Security information

The keys for downloading new antivirus patterns from the manufacturer Avira expire on September 30, 2023. In order for you to be able to still use the antivirus function as usual after this date, an LCOS FX update is required, which contains new keys. Without an update to these versions, the antivirus function of the Unified Firewalls will block every invoked website from October 01, 2023, or, depending on manual settings, pass through all data traffic unfiltered.

The keys are updated in the following LCOS FX versions:

• LCOS FX 10.11 RU3
• LCOS FX 10.12 RU3

LANCOM Systems strongly recommends performing an update to the versions mentioned above. These are available to download as of now in the Firewall license portal as well as via the Online updater.

The media has reported a security vulnerability in the error handling of the Border Gateway Protocol (BGP), which allows potential attackers to disrupt network connections in the Internet by sending tampered BGP attributes (see the blog entry of the security researcher).

After an in-depth review, we found that the following LANCOM products are not affected by this vulnerability:

• LANCOM routers with LCOS as of version 10.70
• All LANCOM access points (LCOS and LCOS LX)
• All LANCOM switches (except LANCOM XS-6128QF)
• LANCOM R&S® Unified Firewalls with LCOS FX up to and including version 10.8 (no support for BGP yet)
  • LCOS FX as of version 10.11 RU3 (security vulnerability fixed in the firmware; it can be downloaded in the Firewall license portal as well as via the Online updater)
  • LCOS FX as of version 10.12 RU3 (security vulnerability fixed in the firmware; it can be downloaded in the Firewall license portal as well as via the Online updater)
• LANCOM Management Cloud
• LANtools (LANconfig & LANmonitor)
• LANCOM Advanced VPN Client

According to our analysis, the following products are affected by the vulnerability:

• LANCOM routers with LCOS up to and including version 10.50 (as of september 2023)
• LANCOM XS-6128QF with LCOS SX 5.x
• LANCOM R&S® Unified Firewalls with LCOS FX as of version 10.9
  • up to and including LCOS FX 10.11 RU2 (branch LCOS FX 10.11)
  • up to and including LCOS FX 10.12 RU2 (branch LCOS FX 10.12)

Typically, BGP is not used in the Internet on LANCOM routers and Unified Firewalls as well as the XS-6128QF, but in closed environments and private networks. In addition, LANCOM routers and Unified Firewalls are designed as a VPN or security gateway and not as a router for an Internet node. LANCOM Systems therefore classifies the security risk for the affected LANCOM devices as rather low.                                                                                                                                                                                                                                                                                                

The security vulnerability in the affected products will be fixed with a patch as soon as possible. We will update this page accordingly.

There have been reports in the media about a vulnerability in the SSH agent of OpenSSH up to version 9.3p2 (see also CVE-2023-38408), where an insufficiently trusted search path can be used for remote code execution if an agent is forwarded to an attacker-controlled system.

LANCOM software and hardware products are not affected by this vulnerability, as OpenSSH is either not used at all or the function is not used.

On the website tunnelcrack.mathyvanhoef.com, security specialist Mathy Vanhoef describes in the paper "Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables" two general classes of attacks against VPN clients with which an attacker can cause network traffic from the user's computer (PC, notebook, smartphone), which is actually intended for the VPN tunnel, to inadmissibly bypass the VPN tunnel and reach the local or public network unencrypted.

After extensive analysis, we can report that the LANCOM Advanced VPN Client in its versions for Windows and macOS operating systems are also affected by these attack possibilities.

In our Knowledge Base, we provide our customers with all important information as well as suitable countermeasures.

LANCOM Systems takes customer feedback regarding quality and security of its products very seriously. Through customer feedback, an issue was fixed when using a WLC-Tunnel in combination with Timeframes, which posed a possible vulnerability. You can find additional information regarding this issue in the Release Notes of LCOS LX 6.12.

The issue is fixed in LCOS LX 6.12 Rel. You can download this version from our download area.

WiFi products with LCOS are not affected by this issue.

Various vulnerabilities in web interfaces of CISCO switches have been reported in the media (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161 & CVE-2023-20189, see BSI announcement).

LANCOM Systems switches are not affected by these vulnerabilities.

There are currently reports in the media about a vulnerability in the Service Location Protocol (SLP), through which a potential attacker would be able to execute denial-of-service attacks on the target system (see CVE-2023-29552).

After thorough analysis, we can report that LANCOM hardware and software products are not affected by this vulnerability.

On 22.02.2023 we received news, that our OEM partner for Content-Filtering and Anti-Spam services for the Uniified Firewalls has gone bankrupt, so that the operation of both services can no longer be guaranteed without interruption.

