DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Routers Affected by POODLE (CVE-2014-3566) Vulnerability.

  • souk
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
02 Feb 2015 14:41 #1 by souk
Routers Affected by POODLE (CVE-2014-3566) Vulnerability. was created by souk
Can we get the official ' Announcements' page updated to include the latest vulnerability that is effecting allot of us Draytek owners please.

Its been officially announced here on the official draytek website, so what better place to put that information than on this forum. :wink:


The Announcement:

DrayTek Vigor routers make use of the vulnerable SSL 3.0 in both server (HTTPS, SSL VPN) and client (TR-069, E-mail, LDAP, CVM) components; therefore, all affected applications will need to be updated to employ TLS. The initial firmware update will include TLS 1.0, with TLS 1.2 to follow in future release.

The official post mentioned above highlights the list of routers and the corresponding firmware versions that are expected to receive the TLS 1.0 update which should rectify the issue.

(Routers that are not in the list are considered to have reached end of life and will not be updated.)



Apparently the models that will receive the vulnerability fix are as followed:

Vigor2860 series | v3.7.8
Vigor2925 series | v3.7.8
Vigor2760 Delight series | v3.7.8
Vigor130 | v3.7.8
Vigor 2130 series | v1.5.4.2
Vigor2760 series | v1.2.1.2
Vigor2912 series | v3.7.5.4
Vigor2120 series | v3.7.5.3
Vigor2830 series | v3.6.8
Vigor2920 series | v3.6.8
Vigor2110 series | v3.6.8
Vigor3200 series | v3.6.8
Vigor2710 series | v3.6.8
Vigor2850 series | v3.6.8
VigorAP900 | v1.1.5
VigorAP810 | v1.1.2
VigorAP710 | v1.1.2
Vigor3900 - Vigor2960 - Vigor300B | v1.0.9
VigorACS SI | v1.1.6
Smart VPN client | v4.3.2


The official announcement was last modified on Wednesday, 10 December 2014 08:11; its obviously now Monday, 2 Feburary 2015, a whopping 35 business days have passed since that announcement (including the holidays).

Is their any chance of getting an update on when exactly this new firmware is going to be made available, to enable us to properly secure our devices?

Please Log in or Create an account to join the conversation.

  • babis3g
  • User
  • User
More
03 Feb 2015 17:20 #2 by babis3g
Replied by babis3g on topic Re: Routers Affected by POODLE (CVE-2014-3566) Vulnerability
most of the devices already are been updated ... which model are you looking for?

Please Log in or Create an account to join the conversation.

  • souk
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
05 Feb 2015 09:08 #3 by souk
Replied by souk on topic Re: Routers Affected by POODLE (CVE-2014-3566) Vulnerability

babis3g wrote: most of the devices already are been updated ... which model are you looking for?



For the following models please:

Vigor2830 series | v3.6.8
Vigor2850 series | v3.6.8

v3.6.8 is not showing up on the official Draytek website for me, the latest version on there is only 3.6.6.1_2471201.

Please Log in or Create an account to join the conversation.

  • babis3g
  • User
  • User
More
05 Feb 2015 16:39 #4 by babis3g
Replied by babis3g on topic Re: Routers Affected by POODLE (CVE-2014-3566) Vulnerability
for the 2830n single band is already there ... you can use the recommended UK modem code 232201 (for UK SEG) or the other 2 UK alternatives (2471201 - 211801)
http://www.draytek.com/index.php?option=com_jumi&view=application&fileid=15&Itemid=583&lang=en
I don't know when at UK download page will be available ... but if you will use the same modem codes as the UK ones will not be line issues
I am already using it with my 2830n SINGLE Band (3.6.8 )

The 2830n for Dual Band always (from my experience) it follows shortly later

The 2850 it should be out by now (from my info) but there is an issue with dhcp-ipvt & is been delay ... if you are in hurry talk to the support because they have already beta 3.6.8 RC8 with the security fix (but just testing for iptv) ... if you email them for the beta it may worth asking when the firmware will be available & at UK download pages

Please Log in or Create an account to join the conversation.

  • altomkins
  • User
  • User
More
10 Feb 2015 22:36 #5 by altomkins
Replied by altomkins on topic Re: Routers Affected by POODLE (CVE-2014-3566) Vulnerability
Anyone know when the updated firmware for dual band 2830 and others is coming?

Seems like I've been waiting ages.

Would it be OK for me to use the single band firware on a dual band?

Please Log in or Create an account to join the conversation.

  • souk
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
11 Feb 2015 09:26 #6 by souk
Replied by souk on topic Re: Routers Affected by POODLE (CVE-2014-3566) Vulnerability
I appreciate your feedback Babis3g, but I have to say that i find it extremely annoying that Draytek would have been aware of this (or should have been) since back in October 14, 2014 when this vulnerability was made public by Bodo Möller, Thai Duong and Krzysztof Kotowicz online. Its now 11th of Feburary 2015 pretty much 4 months later and they still havent buttoned this up.

If Draytek's devs are having problems in resolving an issue in relatation to the dhcp-ipv6 side of things in the expected 3.6.8 and other firmware updates which entail is preventing (us) its customers from having the expected level of security that we should, then perhaps it might be an idea for Draytek to out-source the firmware update to an organisation who are better equiped to resolve these issues rather than prolonging them, wouldnt you agree?

Also, why has this still not been added to the announcement page on this forum?

SSLv3 Poodle Vulnerability (CVE­-2014­-3566)
Description and High-Level Mechanics Video:
https://www.youtube.com/watch?v=krAG2YtutnQ

Please Log in or Create an account to join the conversation.