Security Advisory: Vigor 3910 / 2962 Web Management Vulnerability

Priority: Critical

Product Models: Vigor 3910, Vigor 2962

Action Required: Update your firmware immediately to version 3.9.6.3 or later

DrayTek have become aware of a possible exploit of the Vigor 3910 / 2962 related to the WebUI if remote management is enabled without an ACL in place. On 8th July 2021 we released an updated firmware to address this issue.

Necessary Action: Users of affected models should upgrade to 3.9.6.3 firmware or later as soon as possible.

The exploit could allow an attacker to discover admin and VPN credentials. As an additional precaution, we recommend that router admin passwords and any VPN passwords & PSKs are updated. We’re not aware of any published PoC (proof-of-concepts) relating to this vulnerability but are recommending the post upgrade steps to update credentials as a prudent action. After upgrading, do check that the web interface now shows the new firmware version. Always back up your config before doing an upgrade.

If you discover anything anomalous on your device, please contact UK support immediately (if you are in the UK/Ireland).

Pre-upgrade Mitigation: You should upgrade firmware as soon as possible however if it is impossible to do this immediately, disable remote access to your device or use an ACL for remote access, then upgrade as soon as possible.

Firmware downloads are available from here (For UK/IE Region only).

Best practices

Regardless of this specific issue, targeting systems can be made harder by following some good security practices such as:

• Always disable unused services and protocols
• Use 2FA for user authentication
• Use IPSec X.509 instead of PSK for authentication
• Employ Access Control Lists wherever possible
• Record Syslog and setup VPN/Mail Alerts and review logs periodically
• Change the default self-signed security certificates
• Enable Brute force protection in the Management Setup Menu
• If you have remote access enabled on your router, disable it if you don't need it, and use an access control list (ACL) if possible. An ACL is a preset whitelist of permitted remote IP addresses who can remotely administer your router, blocking anyone else.  Alternatively, permit remote administration only through a secure VPN or using VigorACS central management.

Update Mailing List (UK/Ireland)

UK/Ireland  users  should  subscribe  to our mailing-list in order to receive  timely  notifications  of  firmware  or critical updates like this and as a general rule of best practice, always keep all of your products firmware up to date and check for updates.

Disclaimer : Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information is this web page is provided in good faith based on the the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.

Please note that mail alerts on this issue will come from our domain "drayteknews.co.uk" not our web domain (draytek.co.uk).  Both of the domains are legitimate and belong to us (DrayTek) but in line with anti-phishing measures, you're quite right to check.