Firmware on the router (e.g. Vigor2820 V3.3.3 AnnexA 232201.zip) Once downloaded extract the contents to a location on your computer. There should be two files within the archive:.all – upgrades without losing current configuration details.rst – upgrades resetting the routers configuration details (recommended).
Network hardware vendor DrayTek has announced a security hole in its Vigor range of routers.
- The.ALL is the firmware only and should maintain the config, and.RST includes the firmware and a clean config. Hold the Factory Reset button in whilst turning the router on, the ACT, USB and CMS lights will flash. Load up the Firmware Upgrade Utility, enter 192.168.1.1 as the router IP, and select either the.RST or.ALL file.
- For firmware operations, most DrayTek Vigor 2xxx routers should be supported (and some 3xxx also). The master password generator seems to work for all the models that have been tested for firmware operations.
About 20 different models are affected, most of which seem to have firmware patches available already, so if you have a DrayTek Vigor, please go and check right away if you’re affected.
DrayTek hasn’t given precise details of how the attack works, which is probably a good thing, but it seems to involve what’s known as Cross Site Request Forgery (CSRF).
That’s where a crook can trick your browser into sending commands to websites you’re still logged in to, behind your back. In this case, the website in question is the web interface of your router.
We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers. In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router.
It seems that cybercriminals have been tricking some DrayTek Vigor routers into altering DNS settings via the router configuration interface, switching your DNS server from the one you usually use to an imposter server operated by the crooks.
We don’t have an exhaustive list of rogue DNS servers associated with this security hole. However, DrayTek reports that the IP number 38.134.121.95 can be considered an IOC, or indicator of compromise, as it seems to be owned by crooks. You can find out the IP number of your usual DNS server (or servers) by asking your ISP, or you can chose a trusted public DNS server like Google’s well-known service at 8.8.8.8.
This sort of cybercriminal trick is called DNS hijacking, and it can be tricky to spot – typically, the crooks run a DNS server that mostly tells the truth, so that your web browsing works just fine most of the time.
Imagine, for instance, that you regularly use a search engine called findme.example, located at the IP number 192.0.2.42.
If the crooks control your DNS server, they might tell you the truth about findme.example 99 times out of every 100 times you visit, sending you unexceptionably to the legitimate server at 192.0.2.42, just as you’d expect.
But 1% of the time, they could direct you to an imposter server at, say, 198.51.100.6, and you might very well not notice the anomaly.
Worse still, if you do notice and decide to investigate, everything might be back to normal, leaving you to shrug and carry on unsuspiciously.
What to do?
DrayTek has put up a decent advice page for its UK users, handily headlining it with the text:
TL;DR – Check the DNS settings on your DrayTek router and install new firmware. Please read all of this advisory.
Take DrayTek’s advice: the article is well worth reading even if you’ve already updated your firmware (indeed, it’s useful even if you don’t have a DrayTek router) because it’s full of security tips that are worth doing anyway.
In particular, it seems that this CSRF security hole only works if you previously logged in to the DrayTek administration interface, and then never logged out.
Make a habit of logging out explicitly from your router before closing the admin screen, so your browser won’t be able to reconnect automatically, either by accident or design.
In fact, even though it’s a bit less convenient, we recommend logging out from any website or online service when you aren’t using it – that includes Facebook, Twitter, your webmail, and so on.
Try to be logged in less, not more, so you’re less likely to catch yourself out, or to be caught out by crooks clicking buttons on your behalf.
KB ID 0000568
Problem
You have a Draytek router (In my case a 2800 ADSL 2/2+), and you want to update the firmware to the latest version.
Solution
1. Make sure you have EXACTLY the correct model number, this one’s a Draytek Vigor2800.
Draytek Firmware All Or Rst Driver
2. Go here and download the latest firmware for your model.
3. The firmware will be in a ZIP file download and extract it to your machine.
4. Log into the web console of your Draytek > Navigate to > System Maintenance > Firmware Upgrade. (Note: Newer models will let you upload the firmware from here, ours sadly does not).
5. Download the run the Draytek Firmware Update Utility > Locate the IP address of your router (If you have multiple NICS select the one you will use) > Navigate to the firmware you extracted above > Enter the routers password > Send > Have a Coffee > OK.
Draytek Firmware All Or Rst -
Note: Select the firmware that has an .all extension, WARNING selecting the firmware that has an .rst extension will upgrade the router BUT it also removes all the settings.
Draytek Firmware All Or Rst
6. If you now check your firmware version, it should be correct.
Related Articles, References, Credits, or External Links