Security information

At the beginning of February, several vulnerabilities in OpenSSL were published. This makes it possible, among other things, to read memory contents when CRL checking is activated or to carry out a DoS attack (see OpenSSL Security Advisory).

LANCOM products are affected and updates will be made available as soon as possible:

• LCOS 10.72 SU2 - available as of  28.02.2023
• LCOS 10.50 RU10 - available since 27.02.2023
• LCOS 10.42 SU10 - available as of  28.02.2023
• LCOS FX 10.11 Rel - March 2023
• LCOS LX 6.10 Rel - available as of 28.02.2023
• LCOS LX 5.38 SU1 - available as of 16.03.2023
• LCOS LX 5.36 SU2 - available as of 09.03.2023
• LCOS SX 4.20 REL - March 2023
• LCOS SX 5.20 RU3 - April 2023

The following LANCOM products are not affected:

• LANCOM Management Cloud
• Devices with LCOS SX 3.34 RU2

Note regarding LCOS LX and LCOS SX:

These are not affected by the vulnerability CVE-2023-0286 rated as "High", as the relevant function is not used. The remaining vulnerabilities are rated "Moderate" and will be closed in the next update (see above). This note will be updated as soon as the release dates are fixed.

Note on obtaining the updates:

• The firmware files for LCOS, LCOS LX and LCOS SX are available for download from our website. 
• The firmware files for LCOS FX are available in our licence portal.

On 22.02.2023 we received news, that our OEM partner for Content-Filtering and Anti-Spam services for the Uniified Firewalls has gone bankrupt, so that the operation of both services can no longer be guaranteed without interruption. The services are currently online and under observation.

Not affected: Antivirus and Anti-Malware, Application filter, IDS / IPS and all LANCOM UF Basic License features

The Content Filter in LCOS routers is also not affected by this issue. 
 

Impact of a potential outage:

Should a failure of the Content-Filtering and Anti-Spam services occur, this would have the following effects:

• The Firewall acts, as if both services were deactivated.
• Invoking websites is possible without any limitations.
• E-Mails are forwarded without Spam checking and filtering.

Preventive measures:

• Usage of the Content Filter in combination with the BPjM module. The BPjM filter uses an official list of websites of the german Bundesprüfstelle für jugendgefährende Medien (BPjM), whose contents are classified as harmful to minors. You can find a Knowledge Base article on how to configure the BPjM filter here.
• Awareness: Information regarding sensitive handling of suspicious E-Mails and especially phishing should be again pointed out clearly.   

Our further course of action:

• Current information in case of an outage will be published on this page.
• The new service will be implemented in LCOS FX 10.11, which has an expected release date in march 2023 An update is necessary to use the firewall with Content Filtering and Anti Spam services.

If you have any questions regarding this issue feel free to contact us via faq_utm@lancom.de or via phone on +49 (0) 2405 / 49 93 6-210. The answers will be published as a FAQ on our website.

Update 15.02.2023:

Since a few days news referring to this security vulnerability has been published in the media and can thus give the impression, that this vulnerabilty has reappeared. However, it is just an update in the SUSE Linux kernel.

On LANCOM access points and WiFi routers the security vulnerability has been fixed with the firmware versions mentioned in the original message.

Original message from 11.05.2021:

The security researcher Mathy Vanhoef published vulnerabilities in the WLAN standard IEEE 802.11 and its implementations in a report. These vulnerabilities affect large parts of the WLAN industry. Vulnerabilities in the "Frame Aggregation" & "Frame Fragmentation" functions:

LANCOM products are affected by the following CVEs:

• CVE-2020-24588
• CVE-2020-26144
• CVE-2020-26146
• CVE-2020-26147

These vulnerabilities have been fixed in LANCOM WLAN products that are operated with LCOS as of LCOS 10.42 REL . The corresponding security patch is also included in the following LCOS versions:

• LCOS 10.34 RU3
• LCOS 10.20 SU11
• LCOS 10.12 SU16 (only for devices which do not support newer firmware anymore)

