babis3g wrote: most of the devices already are been updated ... which model are you looking for?

Hi babis3g,

I know you've suggested that "most of the devices have been updated", but of the list below can you please specifically identify which devices from the list have officially been updated. That would make it clear for anyone who's reading this post, or for anyone who owns one of the listed devices who is equally concerned about security flaws.

I can see that no official updates have been posted on the same article relevant to the listed devices to clarify whether the issue on the devices below have since been resolved, which is even more reason to have a relevant topic for this in the announcement page .


Official List
Vigor2860 series | v3.7.8
Vigor2925 series | v3.7.8
Vigor2760 Delight series | v3.7.8
Vigor130 | v3.7.8
Vigor 2130 series | v1.5.4.2
Vigor2760 series | v1.2.1.2
Vigor2912 series | v3.7.5.4
Vigor2120 series | v3.7.5.3
Vigor2830 series | v3.6.8
Vigor2920 series | v3.6.8
Vigor2110 series | v3.6.8
Vigor3200 series | v3.6.8
Vigor2710 series | v3.6.8
Vigor2850 series | v3.6.8
VigorAP900 | v1.1.5
VigorAP810 | v1.1.2
VigorAP710 | v1.1.2
Vigor3900 - Vigor2960 - Vigor300B | v1.0.9
VigorACS SI | v1.1.6
Smart VPN client | v4.3.2

Thank you.

Hi, welcome
All the model in this list below
http://www.draytek.com/index.php?option=com_k2&view=item&id=5533&Itemid=293&lang=en
(some have even and a later one firmware with other features fixed)

APART
2110
2710
2830 DB
2850
Vigor ACS SI

21 devices are updated & still other 5 to follow
Can double check here
http://www.draytek.com/index.php?option=com_jumi&view=application&fileid=15&Itemid=583&lang=en

SOUK wrote:
Official List
Vigor2860 series | v3.7.8 -> v3.7.8
Vigor2925 series | v3.7.8 -> 3.7.8.1
Vigor2760 Delight series | v3.7.8 -> 3.7.8
Vigor130 | v3.7.8 -> 3.7.8
Vigor 2130 series | v1.5.4.2 -> 1.5.4.2
Vigor2760 series | v1.2.1.2 -> v1.2.1.2
Vigor2912 series | v3.7.5.4 -> 3.7.5.5
Vigor2120 series | v3.7.5.3 -> 3.7.5.3
Vigor2830 series | v3.6.8 -> 3.6.8
Vigor2920 series | v3.6.8 -> 3.6.8
Vigor2110 series | v3.6.8
Vigor3200 series | v3.6.8 -> 3.6.8
Vigor2710 series | v3.6.8
Vigor2850 series | v3.6.8
VigorAP900 | v1.1.5 -> 1.1.5.1
VigorAP810 | v1.1.2 -> 1.1.2
VigorAP710 | v1.1.2 -> 1.1.2
Vigor3900 - Vigor2960 - Vigor300B | v1.0.9 -> 1.0.9.1 -> 1.0.9.1 -> 1.0.9.1
VigorACS SI | v1.1.6
Smart VPN client | v4.3.2 -> 4.3.2.1

When will the version for Vigor2830 dual band be coming?

Seems like its taking a long time.

SOUK wrote: i find it extremely annoying that Draytek would have been aware of this (or should have been) since back in October 14, 2014 when this vulnerability was made public

DrayTek posted their advisory on 19th October, so I'm not sure what your point is.

Were you expecting them to write new firmware, test it and publish it for a dozen different routers the same day?

SOUK wrote: why has this still not been added to the announcement page on this forum?

Because I didn't add it... If you want formal information, ask DrayTek - this is a user forum and we (the mods) don't offer any SLA

admin wrote:

SOUK wrote: i find it extremely annoying that Draytek would have been aware of this (or should have been) since back in October 14, 2014 when this vulnerability was made public

DrayTek posted their advisory on 19th October, so I'm not sure what your point is.

DrayTek posted their advisory huh..?


Well my product is registered with them and I never received any email notification, heads up or warnings from them or their resellers about any security flaws or announcements. It's almost like them along with many other companies just expect people to randomly stumble on this information, which is ridiculous really.

I guess if they really wanted to be transparent and as a sign of good faith they could have simply created a pop-up on their main draytek.com website, emailed registered owners and made a few social media posts to let existing customers and potential new customers know of the recent flaw and pending fix. Giving them clear incite and awareness, enabling them to make a clear choice as to whether they should continue to use or buy security flawed products.

admin wrote: Were you expecting them to write new firmware, test it and publish it for a dozen different routers the same day?

At which point did I or anyone expect them to resolve the issue in a matter of days, that would be a ridiculous expectation. The point was that Draytek left it 'MONTHS' with no fix, leaving many homes and business's that relied on that method of security for day to day operations at risk. Did they just expect expected us to unplug all affected Draytek equipment from customers sites until they can work out how to fix their flaws for months on end, or did they expect us to leave our customers vulnerable?

I'm assuming that your someone that actually uses Draytek equipment and knows or understands the types of scenarios or places that one could expect to find this type of equipment. So it boggles the brain that you wouldn't really see any urgency for security flaws to be quickly resolved. If you think its okay for a company to sell a product with a specific set of features, boasting levels of security, telling you its secure when its not, I guess more fool you.

admin wrote:

SOUK wrote: why has this still not been added to the announcement page on this forum?

Because I didn't add it... If you want formal information, ask DrayTek - this is a user forum and we (the mods) don't offer any SLA

I would have thought it would have been the 'decent' thing to do, especially as a Draytek community forum. Do you think Draytek forum members don't want to know if their products have security flaws?