DrayTek issued notifications and firmware updates for the platforms below in mid to late last year, including for some models that are no longer officially supported.
Over the last few days there has been a marked uptick in reports of problems, as these vulnerabilities are now being actively exploited in the wild against unpatched and older systems. As far as we can tell, the activity is a combination of known exploits against older, vulnerable firmware versions and Denial of Service attacks.
Notifications and firmware versions that fixed the vulnerabilities were released at the time, and users were notified again in early March to encourage them to check the firmware version they are running: https://www.draytek.com/about/security-advisory/
Please check the table below, then download and upgrade the firmware for your model as soon as possible to ensure the security of your system: https://www.draytek.com/support/resources/routers#version
Model | Fixed firmware version |
--- | --- |
Vigor2620 LTE | 3.9.9.1 or later |
VigorLTE 200n | 3.9.9.1 or later |
Vigor2133 | 3.9.9.2 or later |
Vigor2135 | 4.4.5.5 or later |
Vigor2762 | 3.9.9.2 or later |
Vigor2765 | 4.4.5.5 or later |
Vigor2766 | 4.4.5.5 or later |
Vigor2832 | 3.9.9.2 or later |
Vigor2860 / 2860 LTE | 3.9.8.3 or later |
Vigor2862 / 2862 LTE | 3.9.9.8 or later |
Vigor2865 / 2865 LTE / 2865L-5G | 4.4.5.8 or later |
Vigor2866 / 2866 LTE | 4.4.5.8 or later |
Vigor2925 / 2925 LTE | 3.9.8.3 or later |
Vigor2926 / 2926 LTE | 3.9.9.8 or later |
Vigor2927 / 2927 LTE / 2927L-5G | 4.4.5.8 or later |
Vigor2962 | 4.3.2.9 or later, or 4.4.3.2 or later |
Vigor3910 | 4.3.2.9 or later, or 4.4.3.2 or later |
Vigor3912 | 4.3.6.2 or later, or 4.4.3.2 or later |
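As an added example (not DrayTek's own tooling), the following Python script checks an inventory of routers against the fixed versions transcribed from the table above. It compares versions numerically rather than as strings, and it assumes that for the models listing two fixed versions the running firmware is judged against the fix on its own major.minor branch; that reading is an assumption, not something the table states.

```python
from __future__ import annotations

# Fixed versions transcribed from the advisory table above. LTE / 5G variants
# share the base model's entry, so only the base model name is keyed here.
FIXED_VERSIONS = {
    "Vigor2620 LTE": ["3.9.9.1"], "VigorLTE 200n": ["3.9.9.1"],
    "Vigor2133": ["3.9.9.2"], "Vigor2762": ["3.9.9.2"], "Vigor2832": ["3.9.9.2"],
    "Vigor2135": ["4.4.5.5"], "Vigor2765": ["4.4.5.5"], "Vigor2766": ["4.4.5.5"],
    "Vigor2860": ["3.9.8.3"], "Vigor2925": ["3.9.8.3"],
    "Vigor2862": ["3.9.9.8"], "Vigor2926": ["3.9.9.8"],
    "Vigor2865": ["4.4.5.8"], "Vigor2866": ["4.4.5.8"], "Vigor2927": ["4.4.5.8"],
    # Two entries: two firmware branches (4.3.x and 4.4.x), each with its own fix.
    "Vigor2962": ["4.3.2.9", "4.4.3.2"], "Vigor3910": ["4.3.2.9", "4.4.3.2"],
    "Vigor3912": ["4.3.6.2", "4.4.3.2"],
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.9.9.10' into (3, 9, 9, 10) so comparison is numeric. A plain
    string compare gets this wrong: '3.9.9.10' < '3.9.9.8' lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def check_firmware(model: str, running: str) -> str:
    """Return 'ok', 'update' or 'unknown' for one model/version pair.

    Assumption: where two fixed versions are listed, the running firmware is
    judged against the fix on its own major.minor branch, so 4.4.1.0 on a
    Vigor2962 still needs an update even though it is above 4.3.2.9."""
    fixes = FIXED_VERSIONS.get(model)
    if fixes is None:
        return "unknown"  # not in the table: out of lifecycle, or a typo
    current = parse_version(running)
    if len(fixes) == 1:
        return "ok" if current >= parse_version(fixes[0]) else "update"
    for fix in fixes:
        required = parse_version(fix)
        if current[:2] == required[:2]:  # same major.minor branch
            return "ok" if current >= required else "update"
    return "unknown"  # running a branch the table does not list


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for model, version in [("Vigor2862", "3.9.9.10"), ("Vigor2862", "3.9.9.7"),
                           ("Vigor2962", "4.4.1.0"), ("Vigor2962", "4.3.3.0"),
                           ("Vigor2120", "3.8.7")]:
        print(f"{model} {version}: {check_firmware(model, version)}")
```

Anything reported as "unknown" (a model not in the table, or a firmware branch the table does not list) should be checked by hand against the DrayTek advisory page rather than treated as patched.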
What if my router is too old to be included in the published fixes?
If your router is not on this list because it is too far out of the supported lifecycle, it is still possible to reduce the attack surface by disabling services exposed to the Internet. This is not a fix as such, but it reduces the potential impact while equipment is upgraded to a more modern platform.
Example for DV2120
Apart from installing the latest available firmware, the recommendations for the 2120 specifically are:
1. Disable the SSL VPN (and other VPN types if not in use):
   - Also remove its binding to the WAN ports.
   - If it cannot be disabled because it is in use or required, change the default port away from 443 to something else above port 1000, e.g. 30948.
2. Disable remote management from the Internet, and ping from the Internet:
   - Again, if this cannot be disabled because it is in use or required, enforce HTTPS and change the HTTPS port to something random.
3. Enable DoS Defence, particularly SYN flood and SYN fragment defence.
   - Note that UDP flood defence can block SIP calls. If your site uses VoIP it may pay to either leave this disabled or adjust the triggering thresholds as necessary.