General security information

10/19/17

Important security notice about KRACK in the context of P2P and WDS

(Update from 23.10.2017 – security updates available)

In addition to the usual operating modes within buildings, LANCOM access points enable the establishment of radio links or wireless distribution systems (WDS). Corresponding point-to-point or point-to-multipoint connections (P2P) are generally used in outdoor installations, among other things for broadband provision or the networking of open spaces.


The handshake method used to connect an access point with a WLAN client is also used for P2P scenarios, so in principle these installations are also exposed to the WPA2 vulnerability. However, partly because no roaming takes place on such links, carrying out an attack would be far more complex, so the actual risk is extremely low. Nevertheless, access points in P2P and WDS installations should also be updated as soon as patches become available.


Please install appropriate LCOS security updates for your access points and WLAN routers (download area).


Find more information on our FAQ page

Overview - Recommended actions for LANCOM devices

10/16/17

Krack: Important notice about the security loophole in WPA-2

(Update from 23.10.2017 – security updates available)

Over the previous weekend, the first reports appeared about a security vulnerability named “KRACK” that relates to the WPA2 encryption of Wi-Fi products. Under particular conditions, Wi-Fi data may be intercepted by unauthorized parties.


The attack targets the WPA authentication handshake and specifically concerns 802.11r (Roaming Acceleration), Station Mode (Wi-Fi client mode, AutoWDS), and the 802.11s standard. It exploits an imprecision in the protocol specification and therefore affects essentially all manufacturers that support the corresponding protocols and operating modes.


An attack intercepts the connection between exactly one client and its access point or WLAN router (unicast). In principle, group keys for broadcast and multicast traffic are vulnerable too, but they are often filtered, converted into unicast, and they usually do not contain sensitive data.


802.11s is not supported by LANCOM Wi-Fi products. The 802.11r and Station Mode features in our products are deactivated by default. All LANCOM products for which these parameters and operating modes have not explicitly been enabled are unaffected by KRACK. Also, by default LANconfig, WEBconfig and the LANCOM Management Cloud do not activate these functions.


However, internal tests have shown that LANCOM Wi-Fi devices with 802.11r manually or subsequently activated are potentially vulnerable to KRACK. The same applies to 802.11ac access points or routers in station mode and P2P routes.


Please install appropriate LCOS security updates for your access points and WLAN routers (download area).


LANCOM products are not affected by the other vulnerabilities exploited by KRACK.


Also, please check with the manufacturer of your Wi-Fi clients for the availability of updates. These devices need to be updated too. However, a compromised client presents no threat to any other clients.


Find more information on our FAQ page

Overview - Recommended actions for LANCOM devices

06/19/17

CherryBlossom: LANCOM WLAN routers & access points secure against CIA exploits

On Thursday, Wikileaks revealed a CIA spy tool codenamed "CherryBlossom". Wi-Fi devices from numerous manufacturers have been compromised by the injection of manipulated firmware.


According to the documents now published, CherryBlossom infects Wi-Fi routers and access points and is capable of passing on sensitive data and information, including passwords, to third parties.


LANCOM WLAN routers and access points are not affected by CherryBlossom. The tool is a Linux-based program that only runs on devices with a Linux-based firmware. All LANCOM WLAN devices run the closed-source LANCOM operating system LCOS, so the tool cannot be executed on LANCOM devices.


More information about CherryBlossom and a list of affected manufacturers and models is available on the relevant Wikileaks page: https://wikileaks.org/vault7/#Cherry%20Blossom


12/01/16

Worldwide hacker attack on DSL devices: LANCOM routers unaffected

UPDATE 12/01/2016

Over the past few days the media has been reporting on an apparently worldwide attack on DSL routers via the TR-069 remote management port. One effect of this was that customers of Deutsche Telekom have suffered connection failures on a massive scale.


LANCOM routers were unaffected by these attacks. By default, our routers do not support the TR-069 remote management protocol; it is only used if customers explicitly request it. To the best of our knowledge, no impairments have been experienced in those installations either.


Detailed information about the attack is available from infoworld.com.

02/17/16

Security vulnerability glibc: LANCOM routers and switches are secure

Media reports are currently publicizing the threat from the glibc vulnerability in Linux networking software.


LANCOM routers are not affected by this security vulnerability as they do not use a Linux-based operating system. LANCOM routers exclusively use the closed-source operating system LCOS. The glibc library is not used in LANCOM routers, and a proprietary implementation is used for DNS resolution. The glibc library is not used in LANCOM switches either.


Since the LANCOM Management Systems Large Scale Monitor (LSM) and Large Scale Rollout (LSR) are operated under Linux, LANCOM Systems recommends upgrading the Linux system's own glibc library on these systems. Instructions are available in the following KnowledgeBase article.

01/19/16

UPDATE Security Advisory: Potential vulnerability of SSH- and SSL keys

In November 2015 the German news site heise online published this article on the potential vulnerability of SSH and SSL keys (German only):


http://www.heise.de/newsticker/meldung/House-of-Keys-Millionen-von-Geraeten-mit-kompromittierten-Krypto-Schluesseln-im-Netz-3025416.html.


To sum it up, millions of IT products are potentially vulnerable to so-called "man-in-the-middle" attacks when they are accessed via the management protocols SSH and SSL. An attacker who records the respective data traffic (configuration and access data) may thus be able to decrypt the transmitted data. This is due to the industry-wide practice of not assigning the underlying keys and certificates individually per device, but using identical ones across a product family. Such an attack is not trivial to carry out and is subject to further conditions.


This is an industry-wide security issue that affects all well-known vendors, LANCOM Systems included.


LANCOM Systems offers free LCOS security updates that automatically create individual SSH and SSL keys for each device, if such keys are not already active on the device.


According to present knowledge, this vulnerability has not yet been exploited in an attack. LANCOM Systems nevertheless assesses this threat as medium and recommends checking whether your products are potentially affected and implementing the described measures.


This KnowledgeBase article comprises a list of all LANCOM devices with guidance on the creation of individual SSH and SSL keys.


The described measures will fix this vulnerability.
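An added example, not LANCOM's code, of the inventory check the notice above calls for: it reads a known_hosts-style list of management interfaces, computes each device's SSH host key fingerprint the way OpenSSH displays it, and reports any key that more than one device presents, which is exactly the product-family key sharing described. Host names and key blobs are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample inventory in known_hosts format ("host keytype base64-blob").
# The blobs are placeholders, not real device keys; what matters is that three
# of the four devices present the very same host key.
SHARED_BLOB = base64.b64encode(b"constructed-shared-product-family-key").decode()
UNIQUE_BLOB = base64.b64encode(b"constructed-individually-generated-key").decode()

INVENTORY = "\n".join([
    "# management interfaces, collected with ssh-keyscan (constructed)",
    f"router-a.example.net ssh-rsa {SHARED_BLOB}",
    f"router-b.example.net ssh-rsa {SHARED_BLOB}",
    f"ap-c.example.net ssh-rsa {SHARED_BLOB}",
    f"router-d.example.net ssh-rsa {UNIQUE_BLOB}",
])


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a host key blob, in OpenSSH's display form."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each host to (key type, fingerprint); skip blanks, comments, short lines."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host, key_type, blob = fields[0], fields[1], fields[2]
        hosts[host] = (key_type, fingerprint(blob))
    return hosts


def shared_host_keys(text: str) -> dict:
    """Return {fingerprint: sorted hosts} for every key seen on more than one device."""
    by_fp = defaultdict(list)
    for host, (_, fp) in parse_known_hosts(text).items():
        by_fp[fp].append(host)
    return {fp: sorted(h) for fp, h in by_fp.items() if len(h) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(INVENTORY).items():
        print(f"{fp} is shared by {len(hosts)} devices: {', '.join(hosts)}")
```

Any fingerprint listed by the script belongs to a device that still needs individual keys generated after the update.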