Networking hardware manufacturer DrayTek is warning that its routers are vulnerable to an exploit allowing an attacker to change Domain Name System (DNS) settings to hijack web traffic and steal personal information.
DrayTek’s security bulletin on the matter contains no explanation of the vulnerability, but advises all customers using its routers to change their administrator passwords immediately.
DrayTek also advises all of its router users to check their DNS settings right away. If anything has changed, you may have been hit by an attacker using the exploit. Keep an eye out for the DNS server 188.8.131.52, which DrayTek said is a known rogue server.
Unaffected by the exploit are DrayTek VigorAP wireless access points, VigorSwitch network switches, and Vigor routers of the following series: 2950, 2955, 2960, 3900, and 3300.
DNS attacks are incredibly dangerous because they affect the way computers connect to the internet. If someone can take control of that, they can track every bit of information that comes and goes from a computer.
Computers use DNS to match a domain name to the IP address associated with it. Internet service providers (ISPs) and other large companies like Google run their own DNS servers, but it’s easy to set up one of your own that redirects users to fake pages.
In the case of an attack like those targeting DrayTek routers, changing the DNS settings can result in an attacker stealing usernames and passwords, snooping on all the internet traffic at an office, and greatly compromising company security.
How to protect your DrayTek router
If you use a DrayTek router that is affected by the exploit, there are several things you can do to protect it.
- Update your router’s firmware, which DrayTek said it is in the process of releasing for all affected models. Be sure to make a backup of your configuration in case something goes wrong. Note: The update links on DrayTek’s website only apply to users in the UK or Ireland.
- Disable remote access to your router if possible. If you require remote access for network admins, establish an access control list to lock out users who haven’t been granted access.
- Always use SSL/TLS 1.2 connections, and disable non-secure connections if possible.
- Double check your DNS settings. If you use multiple LAN subnets, check the DNS settings for each one.
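The DNS check in the last step is easy to automate once the per-subnet resolver settings have been exported from the router. The script below is an added example, not code from DrayTek or from this article: it compares each LAN subnet's resolvers against an allow-list of expected resolvers (the 203.0.113.x and 198.51.100.x addresses are placeholder assumptions; substitute your ISP's or your own resolvers) and against the rogue server named in the advisory, and reports every subnet that needs attention. The subnet-to-resolver mapping is a constructed sample standing in for a real export.

```python
"""Audit per-subnet DNS resolver settings for signs of router DNS hijacking."""
import ipaddress

# Resolvers the organisation expects its LANs to hand out.
# Assumption: documentation-range placeholders; replace with your real resolvers.
EXPECTED_RESOLVERS = {"203.0.113.53", "198.51.100.53"}

# Resolver that DrayTek's advisory identifies as a known rogue server.
KNOWN_ROGUE_RESOLVERS = {"188.8.131.52"}

# Constructed sample: DNS settings for each LAN subnet, as exported from the router.
SAMPLE_SUBNET_DNS = {
    "LAN1 192.168.1.0/24": ["203.0.113.53", "198.51.100.53"],  # untouched
    "LAN2 192.168.2.0/24": ["188.8.131.52", "198.51.100.53"],  # rogue resolver inserted
    "LAN3 192.168.3.0/24": ["192.0.2.9"],                      # unexpected resolver
    "LAN4 192.168.4.0/24": ["not-an-ip"],                      # corrupt entry
}


def audit_dns_settings(subnet_dns, expected=EXPECTED_RESOLVERS, rogue=KNOWN_ROGUE_RESOLVERS):
    """Return {subnet: [finding, ...]} for every subnet whose resolvers look wrong.

    A subnet with only expected resolvers produces no entry. Each resolver is
    normalised through ipaddress so that e.g. '188.8.131.052' still matches.
    """
    findings = {}
    for subnet, resolvers in subnet_dns.items():
        issues = []
        for entry in resolvers:
            try:
                addr = str(ipaddress.ip_address(entry))
            except ValueError:
                issues.append(f"unparseable resolver entry {entry!r}")
                continue
            if addr in rogue:
                issues.append(f"KNOWN ROGUE resolver {addr}")
            elif addr not in expected:
                issues.append(f"unexpected resolver {addr}")
        if issues:
            findings[subnet] = issues
    return findings


if __name__ == "__main__":
    for subnet, issues in audit_dns_settings(SAMPLE_SUBNET_DNS).items():
        print(subnet)
        for issue in issues:
            print("  -", issue)
```

Any subnet reported here should be treated as a sign of compromise: restore the correct resolvers, then follow the password-change and firmware-update steps above.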
DrayTek said, in a statement to SC Magazine, that “there are nearly 800,000 DrayTek routers worldwide,” but did not specify how many of those are affected. It is safe to say that several hundred thousand, if not most, of the 800,000 routers mentioned are affected.
You can see a full list of affected models in DrayTek’s security advisory linked above.
The big takeaways for tech leaders:
- DrayTek routers are vulnerable to a DNS attack that could let a remote user change the DNS settings on affected routers.
- Patches are being rolled out now, and DrayTek router users are strongly advised to install them on all routers, affected or not, immediately.