DrayTek issued notifications and firmware updates for the platforms below in mid to late last year, including for some models that are no longer officially supported.


Over the last few days there has been a marked uptick in reports of issues, as these vulnerabilities are now being actively exploited in the wild against unpatched and older systems. As far as we can tell, the problem appears to be a combination of known exploits against older, vulnerable firmware versions and Denial of Service attacks.


Notifications and firmware versions containing fixes for the vulnerabilities were released at the time, and the notification was reissued in early March to encourage users to check the firmware version they are running: https://www.draytek.com/about/security-advisory/


Please check the firmware version running on each model, then download and upgrade to the fixed version as soon as possible to secure your system: https://www.draytek.com/support/resources/routers#version

 

Model                              Minimum fixed firmware
Vigor2620 LTE                      3.9.9.1 or later
VigorLTE 200n                      3.9.9.1 or later
Vigor2133                          3.9.9.2 or later
Vigor2135                          4.4.5.5 or later
Vigor2762                          3.9.9.2 or later
Vigor2765                          4.4.5.5 or later
Vigor2766                          4.4.5.5 or later
Vigor2832                          3.9.9.2 or later
Vigor2860 / 2860 LTE               3.9.8.3 or later
Vigor2862 / 2862 LTE               3.9.9.8 or later
Vigor2865 / 2865 LTE / 2865L-5G    4.4.5.8 or later
Vigor2866 / 2866 LTE               4.4.5.8 or later
Vigor2925 / 2925 LTE               3.9.8.3 or later
Vigor2926 / 2926 LTE               3.9.9.8 or later
Vigor2927 / 2927 LTE / 2927L-5G    4.4.5.8 or later
Vigor2962                          4.3.2.9 or later / 4.4.3.2 or later
Vigor3910                          4.3.2.9 or later / 4.4.3.2 or later
Vigor3912                          4.3.6.2 or later / 4.4.3.2 or later

Where two versions are shown, the model has two firmware branches; update to the listed version or later on the branch the router is running.
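If you manage more than a handful of these routers, checking each one against the table by eye is error-prone: a version such as 3.9.9.10 sorts below 3.9.9.8 as a string but is newer, and the 2962/3910/3912 have to be compared against the minimum for whichever branch they run. The following is an added example (not DrayTek's own code) that audits a constructed inventory against the table above. The firmware-string format (a dotted version with an optional "_" build suffix), the mapping of LTE and L-5G variants onto the base model, and the sample devices are assumptions.

```python
"""Audit DrayTek Vigor firmware versions against the minimum fixed releases
listed in the table above.  Added example, not DrayTek code: the version
string format, model-name normalisation and sample inventory are assumptions."""

# Minimum fixed firmware per model, transcribed from the table above.  LTE and
# L-5G variants share the base model's firmware.  Two entries mean the model
# ships two firmware branches (4.3.x and 4.4.x) and the running build is
# compared against the minimum for its own branch.
MINIMUM_FIXED = {
    "Vigor2620": ("3.9.9.1",), "VigorLTE 200n": ("3.9.9.1",),
    "Vigor2133": ("3.9.9.2",), "Vigor2135": ("4.4.5.5",),
    "Vigor2762": ("3.9.9.2",), "Vigor2765": ("4.4.5.5",),
    "Vigor2766": ("4.4.5.5",), "Vigor2832": ("3.9.9.2",),
    "Vigor2860": ("3.9.8.3",), "Vigor2862": ("3.9.9.8",),
    "Vigor2865": ("4.4.5.8",), "Vigor2866": ("4.4.5.8",),
    "Vigor2925": ("3.9.8.3",), "Vigor2926": ("3.9.9.8",),
    "Vigor2927": ("4.4.5.8",),
    "Vigor2962": ("4.3.2.9", "4.4.3.2"),
    "Vigor3910": ("4.3.2.9", "4.4.3.2"),
    "Vigor3912": ("4.3.6.2", "4.4.3.2"),
}


def parse_version(text):
    """'3.9.9.10_STD' -> (3, 9, 9, 10).  Integer tuples compare correctly;
    a plain string comparison would wrongly rank 3.9.9.10 below 3.9.9.8.
    (The '_suffix' build tag is an assumed format and is discarded.)"""
    core = text.strip().split("_")[0].split()[0]
    return tuple(int(part) for part in core.split("."))


def base_model(name):
    """Map 'Vigor2865 LTE' or 'Vigor2865L-5G' onto the base model key."""
    name = " ".join(name.split())
    for suffix in ("L-5G", " LTE"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name


def check(model, running):
    """Return 'patched', 'vulnerable', 'unlisted model' or 'check advisory'."""
    minimums = MINIMUM_FIXED.get(base_model(model))
    if minimums is None:
        return "unlisted model"       # e.g. an end-of-life unit such as the 2120
    run = parse_version(running)
    mins = [parse_version(m) for m in minimums]
    same_branch = [m for m in mins if m[:2] == run[:2]]
    if same_branch:                   # compare within the running branch
        return "patched" if run >= same_branch[0] else "vulnerable"
    if all(run < m for m in mins):    # older than every listed branch
        return "vulnerable"
    return "check advisory"           # a branch the notice does not list


def audit(inventory):
    """inventory: iterable of (hostname, model, firmware) -> list of findings."""
    return [(host, model, fw, check(model, fw)) for host, model, fw in inventory]


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    ("branch-a", "Vigor2865 LTE", "4.4.5.8"),
    ("branch-b", "Vigor2927L-5G", "4.4.5.7_STD"),
    ("branch-c", "Vigor2862", "3.9.9.10"),
    ("dc-edge-1", "Vigor3910", "4.3.2.9"),
    ("dc-edge-2", "Vigor3910", "4.4.3.1"),
    ("legacy", "Vigor2120", "3.8.15.2"),
]

if __name__ == "__main__":
    for host, model, fw, status in audit(SAMPLE_INVENTORY):
        print(f"{host:10} {model:16} {fw:12} {status}")
```

Anything reported as "vulnerable" or "unlisted model" should be treated as exposed until it is upgraded or, for end-of-life models, hardened as described in the next section.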


 

What if my router is too old to be included in the published fixes?


If your router is not on this list because it is too far out of the supported lifecycle, you can still reduce the attack surface by disabling services exposed to the Internet. This is not a fix as such, but it reduces the potential for compromise while the equipment is upgraded to a more modern, supported platform.

 

Example for DV2120


Apart from installing the latest available firmware, the recommendations for the 2120 specifically are:

 

1. Disable the SSL VPN service (and any other VPN types that are not in use):



 

Also remove its binding to the WAN interfaces, so the service is no longer listening on the Internet-facing side at all.



 

If it cannot be disabled because it is in use or required, move the listening port away from the default of 443 to a high, non-standard port (above 1000, e.g. 30948). Note that a changed port only takes the service out of the path of mass scans for the default port; it does not remove the vulnerability, so this should only bridge the gap until the device is replaced.

 

2. Disable remote management from the Internet, and responses to ping from the Internet:



 

Again, if this cannot be disabled because it is in use or required, enforce HTTPS only, move the HTTPS management port to a random high port and, where the firmware offers it, restrict management access to known source addresses. As above, the port change hides the service from default-port scans but does not make it safe to expose.

 

3. Enable DoS Defence, particularly SYN flood and SYN fragment defence:




Note that UDP flood defence can block SIP calls. If your site uses VoIP it may be better to leave it disabled, or to adjust the trigger thresholds as necessary.
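Once steps 1 and 2 have been applied, the check worth doing is from the outside: confirm from a host that is not behind the router that the SSL VPN and management ports no longer answer on the WAN address, and that anything you deliberately left open (such as a moved VPN port) answers only there. The following is an added example (not DrayTek's code) that does the TCP part of that check. The WAN address 203.0.113.10, the default port list and the custom port 30948 are placeholders; ping exposure is not covered because ICMP needs raw sockets, so test that separately with ping from outside.

```python
"""Verify from the outside that services disabled in the steps above are
really unreachable on the WAN side.  Added example, not DrayTek code; the
WAN address, port list and custom port below are placeholders."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports that should not answer on the WAN address once the steps above are
# applied: 443 is the default SSL VPN / HTTPS management port and 80 the plain
# HTTP management default.  Extend this to any other management protocol the
# router offers (assumed list, not taken from DrayTek documentation).
DEFAULT_EXPOSURE_PORTS = (80, 443)


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout.
    Refused, filtered (timeout) and unreachable all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_tcp(host, ports=DEFAULT_EXPOSURE_PORTS, timeout=3.0):
    """Return the sorted subset of ports that accept a connection."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        results = list(pool.map(lambda p: (p, tcp_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def verify_hardening(host, expected_open=(), ports=DEFAULT_EXPOSURE_PORTS,
                     timeout=3.0):
    """Compare what answers against what you intended to leave reachable.
    Returns (unexpectedly_open, expected_but_closed); both empty means the
    WAN side looks the way the configuration says it should."""
    to_probe = tuple(set(ports) | set(expected_open))
    open_ports = set(exposed_tcp(host, to_probe, timeout))
    return (sorted(open_ports - set(expected_open)),
            sorted(set(expected_open) - open_ports))


def demo_with_local_listener():
    """Sanity check of the checker itself against a listener on localhost.
    Returns (port, result while listening, result after the listener closes)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = exposed_tcp("127.0.0.1", (port,), timeout=1.0)
    srv.close()
    after_close = exposed_tcp("127.0.0.1", (port,), timeout=1.0)
    return port, while_open, after_close


if __name__ == "__main__":
    port, before, after = demo_with_local_listener()
    print(f"local listener on {port}: while open {before}, after close {after}")
    # Real use, run from a host outside the router's LAN (placeholder values):
    #   verify_hardening("203.0.113.10", expected_open=(30948,))
    # Anything in the first list of the result is still reachable from the
    # Internet and needs revisiting in the router configuration.
```

Run the real check from a host that is genuinely outside the router (a mobile hotspot or a VPS), not from the LAN, since the LAN-side listeners are expected to answer.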