would have stopped.

        I'm looking forward to finding out more.

  11. razorfishsl

    Same shape and tooling they used 15 years ago...

    Sure I still have that one propping up the missing foot on my wardrobe.

    Their top of the line switch is still only 1000 SFP, the kind of crap that poorly educated technicians would use.

  12. eldakka

    I have a 2910, it isn't on the list but hasn't had any firmware updates since 2015.

    So I'm not sure if it isn't affected or, more likely, it's too old for them to have tested or patched. Which is not unreasonable given the age of the 2910.

    But it's my own fault, I bought a Ubiquiti Edgerouter 12 months ago to replace it with, and that's been sitting on a table, powered on but not connected, for that entire time waiting for me to configure it...

    Guess that's a job for me this weekend!

  13. -martin-

    They also have a bug in all their routers with connection tracking. It is possible to have two connections randomly cross over - meaning traffic for one connection goes to another connection.

    I found it by having around 100 devices with TLS connections to a cloud server. Each of these devices also connected (TLS) every 3 minutes to a different server to send a small packet and disconnect. After some time the TLS connections got crossed resulting in confusion and ultimately RESETs being sent and connections dropped.

    Informed DrayTek, along with a ton of wireshark dumps from inside, outside, and cloudside but they didn't do anything about it...

    1. churchers

      We had a problem a few years ago where NAT was just using the original source port for its NAT pseudo port. The network had a bunch of SIP phones all using 5060 as their source port. All the external traffic ended up having {public-ip}:5060 as the source and the router would just send all replies to the first phone in its NAT table. You could clearly see this and the obvious problem it would cause in the NAT sessions table - multiple entries with exactly the same external IP and port. Never got anywhere trying to get a fix.
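The NAT collision churchers describes, modelled as an added example (not DrayTek's code, nor anything from the thread): a translation table keyed on the external (ip, port) tuple, once with the buggy "reuse the phone's own source port" policy and once with proper per-session port allocation. All addresses are constructed sample values.

```python
"""Toy NAT/PAT model showing why reusing the source port as the external
port breaks when several SIP phones all send from port 5060.
Added example, not router firmware. Addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"          # constructed WAN address (RFC 5737 range)
Endpoint = Tuple[str, int]           # (ip, port)


@dataclass
class Nat:
    allocate_ports: bool             # False = reuse source port (the buggy policy)
    next_port: int = 40000           # start of the PAT port pool (assumed)
    # external (ip, port) -> internal (ip, port)
    table: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def outbound(self, src: Endpoint) -> Endpoint:
        """Translate an outbound packet from src; return the external tuple used."""
        for ext, internal in self.table.items():
            if internal == src:
                return ext                      # existing session, reuse mapping
        if self.allocate_ports:
            ext = (PUBLIC_IP, self.next_port)   # unique external port per session
            self.next_port += 1
        else:
            ext = (PUBLIC_IP, src[1])           # bug: keep the phone's own port
            if ext in self.table:
                # Collision: another phone already owns {public-ip}:5060.
                # The first mapping wins, so this phone's packets leave with
                # the same tuple and every reply is delivered to the first phone.
                return ext
        self.table[ext] = src
        return ext

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Look up which internal host a reply to the external tuple dst reaches."""
        return self.table.get(dst)


def simulate(allocate_ports: bool, phone_count: int = 3) -> Dict[str, Optional[str]]:
    """Each phone registers from source port 5060; map phone -> who gets its reply."""
    nat = Nat(allocate_ports)
    phones = [f"192.168.1.{10 + i}" for i in range(phone_count)]   # constructed LAN IPs
    delivered: Dict[str, Optional[str]] = {}
    for ip in phones:
        ext = nat.outbound((ip, 5060))
        target = nat.inbound(ext)               # the SIP registrar replies to ext
        delivered[ip] = target[0] if target else None
    return delivered


if __name__ == "__main__":
    print("buggy :", simulate(False))   # every reply lands on 192.168.1.10
    print("fixed :", simulate(True))    # each phone gets its own reply
```

Inspecting the NAT sessions table for duplicate external tuples, as churchers did, is the same check as counting distinct keys in `Nat.table` here.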

  14. Baldeep

    I've used these routers for the last 12 years. It's the first time I came across an urgent update.

    I got the email which was useful. Updated my router straight away.

    Would I use another brand? Unlikely. These are solid units, with great features, strong wifi and all round work in an environment with so many wifi devices streaming video.

  15. churchers

    High end?

    We used Draytek for a long time and were perfectly happy apart from the odd issue but they're not even mid-range kit. They are generally ok for the price range though and I would choose them over other consumer brands like Netgear/Dlink. I do find some of the interface, such as firewall config, a pita.

    I use Mikrotik a lot these days. Even though most of their kit is actually cheaper than Draytek, it's rock solid and functions far more like a true router. The Ubiquiti kit is probably alright. We use a lot of their outdoor wireless stuff. We did use Tough Switches though and found them to be useless. They seemed to put more effort into a fancy web interface than the actual performance and stability of the device.

  16. Macca Pukka

    First zero day pwnage I can remember they've ever had.

    I think they are great, nowhere near the quality of a proper stand-alone router but as an all in one unit with multiple wans for concurrent ADSL and 4G, noisy lines being so fault tolerant with CRC etc they suit my clients perfectly - light years better than the stock ISP garbage such as *T allegedly.

    I've got a couple of dozen of the 2825 but mostly 2860 in the field and only one got pwned but I had to go to the site to fix it today. It's a nuisance hack, they could have done far worse! I always leave direct router remote access disabled and use a computer on the LAN to log in, but this one I'm sure got its settings changed and enabled by the VOIP techs who run a similar Draytek to run their phones from a separate ADSL line which gets its DHCP from ours along with the handsets. After discussions with the (unnamed) telco's techs, who run 2k of these and thought that with a different remote admin port they would be immune to getting pwned, after 2 phone calls this afternoon and evening they are now upgrading all of them ;-)

  17. Chris Walsh

    2850n

    We have a bunch of 2850n units but these are now considered "legacy products" and there hasn't been a firmware update release for it (last release was January 2017). Is that because this "legacy" product is not vulnerable or that they're just not supporting it?

    1. AJ MacLeod

      Re: 2850n

      Have a look at the International ftp site, looks like 3.8.3.2 is available for the 2850 ( http://www.draytek.com.tw/ftp/Vigor2850/Firmware/v3.8.8.2/ )

      The firmware on the international site isn't always necessarily identical to that on the UK site though so I'd try it on your least important router first just in case!

      (Edit - just realised I'm making an assumption that you're in the UK - even if not, the readme seems to indicate this firmware covers a wide range of 2850 variants.)
