Vulnerability Development mailing list archives

draytek-Router: undocumented open configuration ports


From: Kai Kretschmann <K.Kretschmann () security-gui de>
Date: Fri, 1 Mar 2002 08:30:03 +0100

We have received a possible security problem with draytek/vigor DSL routers of the 2000 and 2200 series.

The draytek 2000 series has an undocumented open port at 56415/tcp. The vendor declared this port for use with "smart start wizard", a feature one would expect only within the local network, not at the internet side.

The draytek 2200 series with newer firmware got a new VPN feature which opened another port, 1723/tcp, even when no VPN is configured at all. In our view it should be filtered to allow only the configured VPN partners.

The vendor and manufacturer were informed by a draytek user in August 2001 and confirmed the problem. They haven't solved it until now! But they replied in a rather uncooperative way:

"An open port itself is no security risk - your own document states this. The attacker must know about a known problem behind the open port as per the text above. If you are correct in your assessment a simple search with Google should turn up dozens of hacker sites. I could not find a single reference - neither on Google nor on typical hacker sites. So, while I do appreciate the effort you are putting into this research I would also appreciate you using more appropriate terms in context with your findings."

One possible workaround is to define one or two additional rules within the draytek firewall settings. This didn't work well in at least one case and it is for sure the wrong way to close unwanted services/ports. The better way would be for the manufacturer to document it and close the smart start wizard port from the outside network.

Think Safety
www.security-gui.de
--
Kai Kretschmann k.kretschmann () security-gui de

