Security Advisory: Mirai Bot / TR-064 / Port 7547 SOAP Vulnerabilities


Security Advisory: TR-064 Vulnerability

In December 2016, a vulnerability was reported in some implementations of the TR-064 and TR-069 management protocols. These protocols are used by many ISPs to monitor CPE (customer premises equipment) in order to maintain network quality/performance. It is claimed that an attack has affected nearly a million routers in Germany. An updated version of the Mirai bot (worm) is being used to exploit these routers. Currently, there does not appear to be any CVE reference for this attack/vulnerability. It is also referred to as a Port 7547 SOAP Remote Execution Attack.

Note that this vulnerability/exploit is not Mirai itself; the Mirai bot is merely the framework/agent which conducts the attacks. Its previous version concentrated on IP cameras/IoT devices. At this stage, it is unclear why many sources refer to TR-069, as the vulnerability seems to be only in some implementations of TR-064, which is an earlier/different protocol, but it may be that some vendors' implementations of TR-069 are affected.

DrayTek Products

No DrayTek products are affected by this vulnerability. We do not use the TR-064 protocol and our TR-069 implementation is not vulnerable to this attack. Regardless of this, it is always recommended that you keep your DrayTek router and other hardware up to date with the latest firmware and read vendor mailing lists (UK users can join here), as security improvements are regularly added and new exploits/vulnerabilities may surface.

Advice Regarding other Services / Products (non-DrayTek)

You should check the equivalent statements/advisories from the vendors of all of your other networking hardware, and then follow each vendor's advice regarding any necessary precautions or updates.

Disclaimer: Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up to date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith, based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks, and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.