DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

l2tpd older than 0.67 vulnerable to a buffer overflow: vigor

21 Sep 2009 23:23 #1 by robauk
Hi All,

I'm using a bunch of 3300V Vigors and in order to keep processing credit cards our bank says we must pass PCI compliance - no problem, I thought.

When the security check does a port scan of the WAN IPs for the DrayTek it fails the checks... So if I cannot fix this in the next few days I need to jump out the window because we won't be able to process credit cards. :shock: :shock:

The routers are all 3300V running latest 2.9.5.0 and the errors are as follows:

1. Protocol: UDP Port: 1701 Detail: The remote host is running a version of l2tpd which is older or equal to 0.67. This version is vulnerable to a buffer overflow which may allow an attacker to gain a root shell on this host. In addition, this program does not initialize its random number generator. Therefore, an attacker may predict some key values and hijack L2TP sessions established to this host. Solution: Upgrade to l2tpd 0.68 or later. Risk Factor: High CVE : CVE-2002-0872, CVE-2002-0873 BID : 5451 Other references : OSVDB:5061, OSVDB:5062

2. The remote host is running a version of l2tpd which is older or equal to 0.68. This version is vulnerable to a buffer overflow which might allow an attacker to execute arbitrary commands on the remote host with super-user privileges. Solution: Upgrade to l2tpd 0.69 or later. Risk Factor: High CVE : CVE-2004-0649 BID : 10466 Other references : OSVDB:6726


So I'm guessing this is referring to the l2tpd version as part of the router :?:

I updated the firmware, and the 2003 server (RADIUS) behind the Vigor is patched up to date.

What else can I do?

:idea:


09 Nov 2009 18:00 #2 by robauk

RobAUK wrote:
what else can I do?

:idea:



Hi All,

Just to let you know, I did log this with DrayTek and they confirmed this bug is there in their firmware, but they cannot give a time frame to fix this.

The only option is to disable L2TP and, if you need it, use a different vendor I guess; lucky for me, I don't actually need it.

Still pretty shocking support from DrayTek - are you listening? :!: :!: :!:
