DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Critical Firmware Release
31 Jan 2017 13:02 #88022
by dr1
Replied by dr1 on topic Re: Critical Firmware Release
I think we need more details than "just upgrade, don't ask questions". Is it related to a web UI issue (and if so, what), a specific CVE, vulnerability disclosure or something else? How do we know how to manage other defences or what type of traffic we're looking for?
Also, I am a bit annoyed that this critical issue has only just been emailed around to users now, given that the release was made on December 20th. Has it just been ramped up to critical because you're now seeing exploitation in the wild?
We need some clear answers here please.
31 Jan 2017 15:00 #88024
by david@pogus.co.uk
Replied by david@pogus.co.uk on topic Re: Critical Firmware Release
Thanks Guys. Hardware acceleration is off and the system seems stable. At least I can get remote access now (In and out). Will have another play with the options to see what works best but certainly I have the functionality back. Appreciated!
31 Jan 2017 16:22 #88027
by zimbo
Replied by zimbo on topic Re: Critical Firmware Release
Wholeheartedly agree with @dr1 - I received an email from Draytek yesterday AM urging I do this "Critical Upgrade" urgently, whereupon it broke my 2850n router when I tried it: see http://www.forum.draytek.co.uk/viewtopic.php?f=14&t=21426
Luckily I have managed to undo the damage the upgrade attempt caused (I hope...), and I trust a revised upgrade will be issued shortly that doesn't kill my router.
31 Jan 2017 17:30 #88029
by hornbyp
Replied by hornbyp on topic Re: Critical Firmware Release
I wrote:
The latest Vigor 2860n (3.8.4.2) firmware appears to have INTRODUCED a Security bug (though it may have fixed others).
This is NOT fixed by 3.8.4.3.
01 Feb 2017 10:43 #88037
by admin
Replied by admin on topic Re: Critical Firmware Release
dr1 wrote:
I think we need more details than "just upgrade, don't ask questions".
No thanks.... I've upgraded my routers but many (most?) people won't have (yet or ever) so it would be totally counter productive and put those users at risk if the issue is something which could be exploited. i.e. "we found a flaw in processing of HTTP packets whereby if you send a packet like this, your trousers fall down..." - that's just alerting every hacker. Just because you're on the ball, doesn't mean you should throw less informed or complacent users under the bus who don't upgrade....
dr1 wrote:
I am a bit annoyed that this critical issue has only just been emailed around to users now, given that the release was made on December 20th.
Why are you annoyed? (And I'm not sure the release was on 20th Dec for any model actually)
dr1 wrote:
Has it just been ramped up to critical because you're now seeing exploitation in the wild?
No, it has not - and I have asked specifically. For the end user mailing list, they waited until they had firmware for all models because people don't register by specific model, plus allowing for some time to ensure there weren't any major issues before a million people upgraded on one day.
I think this is proactive of DrayTek; there's no known public exploit, they're not being blackmailed by some hackers (as far as I know) but they still issued critical firmware to improve something. Other vendors might just fix it quietly and hope no-one ever discovers. They are on YOUR side - no need to make it into some sinister conspiracy theory.
Forum Administrator
01 Feb 2017 10:47 #88038
by admin
Replied by admin on topic Re: Critical Firmware Release
hornbyp wrote:
The latest Vigor 2860n (3.8.4.2) firmware appears to have INTRODUCED a Security bug (though it may have fixed others). This issue was actually spotted by my ISP! (Virgin Media).
Well, I don't know what the bug is (and probably best not to say here) but is it actually a security risk that can't be mitigated? I'm surprised they'd tell you to downgrade otherwise.
Forum Administrator
Moderators: Chris
Copyright © 2025 DrayTek