With LANCOM access points of the type LW-500 the vulnerabilities have been fixed as of LCOS LX 5.30 RU2. The security patch as of firmware version 5.30 SU3 is available for Wi-Fi 6-capable LANCOM access points of the type LW-600 and LX-6400/6402. LANCOM Systems recommends updating to the firmware versions mentioned. The LCOS Firmware 10.12 SU16 and LCOS LX 5.30 SU3 can be downloaded free of charge from the LANCOM Website from May 12, 2021. In the LANCOM Management Cloud, all patches are available now or immediately after release. If you use the LANconfig auto-updater, the availability may take some time. For older products that no longer receive this security patch, we recommend migrating to new WLAN technologies in the medium term.

In October 2022 various security vulnerabilities in the Linux kernel were published (CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722), which allow the execution of any code (Remote Code Execution) or can cause a device crash (Denial of Service).

LANCOM Wi-Fi routers and Access Points are not affected by this behaviour.

There are currently reports in the media about several vulnerabilities in OpenSSL 3.0, which have been fixed by the "OpenSSL Project" with the security patch 3.0.7 released on November 2, 2022.

After thorough analysis, we can report that LANCOM operating systems (all LCOS versions) and devices as well as the Advanced VPN Client and the LANtools are not affected by the vulnerabilities.

The LMC is currently still being evaluated. As soon as a result is available, it will be published in this release.

LANCOM Systems takes customer feedback regarding quality and security of its products very seriously. Through customer feedback, a behavior on a LANCOM GS-2352(P) switch was identified. This only affects the GS-2352(P), but not the rest of the GS-23xx series switches or other switch series.

If a device connected to the switch ports 1 – 24 sends a packet to the switch, it is also mirrored to the ports 25 – 50. This only affects packets destined for the switch itself but not data traffic destined for other network devices.

Therefore, LANCOM Systems recommends to always use secure and encrypted communication protocols for operating and managing its products. On a GS-23xx series switch, several insecure protocols can be used with default settings. LANCOM Systems therefore strongly recommends to adjust the security settings on the switch, if not already implemented. The procedure is described in this Knowledge Base article.

The media have reported a vulnerability in the OpenSSL library that allows an attacker to perform a DoS attack on the target system using crafted TLS certificates (see CVE-2022-0778).

LANCOM products are affected by this vulnerability due to the OpenSSL versions used. It is recommended to update to the following operating system versions:

• LCOS 10.50 as of version RU7
• LCOS 10.42 as of version RU7
• LCOS 10.34 SU5
• LCOS 10.32.0031 PR (BSI BSZ)
• LCOS FX 10.7 as of version RU2
• LCOS LX as of version 5.36 REL
• LCOS SX as of versions 3.34 REL & 4.00 RU7
• LCOS SX as of version 5.20 RU1

All operating system versions are available as a download on our website.

The LANCOM Management Cloud (LMC) has already been provided with a security patch.

For private LMC instances, the host systems may be affected, not the LANCOM products themselves. In this case, we recommend securing the systems with appropriate patches.

The media report a critical vulnerability in the open source framework of the Java platform "Spring", which has become known as "Spring4Shell" (CVE-2022-22965).

After a thorough analysis we can report that LANCOM operating systems (all LCOS versions) as well as the LANCOM Management Cloud and the LANCOM Advanced VPN Client are not affected by the vulnerability.

There are reports in the media about a security vulnerability in the NetUSB kernel module from the manufacturer KCodes, which can be exploited by attackers to execute code remotely and also to take over systems (see CVE-2021-45388). After thorough analysis, we can report that LANCOM products (hardware, software, LANCOM Management Cloud) and operating systems (all LCOS versions) are not affected by this vulnerability.

The media reports a security vulnerability in the logging library "Log4j", which may allow an attacker to execute own program code on the target system (see CVE-2021-44228). After a thorough analysis, we can report that LANCOM products (hardware, software, LANCOM Management Cloud) and operating systems (all LCOS versions) are not affected by the security vulnerability. If you have any questions, please contact LANCOM Support.