Security Advisory: Vigor 3900 / 2960 / 300B Web Management Vulnerability (Feb 2020) CVE-2020-8515




Priority: Critical

Product Models: Vigor 3900, Vigor 2960, Vigor 300B

Action Required: Update your firmware immediately to version 1.5.1 or later

DrayTek have become aware of a possible exploit of the Vigor 2960 / 3900 / 300B related to the WebUI. On 6th Feb 2020 we released an updated firmware to address this issue.

Necessary Action: Users of affected models should upgrade to 1.5.1 firmware or later as soon as possible.

As an additional precaution, check that no additional remote access profiles (VPN dial-in, teleworker or LAN-to-LAN) or admin users (for router admin) have been added, and that no ACLs (Access Control Lists) have been altered. After upgrading, do check that the web interface now shows the new firmware version. Always back up your config before doing an upgrade.

If you discover anything anomalous on your device, please contact UK support immediately (if you are in the UK/Ireland).

Pre-upgrade Mitigation: You should upgrade firmware as soon as possible. However, if it is impossible to do this immediately, disable remote access to your device or use an ACL for remote access, then upgrade as soon as possible.

Firmware downloads are available from here (For UK/IE Region only).

Update: It has been reported that PoCs (proofs of concept) have been published and that in-the-wild attempts are making use, possibly successfully, of these issues (by benign/friendly actors doing research, but also by nefarious groups or individuals). The advice remains the same: upgrade and check your device, as above.

Always Use Secure Protocols for Internet Activity

Regardless of this specific issue, intercepting data can be made harder by always using secure protocols: HTTPS, TLS applied to email protocols (see below), etc. Some protocols (FTP, Telnet, Syslog, IRC) should be avoided over the open internet; use equivalent secure protocols or VPNs where needed.

Your mail server and mail software/client (Outlook etc.) should be using secure transport. If you check your settings, secure protocols use different TCP ports, e.g. POP3 should use port 995, not 110; SMTP should use port 465, not 25; and IMAP should use port 993, not 143. (The port number itself doesn't mean the connection is secure; those are just the correct ports that would be used on a properly secured server. Check with your ISP for the correct settings.)
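Because the port number alone proves nothing, the check that matters is whether the service on that port actually completes a TLS handshake with a valid certificate. The following is an added example, not DrayTek code: the function names and the local cleartext listener are constructed for illustration, and it covers implicit TLS on the ports listed above only (STARTTLS upgrades are not probed).

```python
import socket
import ssl
import threading

# Implicit-TLS ports named in the advisory (cleartext equivalents: 110, 25, 143).
SECURE_PORTS = {"pop3": 995, "smtp": 465, "imap": 993}


def probe_tls(host, port, timeout=5.0):
    """Attempt a certificate-verified TLS handshake; return (ok, detail)."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: " + exc.verify_message
    except ssl.SSLError as exc:
        return False, "no TLS on this port: " + (exc.reason or "handshake failed")
    except OSError as exc:
        return False, "connection failed: " + str(exc)


def audit_mail_host(host, ports=SECURE_PORTS):
    """Probe each mail port on host; map protocol name to (ok, detail)."""
    return {proto: probe_tls(host, port) for proto, port in ports.items()}


def start_cleartext_listener():
    """Constructed fixture: local one-shot listener that answers in plain POP3."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(b"+OK POP3 ready\r\n")  # banner instead of a ServerHello
            conn.recv(4096)  # drain the client's ClientHello before closing

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_cleartext_listener()
    # A service on a "mail" port that never negotiates TLS is reported as insecure.
    print(audit_mail_host("127.0.0.1", {"pop3": port}))
```

Against a real server, call `audit_mail_host` with the mail hostname your provider gave you; any entry whose first element is `False` deserves a closer look at the client settings.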

If you have remote access enabled on your router, disable it if you don't need it, and use an access control list (ACL) if possible. An ACL is a preset whitelist of permitted remote IP addresses that can remotely administer your router, blocking anyone else. Alternatively, permit remote administration only through a secure VPN or using VigorACS central management.

Update Mailing List (UK/Ireland)

UK/Ireland users should subscribe to our mailing list in order to receive timely notifications of firmware or critical updates like this and, as a general rule of best practice, always keep all of your products' firmware up to date and check for updates.

Disclaimer: Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.

Please note that mail alerts on this issue will come from our domain "drayteknews.co.uk" not our web domain (draytek.co.uk).  Both of the domains are legitimate and belong to us (DrayTek) but in line with anti-phishing measures, you're quite right to check.