Security information

Current.
Well informed.

General security information

Inform yourself about the latest security advice for your LANCOM products.

Tunnelvision vulnerability (CVE-2024-3661)

On 06.05.2024, the Leviathan Security Group published information regarding the Tunnelvision vulnerability (CVE-2024-3661), which targets end devices with VPN clients. Attackers can use DHCP option 121 to assign an end device a static route together with an IP address. As a result, data traffic bypasses the VPN tunnel and the attackers can read it.

This vulnerability uses the routing in the operating systems of the end devices as an attack vector. Therefore, LANCOM routers, access points, LANCOM R&S®Unified Firewalls as well as the LMC are not affected.

The Advanced VPN Client / LANCOM Trusted Access Client is affected by this vulnerability. However, attackers can only read the initial message of the VPN connection setup. As the company network cannot be reached via the routing entry assigned by the attackers, no communication with this network is possible.

LANCOM Systems recommends the following countermeasures:

  • In public networks, Split Tunneling should not be used and instead all traffic should be routed via the VPN tunnel (option All through the tunnel in the Advanced VPN Client in the used profile under Split Tunneling or All network traffic (LANCOM Trusted Internet Access - Full Tunnel) in the configuration of the LANCOM Trusted Access Client under Security - LANCOM Trusted Access - Client configuration).
  • On a mobile phone, a hotspot can be established and the notebook can be connected to the hotspot. As the network is controlled by the mobile phone, attackers should not have access to this network. If the notebook features an integrated cellular modem, it can also be connected directly with the Internet.
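
The route option described above, seen from the defender's side, as an added example that is not LANCOM code: it decodes a DHCP option 121 payload (RFC 3442) and lists the pushed routes that would compete with the VPN's own routes in the routing table. The sample bytes, the full-tunnel route and the local subnet are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    router: ipaddress.IPv4Address


def parse_option_121(data: bytes) -> list:
    """Decode DHCP option 121 (classless static routes, RFC 3442)."""
    routes, pos = [], 0
    while pos < len(data):
        prefix_len = data[pos]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        octets = (prefix_len + 7) // 8      # only significant octets are sent
        end = pos + 1 + octets + 4          # length byte + destination + router
        if end > len(data):
            raise ValueError("truncated route entry")
        dest = data[pos + 1:pos + 1 + octets] + bytes(4 - octets)
        routes.append(Route(
            ipaddress.IPv4Network((dest, prefix_len), strict=False),
            ipaddress.IPv4Address(data[end - 4:end]),
        ))
        pos = end
    return routes


def routes_competing_with_tunnel(routes, tunnel_routes, local_subnet):
    """Return pushed routes that cover tunnel destinations with an equal or
    longer prefix, so the OS routing table may prefer them over the VPN."""
    flagged = []
    for route in routes:
        if route.destination.subnet_of(local_subnet):
            continue                        # stays on the local link
        if any(route.destination.overlaps(t)
               and route.destination.prefixlen >= t.prefixlen
               for t in tunnel_routes):
            flagged.append(route)
    return flagged


# Constructed sample option payload (hex), not taken from a real capture.
SAMPLE_OPTION_121 = bytes.fromhex(
    "0100c0a801fe"        # 0.0.0.0/1        via 192.168.1.254
    "0180c0a801fe"        # 128.0.0.0/1      via 192.168.1.254
    "100a14c0a80101"      # 10.20.0.0/16     via 192.168.1.1
    "19c0a80180c0a80101"  # 192.168.1.128/25 via 192.168.1.1
)
FULL_TUNNEL = [ipaddress.IPv4Network("0.0.0.0/0")]       # assumed VPN route
LOCAL_SUBNET = ipaddress.IPv4Network("192.168.1.0/24")   # assumed DHCP lease

if __name__ == "__main__":
    for r in routes_competing_with_tunnel(
            parse_option_121(SAMPLE_OPTION_121), FULL_TUNNEL, LOCAL_SUBNET):
        print(f"{r.destination} via {r.router}")
```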

SSID Confusion Attack – CVE-2023-52424

On 14.05.2024, the security researcher Mathy Vanhoef published information regarding a vulnerability in the Wi-Fi standard in his paper "SSID Confusion: Making Wi-Fi Clients Connect to the Wrong Network". It describes how an attacker can direct a Wi-Fi client to another SSID on a "rogue AP" via a man-in-the-middle attack if the same login credentials are used (this configuration is sometimes used in eduroam scenarios).

In his paper, Mathy Vanhoef reports that some VPN clients deactivate the VPN connection in known/secure networks. As a result, supposedly secure communication can be recorded by an attacker. The Advanced VPN Client / LANCOM Trusted Access Client also uses a mechanism to recognize known/secure networks; however, it does not work based on wireless networks (SSIDs). Therefore, the behavior observed by Mathy Vanhoef cannot occur with the Advanced VPN Client / LANCOM Trusted Access Client.

As this is a vulnerability in the Wi-Fi standard, it can also be exploited with LANCOM products when using 802.1X and under certain conditions also WPA3. If the Wi-Fi standard is updated, LANCOM Systems will make adjustments in the firmware as quickly as possible.

LANCOM Systems therefore recommends using WPA2 or – if possible – using Wi-Fi networks with different login credentials.


Password of the administrator „root“ is reset after writing a full configuration with a further administrator

Through customer feedback, we were able to fix a security flaw in LCOS through which the password of the administrator "root" is reset – and therefore deleted – after a full configuration (e.g. an *.lcf file) is written by a further administrator with supervisor rights.

LCOS is affected as of version 10.80 RU1 by this security flaw. Lower LCOS versions as well as other LANCOM operating systems are not affected. The behavior has been fixed in the LCOS version 10.80 SU4.

Unauthorized access to the router from the WAN (Internet) is not possible through this security vulnerability.

In Public Spot scenarios with a separate guest network with VLAN or a WLC-Tunnel, management access from the guest network to the access points is not possible and therefore the risk is eliminated.


Security vulnerability fixed in LCOS 10.80 SU4:

LANCOM Systems strongly recommends installing the corrected LCOS version 10.80 SU4 (download).


Information on the vulnerability "HTTP/2 CONTINUATION Flood" (VU#421644)

The media report on a security vulnerability in which the unauthorised processing of HTTP/2 headers and continuation frames enables DoS attacks based on network bandwidth or CPU utilisation.

The details of this vulnerability are summarised in the blog of security researcher Bartek Nowotarski.

LANCOM software and hardware products are not affected by this vulnerability, as the HTTP/2 protocol is not used there.


Information regarding the „Backdoor in the XZ Utils (CVE-2024-3094)“

On 29.03.2024, information regarding a backdoor in the XZ Utils was published (CVE-2024-3094), through which attackers could execute their own code (Remote Code Execution).

LANCOM hardware and software products are not affected by this vulnerability.


Information regarding the "Terrapin" security vulnerability in the SSH protocol (CVE-2023-48795)

The media reports about a security vulnerability in the SSH protocol (CVE-2023-48795), which was published by scientists of the Ruhr University Bochum under the name "Terrapin attack".

This is a vulnerability in the SSH protocol standard that allows an attacker to use a “man-in-the-middle” attack to remove data from a secure SSH connection in order to reduce the security of the connection.

The following LANCOM products and operating systems are affected by the vulnerability:

  • LCOS
    • The security vulnerability is fixed in LCOS 10.42 SU13 (download).
    • The security vulnerability is fixed in LCOS 10.50 RU13 (download).
    • The security vulnerability is fixed in LCOS 10.72 RU7 (download).
    • The security vulnerability is fixed in LCOS 10.80 RU2 (download).
  • LCOS FX
    • The security vulnerability is fixed in LCOS FX 10.13 RU3 (download).
  • LCOS LX
    • The security vulnerability is fixed in LCOS LX 6.14 RU1 (download).
  • LCOS SX 4.20
  • LCOS SX 5.20
  • LANconfig
    • The security vulnerability is fixed in LANconfig 10.80 RU3 (download).

The following LANCOM operating systems are not affected by the vulnerability:

  • LCOS SX 3.34
  • LCOS SX 4.00

LANCOM Systems will update the affected products with security patches shortly.

As an immediate measure, LANCOM Systems recommends using the encryption modes AES-GCM or AES-CTR (without Encrypt-then-MAC) for SSH connections, as these modes are not affected by the vulnerability (with LCOS SX 5.20 only possible as of version 5.20 RU7). You can find information regarding the configuration in this Knowledge Base article.

Because "man-in-the-middle" capabilities are needed to exploit the vulnerability (high attack complexity) and an encryption mode affected by the vulnerability also has to be in use (see recommendation), the threat level is not considered critical.
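
To check what an SSH endpoint actually offers against the recommendation above, the following added example (not LANCOM code) goes one step beyond the text: it parses the unencrypted SSH_MSG_KEXINIT payload (RFC 4253) and lists every cipher/MAC offer other than AES-GCM or AES-CTR without Encrypt-then-MAC. The sample payload and its algorithm offer are constructed.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
ETM_SUFFIX = "-etm@openssh.com"


def parse_kexinit(payload: bytes) -> dict:
    """Decode the algorithm name-lists from an unencrypted KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}          # skip message type (1) and cookie (16)
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += length
    return lists


def is_recommended(cipher: str, mac: str = "") -> bool:
    """True for AES-GCM, or AES-CTR with a MAC that is not Encrypt-then-MAC."""
    if cipher.startswith("aes") and cipher.endswith("-gcm@openssh.com"):
        return True              # AEAD mode: the negotiated MAC is not used
    if cipher.startswith("aes") and cipher.endswith("-ctr"):
        return not mac.endswith(ETM_SUFFIX)
    return False


def outside_recommendation(lists: dict, direction: str = "s2c") -> list:
    """List (cipher, mac) offers that fall outside the recommendation.
    mac is None for ciphers that carry their own integrity protection."""
    findings = []
    for cipher in lists["enc_" + direction]:
        if cipher.endswith("-gcm@openssh.com") or "poly1305" in cipher:
            if not is_recommended(cipher):
                findings.append((cipher, None))
            continue
        for mac in lists["mac_" + direction]:
            if not is_recommended(cipher, mac):
                findings.append((cipher, mac))
    return findings


def build_sample_kexinit() -> bytes:
    """Constructed sample payload; the algorithm offer is made up for the demo."""
    enc = "chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,aes128-cbc"
    mac = "hmac-sha2-256-etm@openssh.com,hmac-sha2-256"
    names = ["curve25519-sha256", "ssh-ed25519", enc, enc, mac, mac,
             "none", "none", "", ""]
    body = b"".join(struct.pack(">I", len(n)) + n.encode("ascii") for n in names)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + bytes(5)


if __name__ == "__main__":
    for cipher, mac in outside_recommendation(parse_kexinit(build_sample_kexinit())):
        print(cipher, "with", mac or "(built-in integrity)")
```

A finding means only that the offer is outside the recommended set; it does not by itself show that the pair is affected by the vulnerability.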


Firmware update of LANCOM R&S®Unified Firewalls required due to new keys for the Avira antivirus engine

The keys for downloading new antivirus patterns from the manufacturer Avira expire on September 30, 2023. In order for you to be able to still use the antivirus function as usual after this date, an LCOS FX update is required, which contains new keys. Without an update to these versions, the antivirus function of the Unified Firewalls will block every invoked website from October 01, 2023, or, depending on manual settings, pass through all data traffic unfiltered.

The keys are updated in the following LCOS FX versions:

  • LCOS FX 10.11 RU3
  • LCOS FX 10.12 RU3

LANCOM Systems strongly recommends performing an update to the versions mentioned above. These are available to download as of now in the Firewall license portal as well as via the Online updater.


Information regarding a security vulnerability in the Border Gateway Protocol (BGP) (VU#347067)

The media has reported a security vulnerability in the error handling of the Border Gateway Protocol (BGP), which allows potential attackers to disrupt network connections in the Internet by sending tampered BGP attributes (see the blog entry of the security researcher).

After an in-depth review, we found that the following LANCOM products are not affected by this vulnerability:

  • All LANCOM access points (LCOS and LCOS LX)
  • All LANCOM switches (except LANCOM XS-6128QF)
  • LANCOM R&S® Unified Firewalls with LCOS FX up to and including version 10.8 (no support for BGP yet)
  • LANCOM Management Cloud
  • LANtools (LANconfig & LANmonitor)
  • LANCOM Advanced VPN Client

According to our analysis, the following products are affected by the vulnerability:

  • LANCOM routers with LCOS up to and including version 10.80 REL (as of November 2023)
    • The behaviour is fixed as of LCOS versions 10.72 RU6 and 10.80 RU1.
  • LANCOM XS-6128QF with LCOS SX 5.x
  • LANCOM R&S® Unified Firewalls with LCOS FX as of version 10.9
    • up to and including LCOS FX 10.11 RU2 (branch LCOS FX 10.11)
    • up to and including LCOS FX 10.12 RU2 (branch LCOS FX 10.12)

Typically, BGP is not used in the Internet on LANCOM routers and Unified Firewalls as well as the XS-6128QF, but in closed environments and private networks. In addition, LANCOM routers and Unified Firewalls are designed as a VPN or security gateway and not as a router for an Internet node. LANCOM Systems therefore classifies the security risk for the affected LANCOM devices as rather low.

The security vulnerability in the affected products will be fixed with a patch as soon as possible. We will update this page accordingly.


Information about a security vulnerability in OpenSSH (CVE-2023-38408)

There have been reports in the media about a vulnerability in the SSH agent of OpenSSH up to version 9.3p2 (see also CVE-2023-38408), where an insufficiently trusted search path can be used for remote code execution if an agent is forwarded to an attacker-controlled system.

LANCOM software and hardware products are not affected by this vulnerability, as OpenSSH is either not used at all or the function is not used.


Information on the paper "Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables" by Mathy Vanhoef (VU#563667)

On the website tunnelcrack.mathyvanhoef.com, security specialist Mathy Vanhoef describes in the paper "Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables" two general classes of attacks against VPN clients with which an attacker can cause network traffic from the user's computer (PC, notebook, smartphone), which is actually intended for the VPN tunnel, to inadmissibly bypass the VPN tunnel and reach the local or public network unencrypted.

After extensive analysis, we can report that the LANCOM Advanced VPN Client in its versions for Windows and macOS operating systems is also affected by these attack possibilities.

In our Knowledge Base, we provide our customers with all important information as well as suitable countermeasures.


Possible security vulnerability when using a WLC-Tunnel with LCOS LX access points

LANCOM Systems takes customer feedback regarding quality and security of its products very seriously. Through customer feedback, an issue was fixed when using a WLC-Tunnel in combination with Timeframes, which posed a possible vulnerability. You can find additional information regarding this issue in the Release Notes of LCOS LX 6.12.

The issue is fixed in LCOS LX 6.12 Rel. You can download this version from our download area.

WiFi products with LCOS are not affected by this issue.


Information on vulnerabilities in WEB interfaces of CISCO switches

Various vulnerabilities in web interfaces of CISCO switches have been reported in the media (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161 & CVE-2023-20189, see BSI announcement).

LANCOM Systems switches are not affected by these vulnerabilities.


Information on a vulnerability in Service Location Protocol (CVE-2023-29552)

There are currently reports in the media about a vulnerability in the Service Location Protocol (SLP), through which a potential attacker would be able to execute denial-of-service attacks on the target system (see CVE-2023-29552).

After thorough analysis, we can report that LANCOM hardware and software products are not affected by this vulnerability.


Urgent recommendation for Unified Firewall customers

On 22.02.2023, we received news that our OEM partner for Content-Filtering and Anti-Spam services for the Unified Firewalls has gone bankrupt, so that the operation of both services can no longer be guaranteed without interruption.

Since 29.03.2023 we have provided our customers with an update to LCOS FX version 10.11, in which a new service has been implemented. We therefore recommend that all customers switch to the new software version LCOS FX 10.11 immediately.

You can obtain the current firmware from the firewall licence portal on our website and via the update functions in the web interface and the LMC.

 

If you are unable to update to LCOS FX 10.11, please note the following information:

Not affected: Antivirus and Anti-Malware, Application filter, IDS / IPS and all LANCOM UF Basic License features. The Content Filter in LCOS routers is also not affected by this issue. 

Impact of a potential outage:

Should a failure of the Content-Filtering and Anti-Spam services occur, this would have the following effects:

  • The firewall acts as if both services were deactivated.
  • Invoking websites is possible without any limitations.
  • E-mails are forwarded without spam checking and filtering.

Further measures:

  • Usage of the Content Filter in combination with the BPjM module. The BPjM filter uses an official list of websites from the German Bundesprüfstelle für jugendgefährdende Medien (BPjM) whose contents are classified as harmful to minors. You can find a Knowledge Base article on how to configure the BPjM filter here.
  • Awareness: Users should again be clearly reminded to handle suspicious e-mails, and phishing in particular, with care.

If you have any questions regarding this issue feel free to contact us via faq_utm@lancom.de or via phone on +49 (0) 2405 / 49 93 6-210. The answers will be published as a FAQ on our website.

Information regarding the paper „Framing Frames“ from Mathy Vanhoef (CVE-2022-47522)

On 27.03.2023 the security specialist Mathy Vanhoef published the paper „Framing Frames“, which details three different WiFi security flaws:

  1. "Overriding the Victims Security Context / MAC address stealing attacks"

    LANCOM WiFi products with LCOS and LCOS LX are affected by this behavior. LANCOM Systems classifies this security flaw as low, as a potential attacker would already have to be authenticated with the correct login credentials in the network.

    LANCOM Systems recommends separating trusted and untrusted WiFi clients by using different SSIDs and networks (see example configuration in a WLAN-Controller scenario). Furthermore, in a scenario with a single access point or WiFi router, the attack can be prevented by activating the feature "Protected Management Frames" (see reference manuals LCOS and LCOS LX).

    Regardless, we are reviewing the implementation of additional security measures to prevent the execution of this attack in general.
     
  2. "Leaking frames from the Queue"

    LANCOM WiFi products with LCOS and LCOS LX are not affected by this behavior.
     
  3. "Abusing the queue for Network Disruptions"

    This security flaw is based on a flaw within the 802.11 standard. LANCOM WiFi products with LCOS and LCOS LX are therefore affected by this behavior.

    LANCOM Systems is reviewing the implementation of additional security measures to prevent the execution of this attack in general.


We have gathered additional information regarding the individual security flaws in this Knowledge Base article.


Information about vulnerabilities in OpenSSL (CVE-2023-0286, CVE-2022-4304, CVE-2023-0215 and CVE-2022-4450)

At the beginning of February, several vulnerabilities in OpenSSL were published. This makes it possible, among other things, to read memory contents when CRL checking is activated or to carry out a DoS attack (see OpenSSL Security Advisory).

LANCOM products are affected and updates are available:

  • LCOS 10.72 SU2 - available as of 28.02.2023
  • LCOS 10.50 RU10 - available since 27.02.2023
  • LCOS 10.42 SU10 - available as of 28.02.2023
  • LCOS FX 10.11 Rel - available as of 29.03.2023
  • LCOS LX 6.10 Rel - available as of 28.02.2023
  • LCOS LX 5.38 SU1 - available as of 16.03.2023
  • LCOS LX 5.36 SU2 - available as of 09.03.2023
  • LCOS SX 4.20 REL - available as of 23.03.2023
  • LCOS SX 5.20 RU3 - available as of 15.06.2023

The following LANCOM products are not affected:

  • LANCOM Management Cloud
  • Devices with LCOS SX 3.34 RU2

Note regarding LCOS LX and LCOS SX:

These are not affected by the vulnerability CVE-2023-0286 rated as "High", as the relevant function is not used. The remaining vulnerabilities are rated "Moderate" and will be closed in the next update (see above). This note will be updated as soon as the release dates are fixed.

Note on obtaining the updates:


WLAN vulnerability "Fragattacks" - LANCOM provides patches

Update 15.02.2023:

For a few days, news referring to this security vulnerability has been published in the media, which can give the impression that this vulnerability has reappeared. However, it is just an update in the SUSE Linux kernel.

On LANCOM access points and WiFi routers the security vulnerability has been fixed with the firmware versions mentioned in the original message.

 

Original message from 11.05.2021:

The security researcher Mathy Vanhoef published vulnerabilities in the WLAN standard IEEE 802.11 and its implementations in a report. These vulnerabilities affect large parts of the WLAN industry. Vulnerabilities in the "Frame Aggregation" & "Frame Fragmentation" functions:

LANCOM products are affected by the following CVEs:

These vulnerabilities have been fixed in LANCOM WLAN products that are operated with LCOS as of LCOS 10.42 REL. The corresponding security patch is also included in the following LCOS versions:

With LANCOM access points of the type LW-500 the vulnerabilities have been fixed as of LCOS LX 5.30 RU2. The security patch as of firmware version 5.30 SU3 is available for Wi-Fi 6-capable LANCOM access points of the type LW-600 and LX-6400/6402. LANCOM Systems recommends updating to the firmware versions mentioned. The LCOS Firmware 10.12 SU16 and LCOS LX 5.30 SU3 can be downloaded free of charge from the LANCOM Website from May 12, 2021. In the LANCOM Management Cloud, all patches are available now or immediately after release. If you use the LANconfig auto-updater, the availability may take some time. For older products that no longer receive this security patch, we recommend migrating to new WLAN technologies in the medium term.

Various WLAN security vulnerabilities in the Linux kernel (RCE/DoS)

In October 2022 various security vulnerabilities in the Linux kernel were published (CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722), which allow the execution of any code (Remote Code Execution) or can cause a device crash (Denial of Service).

LANCOM Wi-Fi routers and Access Points are not affected by this behaviour.


Information about vulnerabilities in OpenSSL 3.0

There are currently reports in the media about several vulnerabilities in OpenSSL 3.0, which have been fixed by the "OpenSSL Project" with the security patch 3.0.7 released on November 2, 2022.

After thorough analysis, we can report that LANCOM operating systems (all LCOS versions) and devices as well as the Advanced VPN Client and the LANtools are not affected by the vulnerabilities.

The LMC is currently still being evaluated. As soon as a result is available, it will be published in this release.


Security flaw in GS-2352(P)

LANCOM Systems takes customer feedback regarding quality and security of its products very seriously. Through customer feedback, a behavior on a LANCOM GS-2352(P) switch was identified. This only affects the GS-2352(P), but not the rest of the GS-23xx series switches or other switch series.

If a device connected to the switch ports 1 – 24 sends a packet to the switch, it is also mirrored to the ports 25 – 50. This only affects packets destined for the switch itself but not data traffic destined for other network devices.

Therefore, LANCOM Systems recommends always using secure and encrypted communication protocols for operating and managing its products. On a GS-23xx series switch, several insecure protocols can be used with default settings. LANCOM Systems therefore strongly recommends adjusting the security settings on the switch, if not already implemented. The procedure is described in this Knowledge Base article.


Information on a vulnerability in the OpenSSL library (CVE-2022-0778)

The media have reported a vulnerability in the OpenSSL library that allows an attacker to perform a DoS attack on the target system using crafted TLS certificates (see CVE-2022-0778).

LANCOM products are affected by this vulnerability due to the OpenSSL versions used. It is recommended to update to the following operating system versions:

  • LCOS 10.50 as of version RU7
  • LCOS 10.42 as of version RU7
  • LCOS 10.34 SU5
  • LCOS 10.32.0031 PR (BSI BSZ)
  • LCOS FX 10.7 as of version RU2
  • LCOS LX as of version 5.36 REL
  • LCOS SX as of versions 3.34 REL & 4.00 RU7
  • LCOS SX as of version 5.20 RU1

All operating system versions are available as a download on our website.

The LANCOM Management Cloud (LMC) has already been provided with a security patch.

For private LMC instances, the host systems may be affected, not the LANCOM products themselves. In this case, we recommend securing the systems with appropriate patches.


Information on the "Spring4Shell" vulnerability (CVE-2022-22965)

The media report a critical vulnerability in the open source framework of the Java platform "Spring", which has become known as "Spring4Shell" (CVE-2022-22965).

After a thorough analysis we can report that LANCOM operating systems (all LCOS versions) as well as the LANCOM Management Cloud and the LANCOM Advanced VPN Client are not affected by the vulnerability.


Information about the vulnerability in the KCodes NetUSB kernel module (CVE-2021-45388)

There are reports in the media about a security vulnerability in the NetUSB kernel module from the manufacturer KCodes, which can be exploited by attackers to execute code remotely and also to take over systems (see CVE-2021-45388). After thorough analysis, we can report that LANCOM products (hardware, software, LANCOM Management Cloud) and operating systems (all LCOS versions) are not affected by this vulnerability.


Information about the vulnerability in the "Log4j" logging library (CVE-2021-44228)

The media report a security vulnerability in the logging library "Log4j", which may allow an attacker to execute their own program code on the target system (see CVE-2021-44228). After a thorough analysis, we can report that LANCOM products (hardware, software, LANCOM Management Cloud) and operating systems (all LCOS versions) are not affected by the security vulnerability. If you have any questions, please contact LANCOM Support.