DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Routers Affected by POODLE (CVE-2014-3566) Vulnerability.

  • souk
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
11 Feb 2015 13:46 #82659 by souk

babis3g wrote: most of the devices already are been updated ... which model are you looking for?



Hi babis3g,

I know you've suggested that "most of the devices have been updated", but of the list below can you please specifically identify which devices from the list have officially been updated. That would make it clear for anyone who's reading this post, or for anyone who owns one of the listed devices who is equally concerned about security flaws.

I can see that no official updates have been posted on the same article relevant to the listed devices to clarify whether the issue on the devices below have since been resolved, which is even more reason to have a relevant topic for this in the announcement page .


Official List
Vigor2860 series | v3.7.8
Vigor2925 series | v3.7.8
Vigor2760 Delight series | v3.7.8
Vigor130 | v3.7.8
Vigor 2130 series | v1.5.4.2
Vigor2760 series | v1.2.1.2
Vigor2912 series | v3.7.5.4
Vigor2120 series | v3.7.5.3
Vigor2830 series | v3.6.8
Vigor2920 series | v3.6.8
Vigor2110 series | v3.6.8
Vigor3200 series | v3.6.8
Vigor2710 series | v3.6.8
Vigor2850 series | v3.6.8
VigorAP900 | v1.1.5
VigorAP810 | v1.1.2
VigorAP710 | v1.1.2
Vigor3900 - Vigor2960 - Vigor300B | v1.0.9
VigorACS SI | v1.1.6
Smart VPN client | v4.3.2

Thank you.

Please Log in or Create an account to join the conversation.

More
12 Feb 2015 20:13 #82677 by babis3g
Hi, welcome :)
All the model in this list below
http://www.draytek.com/index.php?option=com_k2&view=item&id=5533&Itemid=293&lang=en
(some have even and a later one firmware with other features fixed)

APART
2110
2710
2830 DB
2850
Vigor ACS SI

21 devices are updated & still other 5 to follow
Can double check here
http://www.draytek.com/index.php?option=com_jumi&view=application&fileid=15&Itemid=583&lang=en

Please Log in or Create an account to join the conversation.

More
12 Feb 2015 20:30 #82678 by babis3g

SOUK wrote:
Official List
Vigor2860 series | v3.7.8 -> v3.7.8
Vigor2925 series | v3.7.8 -> 3.7.8.1
Vigor2760 Delight series | v3.7.8 -> 3.7.8
Vigor130 | v3.7.8 -> 3.7.8
Vigor 2130 series | v1.5.4.2 -> 1.5.4.2
Vigor2760 series | v1.2.1.2 -> v1.2.1.2
Vigor2912 series | v3.7.5.4 -> 3.7.5.5
Vigor2120 series | v3.7.5.3 -> 3.7.5.3
Vigor2830 series | v3.6.8 -> 3.6.8
Vigor2920 series | v3.6.8 -> 3.6.8
Vigor2110 series | v3.6.8
Vigor3200 series | v3.6.8 -> 3.6.8
Vigor2710 series | v3.6.8
Vigor2850 series | v3.6.8
VigorAP900 | v1.1.5 -> 1.1.5.1
VigorAP810 | v1.1.2 -> 1.1.2
VigorAP710 | v1.1.2 -> 1.1.2
Vigor3900 - Vigor2960 - Vigor300B | v1.0.9 -> 1.0.9.1 -> 1.0.9.1 -> 1.0.9.1
VigorACS SI | v1.1.6
Smart VPN client | v4.3.2 -> 4.3.2.1

Please Log in or Create an account to join the conversation.

More
16 Feb 2015 21:55 #82701 by altomkins
When will the version for Vigor2830 dual band be coming?

Seems like its taking a long time.

Please Log in or Create an account to join the conversation.

More
07 Mar 2015 18:46 #82878 by admin

SOUK wrote: i find it extremely annoying that Draytek would have been aware of this (or should have been) since back in October 14, 2014 when this vulnerability was made public



DrayTek posted their advisory on 19th October, so I'm not sure what your point is.

Were you expecting them to write new firmware, test it and publish it for a dozen different routers the same day?

SOUK wrote: why has this still not been added to the announcement page on this forum?



Because I didn't add it... If you want formal information, ask DrayTek - this is a user forum and we (the mods) don't offer any SLA :-)



Forum Administrator

Please Log in or Create an account to join the conversation.

  • souk
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
26 Aug 2015 17:25 #84217 by souk

admin wrote:

SOUK wrote: i find it extremely annoying that Draytek would have been aware of this (or should have been) since back in October 14, 2014 when this vulnerability was made public



DrayTek posted their advisory on 19th October, so I'm not sure what your point is.



DrayTek posted their advisory huh..?


Well my product is registered with them and I never received any email notification, heads up or warnings from them or their resellers about any security flaws or announcements. It's almost like them along with many other companies just expect people to randomly stumble on this information, which is ridiculous really.

I guess if they really wanted to be transparent and as a sign of good faith they could have simply created a pop-up on their main draytek.com website, emailed registered owners and made a few social media posts to let existing customers and potential new customers know of the recent flaw and pending fix. Giving them clear incite and awareness, enabling them to make a clear choice as to whether they should continue to use or buy security flawed products.

admin wrote: Were you expecting them to write new firmware, test it and publish it for a dozen different routers the same day?



At which point did I or anyone expect them to resolve the issue in a matter of days, that would be a ridiculous expectation. The point was that Draytek left it 'MONTHS' with no fix, leaving many homes and business's that relied on that method of security for day to day operations at risk. Did they just expect expected us to unplug all affected Draytek equipment from customers sites until they can work out how to fix their flaws for months on end, or did they expect us to leave our customers vulnerable?

I'm assuming that your someone that actually uses Draytek equipment and knows or understands the types of scenarios or places that one could expect to find this type of equipment. So it boggles the brain that you wouldn't really see any urgency for security flaws to be quickly resolved. If you think its okay for a company to sell a product with a specific set of features, boasting levels of security, telling you its secure when its not, I guess more fool you.


admin wrote:

SOUK wrote: why has this still not been added to the announcement page on this forum?



Because I didn't add it... If you want formal information, ask DrayTek - this is a user forum and we (the mods) don't offer any SLA :-)



I would have thought it would have been the 'decent' thing to do, especially as a Draytek community forum. Do you think Draytek forum members don't want to know if their products have security flaws?

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami