Critical Firmware Updates - All models - December 2016


Security Advisory: General DrayTek Product Security

We have issued new firmware for most current and recent DrayTek products. Please read the whole of this document as it's been written to address most common questions.

The firmware updates contain improvements in some of the product operating mechanisms which we have determined important to increase product security. Specific details of the improvements are not being given currentlly.

As the improvements relate to general router functions rather than a specific feature, we cannot say that you only need to upgrade if you make use of one particular feature (e.g. VPN, TR-69, wireless etc.) or a particular topology (public facing, non-NAT, VLANs etc). If further information is available, it will be added to this page but at this stage the advice and priority is to upgrade your units or any that you manage. Also, to advise your customers of this.

Whilst we are not aware of any in-the-wild exploits which have taken advantage of the previous firmware, we consider them to be important to improve operation and security and so this firmware is therefore designated as 'critical' (DrayTek Level 2). Critical firmware updates should be deployed as soon as possible. We understand that this can be inconvenient and have logisitcal complexities so can take time in some circumstances; the natural time it takes to roll out upgrades to your router estate should not provide material increased risk, but you should still upgrade as soon as possible.

The critical firmware update is based on the immediately released previous firmware so you should not see any functional difference in operation.

More Specific Detail of the Improvement

The above information should be sufficient for you to take the decision to upgrade your router(s). We appreciate that some users might wish to make their own assessment on the importance and priority and wish to have more in-depth detail to help with that decision however, as the improvements are not related to a known public/in-the-wild issue and we're not aware of an in-the-wild exploit, we want to try to keep it that way.

It would be against the interests of all users to provide detailed information - the information would potentally only be useful for hackers to try and find a way to make use of older firmware or areas to focus on. The best way to protect users at this stage is, therefore, by not sharing the detail. If you did have further details, it would most likely lead to the same action on your behalf - to upgrade your routers. You will hopefully appreciate that we are best equipped to give that advice - we appreciate that might be frustrating but hope you will understand the reason.

If further information is available, it will be added to this page but at this stage the advice and priority is to upgrade your units or any that you manage. Also, if you are a reseller, to advise your customers of this.

How to Upgrade your product's firmware

These instructions and advisory relate to UK/Ireland users only. If you are in another region, you should obtain locally from your official distributor to match your locale and hardware.

Check the exact model you have and then download your new firmware from this web page. The firmware file for a series is normally suitable for all models within that series (e.g. "Vigor 2830 firmware" is for Vigor 2830, 2830n etc.) but watch out for specific variants such as dual band or PBX models where separate firmware exists.

Once you have the appropriate firmware file for your product, upgrade firmware from the 'system maintenance' menu in the web interface on your product. You should back up the current config before any upgrade (from the same menu). Remember that the .ALL file will upgrade firmware but the .RST file will upgrade firmware and wipe out all settings back to factory defaults. Always take a config. backup before upgrading. If you have questions about how to upgrade your products, please contact our support department by clicking here (UK/Ireland only).

Always keep firmware up to date

We would also take this opportunity to remind users that they should have a regular program of checking and updating product firmware even when there isn't a specific announcement like this one. This applies to all IT products, not just routers. This ensures that you have the latest features, improvements but also security improvements to help product in a continuously evolving threat landscape. Also, it's not recommended to go from a very old firmware to the latest one as there may be a lot of new features and operational changes - it's better to make small increments. You can join the UK/Ireland owners' mailing list to receive future advisories.

Larger Router Estates

Users of larger estates of routers will have their own different management plans to keep products up to date but if you are a user of DrayTek's ACS-SI management platform, you can use that to upgrade your routers en-masse. We recommend smaller test batches first (and always backup first) especially if you are jumping across several older firmware versions. When considering the order of which to upgrade, as mentioned earlier there is no specific feature or topology related to the new firmware so there's no logical order that we can recommend.

General Security Advice

Do also download and read the 2017 edition of our Router Security Guide. This is essential reading for any router owner (and brand).

Disclaimer : Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information is this web page is provided in good faith based on the the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.