Since 29.03.2023 we have provided our customers with an update to LCOS FX version 10.11, in which a new service has been implemented. We therefore recommend that all customers switch to the new software version LCOS FX 10.11 immediately.

You can obtain the current firmware from the firewall licence portal on our website and via the update functions in the web interface and the LMC.

If you are unable to update to LCOS FX 10.11, please note the following information:

Not affected: Antivirus and Anti-Malware, Application filter, IDS / IPS and all LANCOM UF Basic License features. The Content Filter in LCOS routers is also not affected by this issue. 

Impact of a potential outage:

Should a failure of the Content-Filtering and Anti-Spam services occur, this would have the following effects:

• The Firewall acts, as if both services were deactivated.
• Invoking websites is possible without any limitations.
• E-Mails are forwarded without Spam checking and filtering.

Further measures:

• Usage of the Content Filter in combination with the BPjM module. The BPjM filter uses an official list of websites of the german Bundesprüfstelle für jugendgefährende Medien (BPjM), whose contents are classified as harmful to minors. You can find a Knowledge Base article on how to configure the BPjM filter here.
• Awareness: Information regarding sensitive handling of suspicious E-Mails and especially phishing should be again pointed out clearly.   

If you have any questions regarding this issue feel free to contact us via faq_utm@lancom.de or via phone on +49 (0) 2405 / 49 93 6-210. The answers will be published as a FAQ on our website.

On 27.03.2023 the security specialist Mathy Vanhoef published the paper „Framing Frames“, which details three different WiFi security flaws:

1. "Overriding the Victims Security Context / MAC address stealing attacks"
   
   LANCOM WiFi products with LCOS and LCOS LX are affected by this behavior. LANCOM Systems classifies this security flaw as low, as a potential attacker would already have to be authenticated with the correct login credentials in the network.
   
   LANCOM Systems recommends to separate trusted and untrusted WiFi clients by using different SSIDs and networks (see example configuration in a WLAN-Controller scenario). Furthermore in a scenario with a single access point or WiFi router the attack can be prevented by activating the feature “Protected Management Frames“ (see reference manuals LCOS and LCOS LX).
   
   Regardless we are reviewing the implementation of additional security measures to prevent the execution of this attack in general.
    
2. "Leaking frames from the Queue"
   
   LANCOM WiFi products with LCOS and LCOS LX are not affected by this behavior.
    
3. "Abusing the queue for Network Disruptions"
   
   This security flaw is based on a flaw within the 802.11 standard. LANCOM WiFi products with LCOS and LCOS LX are therefore affected by this behavior.
   
   LANCOM Systems is reviewing the implementation of additional security measures to prevent the execution of this attack in general.

We have gathered additional information regarding the individual security flaws in this Knowledge Base article.

At the beginning of February, several vulnerabilities in OpenSSL were published. This makes it possible, among other things, to read memory contents when CRL checking is activated or to carry out a DoS attack (see OpenSSL Security Advisory).

LANCOM products are affected and updates are available:

• LCOS 10.72 SU2 - available as of  28.02.2023
• LCOS 10.50 RU10 - available since 27.02.2023
• LCOS 10.42 SU10 - available as of  28.02.2023
• LCOS FX 10.11 Rel - available as of  29.03.2023
• LCOS LX 6.10 Rel - available as of 28.02.2023
• LCOS LX 5.38 SU1 - available as of 16.03.2023
• LCOS LX 5.36 SU2 - available as of 09.03.2023
• LCOS SX 4.20 REL - available as of 23.03.2023
• LCOS SX 5.20 RU3 - available as of 15.06.2023

The following LANCOM products are not affected:

• LANCOM Management Cloud
• Devices with LCOS SX 3.34 RU2

Note regarding LCOS LX and LCOS SX:

These are not affected by the vulnerability CVE-2023-0286 rated as "High", as the relevant function is not used. The remaining vulnerabilities are rated "Moderate" and will be closed in the next update (see above). This note will be updated as soon as the release dates are fixed.

Note on obtaining the updates:

• The firmware files for LCOS, LCOS LX and LCOS SX are available for download from our website. 
• The firmware files for LCOS FX are available in our licence portal.

Update 15.02.2023:

Since a few days news referring to this security vulnerability has been published in the media and can thus give the impression, that this vulnerabilty has reappeared. However, it is just an update in the SUSE Linux kernel.

On LANCOM access points and WiFi routers the security vulnerability has been fixed with the firmware versions mentioned in the original message.

