Draytek routers affected by Zeroday vuln


    evilsatan said:

    Draytek routers affected by Zeroday vuln

    Click the link under the quote for screenshots too; I pasted the info in case the link dies, as it took me a while to access the page over the weekend.

    Security Advisory: CSRF & DNS Changed Web Interface Attacks


    TL;DR - Check the DNS settings on your DrayTek router and install new firmware. Please read all of this advisory.

    In May 2018, we became aware of new attacks against web-enabled devices, which includes DrayTek routers. The recent attacks have attempted to change DNS settings of routers. We are in the process of releasing updated firmware, and will issue each ASAP to address this issue. You should upgrade as soon as it is available but also immediately follow the advice below:

    Update your firmware immediately, or as soon as updated software is available. Before doing the upgrade, take a backup of your current config in case you need to restore it later (System Maintenance -> Config Backup). Do use the .ALL file to upgrade, otherwise you will wipe your router settings. Note: if you are an Irish user (or using an ISP who uses non-standard VLAN tags), please see the note further down.

    Check your DNS and DHCP settings on your router. If you have a router supporting multiple LAN subnets, check settings for each subnet. Your DNS settings should be either blank, set to the correct DNS server addresses from your ISP or DNS server addresses of a server which you have deliberately set (e.g. Google 8.8.8.8). A known rogue DNS server is 38.134.121.95 - if you see that, your router has been changed.

    In the case of DHCP, the DHCP server may be disabled, which will typically cause errors on your LAN as devices fail to be issued with IP addresses so the problem is more obvious.

    If your settings appear to have been compromised, restore a config backup or manually check and correct all settings. Change your admin password and check that no other admin users have been added. Follow all of the advice in our previous CSRF article here.

    If you have remote access enabled on your router, disable it if you don't need it, and use an access control list if possible. If you do not have updated firmware yet, disable remote access (admin) and SSL VPN. The ACL does not apply to SSL VPN connections (Port 443) so you should also temporarily disable SSL VPN until you have updated the firmware.

    Always use secured (SSL/TLS 1.2) connections to your router, both LAN and WAN side. To do that, just prefix the address with https://. Disabling non-SSL/TLS connections:

    The 'enable validation code' option at the top (above) is recommended. It adds a 'captcha' style option to the web admin login page.

    Report to us anything you find which looks suspicious. If you have syslog enabled (you can save syslogs to a USB stick on the router), send those to us securely. To make reports, UK users should use this link.

    If you are in the UK/Ireland, ensure that you're a member of our mailing list so that you can receive update and security advisories like this otherwise we have no way to notify you of this and any future issues.

    The priority for us has been to identify the cause and issue strengthened firmware so this is an initial report/advisory. We continue to monitor and investigate this issue and will update as appropriate. At this stage, for obvious security reasons, we will not be providing any further details of the issue.

    Please share this advisory with other DrayTek users/SysAdmins.

    Our firmware download page for UK/Irish users is here. For other regions, check your local DrayTek office or our HQ. Firmware should start to be available from 18th May 2018 onwards (ETA). The very oldest models (>5 years) may not receive updates (TBA).

    Our wireless access points (VigorAP series), switches (VigorSwitch series) and Vigor 2950, 2955, 2960, 3900 and 3300 series routers are not affected and do not need updating (but you should still always run the latest firmware on those anyway).

    Why would someone want to change my DNS?

    Changing your DNS server address might seem like a strange and very minor setting for a hacker to change, but it is likely to be 'phase 1' of a larger attack. A DNS server converts web addresses (domain names) into an IP address (194.114.12.12 or 2001:db8::1); Internet routers use numeric IP addresses, not names.

    If someone can redirect you to a rogue DNS server, they can misdirect your browser to a fake site when you think you're going to your favourite web site. You login but now the criminals have your username and password (another reason people should use 2FA). The site will normally redirect you back to the genuine web site to avoid arousing suspicion. This could be a banking site, social media, other financial site or anything else. If your DNS has been changed, we recommend changing passwords of any sites you have accessed recently, particularly financial ones, as well as your router admin and wifi password(s).

    At the time of writing, the known rogue address (38.134.121.95) is not responding to DNS queries so it may not have gone active yet, or the owner/operator of that address has now taken the compromised server offline. If your router was compromised, it will still work as the hackers set a secondary (legitimate) address of 8.8.8.8 (Google) as a fallback so that unavailability of their fake server didn't cause you to go and check your settings but don't leave it like that.

    Non-Standard VLAN Tags

    Most ISPs in the UK use a WAN VLAN tag of 101. There is a known issue on the latest two firmware versions for some models (Vigor 2860 3.8.8, Vigor 2862 3.8.8.2, Vigor 2762, Vigor 2760) where the firmware upgrade changes the WAN VLAN tag to 101. This will cause an issue for any users where the WAN VLAN tag is not 101, for example in Ireland (VLAN 10 on Eircom connections). Do not upgrade remotely if your WAN VLAN tag is not set to 101. A new firmware will be released shortly for these models. After upgrade, the VLAN tag should be changed back from 101 to the VLAN tag required by your ISP. Before upgrade, check [WAN1] > [General Setup] to note the current VLAN tag setting.

    Keep up to Date via our Mailing List

    It is always recommended that you keep your router and other hardware up to date with the latest firmware and read vendor mailing lists. We advise users of any critical or important issues like this one on the UK/Ireland mailing list and you are therefore encouraged to sign up here (For UK/Ireland users only - other regions, please check local resources).

    Updated Firmware Versions

    Available for UK/IE users now:

    Vigor 2830nv2, version 3.8.8.2
    Vigor 2850 Series, version 3.8.8.2
    Vigor 2760 Series, version 3.8.8.2
    Vigor 2762 Series, version 3.8.8.2
    Vigor 2832 Series, version 3.8.8.2
    Vigor 2860 Series, version 3.8.8
    Vigor 2862 Series, version 3.8.8.2
    Vigor 2920 Series, version 3.8.8.2
    Vigor 2925 Series, version 3.8.8.2
    Vigor 2926 Series, version 3.8.8.2
    Vigor 2952, version 3.8.8.2
    Vigor 3220, version 3.8.8.2
    Vigor 3200 Series, version 3.8.8.2
    VigorBX 2000, version 3.8.8.2

    Coming soon:

    Vigor 2830sb, version 3.8.8.2
    Vigor 2830db, version 3.8.8.2

    Products Not Requiring Updates for this issue:
    (But keep them up to date anyway!)

    Vigor 2820 Series
    Vigor 2900 Series
    Vigor 2960
    Vigor 3300V
    Vigor 3900
    Vigor 130
    VigorAP Series (Wireless Access Points)
    VigorSwitch Series (Ethernet Switches)


    Firmware downloads are available from our firmware download page (for UK/IE region only).

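As an added example (not part of the thread and not DrayTek's own code), here is a small Python audit that applies the advisory's checks to a per-subnet DNS/DHCP settings dump: it flags the known rogue resolver 38.134.121.95, notes when a legitimate secondary such as 8.8.8.8 is left as the fallback the advisory describes, warns on any resolver you did not deliberately configure, and warns when a subnet's DHCP server is disabled. The one-line-per-subnet input format and the ISP resolver 203.0.113.53 are constructed assumptions; adapt `parse_config()` to whatever your router actually exports.

```python
"""Audit per-subnet DNS/DHCP settings for the hijack symptoms named in the advisory."""
import ipaddress
from dataclasses import dataclass

# The rogue resolver named in the DrayTek advisory.
KNOWN_ROGUE_DNS = {"38.134.121.95"}

# Resolvers you deliberately configured. 8.8.8.8 appears in the advisory;
# 203.0.113.53 is a constructed stand-in for an ISP resolver (documentation range).
TRUSTED_DNS = {"8.8.8.8", "203.0.113.53"}

# Constructed sample: one line per LAN subnet, key=value fields. This is NOT
# DrayTek's real config-export format; it only models the fields the advisory
# tells you to inspect (DHCP state, primary and secondary DNS per subnet).
SAMPLE_CONFIG = """\
LAN1 dhcp=enable dns1=38.134.121.95 dns2=8.8.8.8
LAN2 dhcp=enable dns1= dns2=
LAN3 dhcp=disable dns1=203.0.113.53 dns2=8.8.8.8
LAN4 dhcp=enable dns1=198.51.100.7 dns2=
"""


@dataclass
class SubnetDns:
    name: str
    dhcp_enabled: bool
    dns: list  # [dns1, dns2]; blank entries are kept as "" (blank is acceptable)


def parse_config(text):
    """Parse the constructed dump format into SubnetDns records."""
    subnets = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        name, *fields = raw.split()
        kv = dict(f.split("=", 1) for f in fields)
        subnets.append(SubnetDns(
            name=name,
            dhcp_enabled=kv.get("dhcp", "enable") == "enable",
            dns=[kv.get("dns1", ""), kv.get("dns2", "")],
        ))
    return subnets


def audit(subnets, trusted=TRUSTED_DNS):
    """Return (subnet, severity, message) tuples; an empty list means nothing to act on."""
    findings = []
    for s in subnets:
        rogue = [d for d in s.dns if d in KNOWN_ROGUE_DNS]
        if rogue:
            msg = f"known rogue resolver {rogue[0]} configured"
            # The advisory notes the attackers leave a legitimate secondary (8.8.8.8)
            # so that the hijack keeps working and goes unnoticed when their server is down.
            if len(s.dns) > 1 and s.dns[1] in trusted:
                msg += f" with {s.dns[1]} as fallback (matches the described hijack pattern)"
            findings.append((s.name, "CRITICAL", msg))
        for d in s.dns:
            if not d or d in KNOWN_ROGUE_DNS or d in trusted:
                continue  # blank, already reported, or deliberately configured
            try:
                ipaddress.ip_address(d)
                findings.append((s.name, "WARN", f"unexpected resolver {d}; verify it is yours"))
            except ValueError:
                findings.append((s.name, "WARN", f"unparseable resolver value {d!r}"))
        if not s.dhcp_enabled:
            findings.append((s.name, "WARN",
                             "DHCP server disabled; the advisory lists this as a tampering symptom"))
    return findings


if __name__ == "__main__":
    for name, severity, message in audit(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {name}: {message}")
```

Run it against a dump of every LAN subnet, not just LAN1: the advisory stresses that multi-subnet routers need each subnet checked, and the second post in this thread found the rogue address on one subnet only.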
    evilsatan said:

    Re: Draytek routers affected by Zeroday vuln

    Just found my first compromised router. I've been patching all week with no issues, but this one had the 38.134.121.95 DNS set as primary (LAN1 only), which is their public WiFi. Remote management was already disabled, so I went through the whole config and followed the advice in the linked article; it didn't seem that anything other than DNS had been altered.