Security Advisory: CSRF & DNS Changed Web Interface Attacks
DrayTek Security Advisory: CSRF & DNS Attacks

TL;DR - Check the DNS settings on your DrayTek router and install new firmware.

 

In May 2018, we became aware of new attacks against web-enabled devices, which include DrayTek routers. The recent attacks have attempted to change DNS settings of routers. We are in the process of releasing updated firmware which you should upgrade to as soon as it is available, but also immediately follow the advice below:

 

  1. Update your firmware immediately, or as soon as updated software is available. Before doing the upgrade, take a backup of your current config in case you need to restore it later (system maintenance -> Config backup).   Do use the .ALL file to upgrade, otherwise you will wipe your router settings.


  2. Check your DNS and DHCP settings on your router.   If you have a router supporting multiple LAN subnets, check settings for each subnet.  Your DNS settings should be either blank, set to the correct DNS server addresses from your ISP or DNS server addresses of a server which you have deliberately set (e.g. Google 8.8.8.8). A known rogue DNS server is 38.134.121.95 - if you see that, your router has been changed.  

    In the case of DHCP, the DHCP server may be disabled, which will typically cause errors on your LAN as devices fail to be issued with IP addresses so the problem is more obvious. 

    [Image: wui_dhcp5.jpg]



  3. If your settings appear to have been compromised, restore a config backup or manually check and correct all settings. Change your admin password and check that no other admin users have been added. Follow all of the advice in our previous CSRF article here.


  4. If you have remote access enabled on your router, disable it if you don't need it, and use an access control list if possible.   If you do not have updated firmware yet, disable remote access.  The ACL does not apply to SSL VPN connections (Port 443) so you should also temporarily disable SSL VPN until you have updated the firmware.

    [Image: wui_disable_sslvpn1.jpg]


  5. Always use secured (SSL/TLS1.2) connections to your router, both LAN and WAN side. To do that, just prefix the address with https://.   Disabling non-SSL/TLS connections:

    [Image: wui_management3.jpg]

    The 'enable validation code' option at the top (above) is recommended. It adds a 'captcha' style option to the web admin login page.


  6. Report to us anything you find which looks suspicious. If you have syslog enabled (you can save syslogs to a USB stick on the router), send those to us securely. To make reports, UK users should use this link.


  7. If you are in the UK/Ireland, ensure that you're a member of our mailing list so that you can receive updates and security advisories like this; otherwise, we have no way to notify you of this and any future issues.
 

The priority for us has been to identify the cause and issue strengthened firmware so this is an initial report/advisory. We continue to monitor and investigate this issue and will update as appropriate.  At this stage, for obvious security reasons,  we will not be providing any further details of the issue.

 

Please share this advisory with other DrayTek users/SysAdmins.


Our firmware download page for UK/Irish users is here. For other regions, check your local DrayTek office or our HQ.  Firmware should start to be available from 18th May 2018 onwards (ETA).

 



UK Sentinel


DrayTek 130 Modem connected to Netgear XR500, ASUS RT-AC86U then connected to Netgear XR500

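As an added illustration (not part of the post above or of DrayTek's advisory), the following Python script applies steps 2 and 3 of the advisory to the DNS/DHCP settings of each LAN subnet: anything matching the rogue resolver 38.134.121.95 named in the advisory is raised as an alert, a blank DNS list or one containing only expected resolvers passes, and an unrecognised resolver or a disabled DHCP server is flagged for manual verification. Only 38.134.121.95 and 8.8.8.8 come from the advisory; the subnet records, the placeholder ISP resolver 203.0.113.53, the address 198.51.100.7 and the function names are constructed for this example, and the script assumes the settings have already been copied out of the router UI (or a config backup) into the plain dicts shown.

```python
"""Audit per-subnet DNS/DHCP settings against the advisory's indicators.

Added example, not DrayTek's code. Assumes the router's DHCP page (one entry
per LAN subnet) has been transcribed into the dicts below.
"""
import ipaddress

# Indicator named in the advisory: the rogue DNS server seen in the attacks.
KNOWN_ROGUE_DNS = {"38.134.121.95"}

# Per-deployment allowlist: your ISP's resolvers plus any resolver you set on
# purpose (8.8.8.8 is the advisory's example). 203.0.113.53 is a constructed
# stand-in for an ISP resolver.
EXPECTED_DNS = {"8.8.8.8", "8.8.4.4", "203.0.113.53"}

# Constructed sample data: what an admin might copy from each subnet's DHCP page.
SAMPLE_SUBNETS = [
    {"name": "LAN1", "dhcp_enabled": True, "dns": ["8.8.8.8", "8.8.4.4"]},
    {"name": "LAN2", "dhcp_enabled": True, "dns": ["38.134.121.95", "8.8.8.8"]},
    {"name": "LAN3", "dhcp_enabled": False, "dns": []},
    {"name": "LAN4", "dhcp_enabled": True, "dns": ["198.51.100.7"]},
]


def classify_dns(server, expected=EXPECTED_DNS, rogue=KNOWN_ROGUE_DNS):
    """Return 'ok', 'rogue', 'unknown' or 'invalid' for one DNS server string."""
    try:
        ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if server in rogue:
        return "rogue"
    if server in expected:
        return "ok"
    return "unknown"


def audit_subnets(subnets, expected=EXPECTED_DNS, rogue=KNOWN_ROGUE_DNS):
    """Return a list of (subnet, severity, message) findings.

    'ALERT' = matches the advisory's rogue-server indicator (treat the router
    as compromised). 'WARN' = verify by hand (unrecognised resolver, DHCP
    server disabled). A blank DNS list with DHCP enabled produces no finding,
    matching the advisory's "blank or expected" rule.
    """
    findings = []
    for subnet in subnets:
        if not subnet["dhcp_enabled"]:
            findings.append((subnet["name"], "WARN",
                             "DHCP server disabled; confirm this is intentional"))
        for server in subnet["dns"]:
            verdict = classify_dns(server, expected, rogue)
            if verdict == "rogue":
                findings.append((subnet["name"], "ALERT",
                                 f"known rogue DNS server {server} configured"))
            elif verdict in ("unknown", "invalid"):
                findings.append((subnet["name"], "WARN",
                                 f"unrecognised DNS server {server!r}; verify against ISP settings"))
    return findings


def router_compromised(findings):
    """True if any finding is an ALERT, i.e. the rogue indicator was present."""
    return any(severity == "ALERT" for _, severity, _ in findings)


if __name__ == "__main__":
    results = audit_subnets(SAMPLE_SUBNETS)
    for name, severity, message in results:
        print(f"{severity:5} {name}: {message}")
    if router_compromised(results):
        # Step 3 of the advisory: restore a backup or correct settings by hand,
        # change the admin password and check for added admin users.
        print("Router settings appear compromised: restore a config backup, "
              "change the admin password and check for added admin users.")
```

Run against the constructed sample the script reports LAN2 as an ALERT (rogue resolver), LAN3 as a WARN (DHCP disabled) and LAN4 as a WARN (unrecognised resolver), and stays silent for LAN1. Replace `EXPECTED_DNS` with the resolvers your ISP actually issues before using it on real settings, since an ISP resolver missing from the allowlist will otherwise show up as a WARN.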