Original message from 11.05.2021:

The security researcher Mathy Vanhoef published vulnerabilities in the WLAN standard IEEE 802.11 and its implementations in a report. These vulnerabilities affect large parts of the WLAN industry. Vulnerabilities in the "Frame Aggregation" & "Frame Fragmentation" functions:

LANCOM products are affected by the following CVEs:

• CVE-2020-24588
• CVE-2020-26144
• CVE-2020-26146
• CVE-2020-26147

These vulnerabilities have been fixed in LANCOM WLAN products that are operated with LCOS as of LCOS 10.42 REL . The corresponding security patch is also included in the following LCOS versions:

• LCOS 10.34 RU3
• LCOS 10.20 SU11
• LCOS 10.12 SU16 (only for devices which do not support newer firmware anymore)

With LANCOM access points of the type LW-500 the vulnerabilities have been fixed as of LCOS LX 5.30 RU2. The security patch as of firmware version 5.30 SU3 is available for Wi-Fi 6-capable LANCOM access points of the type LW-600 and LX-6400/6402. LANCOM Systems recommends updating to the firmware versions mentioned. The LCOS Firmware 10.12 SU16 and LCOS LX 5.30 SU3 can be downloaded free of charge from the LANCOM Website from May 12, 2021. In the LANCOM Management Cloud, all patches are available now or immediately after release. If you use the LANconfig auto-updater, the availability may take some time. For older products that no longer receive this security patch, we recommend migrating to new WLAN technologies in the medium term.

In October 2022 various security vulnerabilities in the Linux kernel were published (CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722), which allow the execution of any code (Remote Code Execution) or can cause a device crash (Denial of Service).

LANCOM Wi-Fi routers and Access Points are not affected by this behaviour.

There are currently reports in the media about several vulnerabilities in OpenSSL 3.0, which have been fixed by the "OpenSSL Project" with the security patch 3.0.7 released on November 2, 2022.

After thorough analysis, we can report that LANCOM operating systems (all LCOS versions) and devices as well as the Advanced VPN Client and the LANtools are not affected by the vulnerabilities.

The LMC is currently still being evaluated. As soon as a result is available, it will be published in this release.

LANCOM Systems takes customer feedback regarding quality and security of its products very seriously. Through customer feedback, a behavior on a LANCOM GS-2352(P) switch was identified. This only affects the GS-2352(P), but not the rest of the GS-23xx series switches or other switch series.

If a device connected to the switch ports 1 – 24 sends a packet to the switch, it is also mirrored to the ports 25 – 50. This only affects packets destined for the switch itself but not data traffic destined for other network devices.

Therefore, LANCOM Systems recommends to always use secure and encrypted communication protocols for operating and managing its products. On a GS-23xx series switch, several insecure protocols can be used with default settings. LANCOM Systems therefore strongly recommends to adjust the security settings on the switch, if not already implemented. The procedure is described in this Knowledge Base article.

The media have reported a vulnerability in the OpenSSL library that allows an attacker to perform a DoS attack on the target system using crafted TLS certificates (see CVE-2022-0778).

LANCOM products are affected by this vulnerability due to the OpenSSL versions used. It is recommended to update to the following operating system versions:

• LCOS 10.50 as of version RU7
• LCOS 10.42 as of version RU7
• LCOS 10.34 SU5
• LCOS 10.32.0031 PR (BSI BSZ)
• LCOS FX 10.7 as of version RU2
• LCOS LX as of version 5.36 REL
• LCOS SX as of versions 3.34 REL & 4.00 RU7
• LCOS SX as of version 5.20 RU1

All operating system versions are available as a download on our website.

The LANCOM Management Cloud (LMC) has already been provided with a security patch.

For private LMC instances, the host systems may be affected, not the LANCOM products themselves. In this case, we recommend securing the systems with appropriate patches.

The media report a critical vulnerability in the open source framework of the Java platform "Spring", which has become known as "Spring4Shell" (CVE-2022-22965).

After a thorough analysis we can report that LANCOM operating systems (all LCOS versions) as well as the LANCOM Management Cloud and the LANCOM Advanced VPN Client are not affected by the vulnerability.

There are reports in the media about a security vulnerability in the NetUSB kernel module from the manufacturer KCodes, which can be exploited by attackers to execute code remotely and also to take over systems (see CVE-2021-45388). After thorough analysis, we can report that LANCOM products (hardware, software, LANCOM Management Cloud) and operating systems (all LCOS versions) are not affected by this vulnerability.

The media reports a security vulnerability in the logging library "Log4j", which may allow an attacker to execute own program code on the target system (see CVE-2021-44228). After a thorough analysis, we can report that LANCOM products (hardware, software, LANCOM Management Cloud) and operating systems (all LCOS versions) are not affected by the security vulnerability. If you have any questions, please contact LANCOM Support.