OpenSSL vulnerability (CVE-2022-0778)
Released Date: 2022-04-27
A denial-of-service vulnerability in OpenSSL (CVE-2022-0778) has been found recently. The BN_mod_sqrt() function in OpenSSL, which is used when parsing certificates, contains a bug that can cause it to go into an endless loop. This bug affects DrayTek products: when parsing or importing a maliciously crafted certificate, the HTTPS server used for management stops working, resulting in a reboot. OpenSSL has released a security update to address the vulnerability. DrayTek is releasing new firmware with security updates for the OpenSSL vulnerability.
More details at: https://www.draytek.com/about/security-advisory/openssl-vulnerability-(cve-2022-0778)/
Updated firmware versions are listed in the Latest Firmware section below.
More routers will be added to the list as new firmware is released in the coming weeks.
Configuring the DrayTek Vigor167 for Bridge Mode
In this video we briefly show how to configure the Vigor167 for bridge mode on firmware version 5.1. This is based on the application note available at: https://faq.draytek.com.au/2022/04/20/configuring-the-draytek-vigor167-for-bridge-mode/
Click here to watch the video.
VPN
Ways to fix the VPN No PPP Control Protocols Configured Error
This application note covers two methods to resolve the error "no PPP link control protocol configured" when it appears during VPN dial-up. It is usually caused by a PPP configuration error in the DrayTek Smart VPN app resulting from a reconfiguration or damaged installation of the WAN Miniport (IP) device in Windows.
Click here to read the application note.
New Features
· Add a new field to display the client's Download/Upload Usage information on mesh station list
Improvements
· Users can access an offline profile on the Network page.
· Fixed: Displaying clients' list on the Client page (when the Vigor device was set as AP mode).
Click here to download the app.
Smart VPN Client (macOS) V1.5.2
Includes bug fixes
Click here to download the app.
Improvements
· Support 802.11ax and 160MHz on APM WLAN Profile.
· Fixed: Improve Web GUI Security.
· Fixed: Improved the OpenSSL security (CVE-2022-0778).
· Fixed: A potential looping issue when rebooting the device.
· Fixed: Getting IP address with OpenVPN remote dial-in profile.
· Fixed: Establishing a BGP connection between Vigor router and Juniper.
· Fixed: ARP frame size (so that it will be larger than the minimum Ethernet frame size)
Click here to download the firmware.
Improvements
· Improve Web GUI Security.
· Disable TR069 from WAN by default.
· Improve the OpenSSL security (CVE-2022-0778).
· Set the OpenVPN encryption version to TLS 1.2 by default.
· Fixed: Let’s Encrypt certificate renewal failure when Access Control is enabled.
· Fixed: IKEv2 EAP VPN (H2L) failure when the subject alternative name of the local certificate was cut incorrectly.
Click here to download the firmware.
Improvements
· Improve Web GUI Security.
· Disable TR069 from WAN by default.
· Improve the OpenSSL security (CVE-2022-0778).
· Set the OpenVPN encryption version to TLS 1.2 by default.
· Fixed: Let’s Encrypt certificate renewal failure when Access Control is enabled.
· Fixed: IKEv2 EAP VPN (H2L) failure when the subject alternative name of the local certificate was cut incorrectly.
Click here to download the firmware.
Firmware is available for the following routers with the following security improvements:
· Improve Web GUI Security.
· Improve the OpenSSL security (CVE-2022-0778)
Click here to download the firmware.
To subscribe to our regular news updates, click on “Subscribe” on this page or log in to your i-helpdesk account and enable the “Subscribe” option.