DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Routers Affected by POODLE (CVE-2014-3566) Vulnerability.

02 Feb 2015 14:41 #82551 by souk
Can we get the official 'Announcements' page updated to include the latest vulnerability that is affecting a lot of us Draytek owners please.

It's been officially announced here on the official DrayTek website, so what better place to put that information than on this forum. :wink:


The Announcement:

DrayTek Vigor routers make use of the vulnerable SSL 3.0 in both server (HTTPS, SSL VPN) and client (TR-069, E-mail, LDAP, CVM) components; therefore, all affected applications will need to be updated to employ TLS. The initial firmware update will include TLS 1.0, with TLS 1.2 to follow in future release.

The official post mentioned above highlights the list of routers and the corresponding firmware versions that are expected to receive the TLS 1.0 update which should rectify the issue.

(Routers that are not in the list are considered to have reached end of life and will not be updated.)



Apparently the models that will receive the vulnerability fix are as follows:

Vigor2860 series | v3.7.8
Vigor2925 series | v3.7.8
Vigor2760 Delight series | v3.7.8
Vigor130 | v3.7.8
Vigor 2130 series | v1.5.4.2
Vigor2760 series | v1.2.1.2
Vigor2912 series | v3.7.5.4
Vigor2120 series | v3.7.5.3
Vigor2830 series | v3.6.8
Vigor2920 series | v3.6.8
Vigor2110 series | v3.6.8
Vigor3200 series | v3.6.8
Vigor2710 series | v3.6.8
Vigor2850 series | v3.6.8
VigorAP900 | v1.1.5
VigorAP810 | v1.1.2
VigorAP710 | v1.1.2
Vigor3900 - Vigor2960 - Vigor300B | v1.0.9
VigorACS SI | v1.1.6
Smart VPN client | v4.3.2


The official announcement was last modified on Wednesday, 10 December 2014 08:11; it's obviously now Monday, 2 February 2015, a whopping 35 business days have passed since that announcement (including the holidays).

Is there any chance of getting an update on when exactly this new firmware is going to be made available, to enable us to properly secure our devices?


03 Feb 2015 17:20 #82564 by babis3g
Most of the devices have already been updated ... which model are you looking for?

05 Feb 2015 09:08 #82581 by souk

babis3g wrote: Most of the devices have already been updated ... which model are you looking for?



For the following models please:

Vigor2830 series | v3.6.8
Vigor2850 series | v3.6.8

v3.6.8 is not showing up on the official Draytek website for me; the latest version on there is only 3.6.6.1_2471201.

05 Feb 2015 16:39 #82592 by babis3g
For the 2830n single band it is already there ... you can use the recommended UK modem code 232201 (for UK SEG) or the other 2 UK alternatives (2471201 - 211801)
http://www.draytek.com/index.php?option=com_jumi&view=application&fileid=15&Itemid=583&lang=en
I don't know when it will be available at the UK download page ... but if you use the same modem codes as the UK ones there will not be line issues
I am already using it with my 2830n SINGLE Band (3.6.8)

The 2830n for Dual Band always (from my experience) follows shortly after

The 2850 should be out by now (from my info) but there is an issue with dhcp-ipvt & it has been delayed ... if you are in a hurry talk to support because they already have beta 3.6.8 RC8 with the security fix (but just testing for iptv) ... if you email them for the beta it may be worth asking when the firmware will be available & at the UK download pages

10 Feb 2015 22:36 #82653 by altomkins
Anyone know when the updated firmware for dual band 2830 and others is coming?

Seems like I've been waiting ages.

Would it be OK for me to use the single band firmware on a dual band?

11 Feb 2015 09:26 #82655 by souk
I appreciate your feedback Babis3g, but I have to say that I find it extremely annoying that Draytek would have been aware of this (or should have been) since back in October 14, 2014 when this vulnerability was made public by Bodo Möller, Thai Duong and Krzysztof Kotowicz online. It's now 11th of February 2015, pretty much 4 months later, and they still haven't buttoned this up.

If Draytek's devs are having problems in resolving an issue in relation to the dhcp-ipv6 side of things in the expected 3.6.8 and other firmware updates, which is preventing (us) its customers from having the expected level of security that we should, then perhaps it might be an idea for Draytek to out-source the firmware update to an organisation who are better equipped to resolve these issues rather than prolonging them, wouldn't you agree?

Also, why has this still not been added to the announcement page on this forum?

SSLv3 Poodle Vulnerability (CVE-2014-3566)
Description and High-Level Mechanics Video:
https://www.youtube.com/watch?v=krAG2YtutnQ
