Security information


General security information

Inform yourself about the latest security advice for your LANCOM products.

Various WLAN security vulnerabilities in the Linux kernel (RCE/DoS)

In October 2022 various security vulnerabilities in the Linux kernel were published (CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722), which allow the execution of arbitrary code (Remote Code Execution) or can cause a device crash (Denial of Service).

LANCOM Wi-Fi routers and Access Points are not affected by these vulnerabilities.


Information about vulnerabilities in OpenSSL 3.0

There are currently reports in the media about several vulnerabilities in OpenSSL 3.0, which have been fixed by the "OpenSSL Project" with the security patch 3.0.7 released on November 2, 2022.

After thorough analysis, we can report that LANCOM operating systems (all LCOS versions) and devices as well as the Advanced VPN Client and the LANtools are not affected by the vulnerabilities.

The LMC is currently still being evaluated. As soon as a result is available, it will be published in this release.


Security flaw in GS-2352(P)

LANCOM Systems takes customer feedback regarding quality and security of its products very seriously. Through customer feedback, a behavior on a LANCOM GS-2352(P) switch was identified. This only affects the GS-2352(P), but not the rest of the GS-23xx series switches or other switch series.

If a device connected to the switch ports 1 – 24 sends a packet to the switch, it is also mirrored to the ports 25 – 50. This only affects packets destined for the switch itself but not data traffic destined for other network devices.

Therefore, LANCOM Systems recommends always using secure and encrypted communication protocols for operating and managing its products. On a GS-23xx series switch, several insecure protocols can be used with default settings. LANCOM Systems therefore strongly recommends adjusting the security settings on the switch, if this has not already been done. The procedure is described in this Knowledge Base article.


Information on a vulnerability in the OpenSSL library (CVE-2022-0778)

The media have reported a vulnerability in the OpenSSL library that allows an attacker to perform a DoS attack on the target system using crafted TLS certificates (see CVE-2022-0778).

LANCOM products are affected by this vulnerability due to the OpenSSL versions used. It is recommended to update to the following operating system versions:

  • LCOS 10.50 as of version RU7
  • LCOS 10.42 as of version RU7
  • LCOS 10.34 SU5
  • LCOS 10.32.0031 PR (BSI BSZ)
  • LCOS FX 10.7 as of version RU2
  • LCOS LX as of version 5.36 REL
  • LCOS SX as of versions 3.34 REL & 4.00 RU7
  • LCOS SX as of version 5.20 RU1

All operating system versions are available as a download on our website.

The LANCOM Management Cloud (LMC) has already been provided with a security patch.

For private LMC instances, the host systems may be affected, not the LANCOM products themselves. In this case, we recommend securing the systems with appropriate patches.


Information on the "Spring4Shell" vulnerability (CVE-2022-22965)

The media report a critical vulnerability in "Spring", an open source framework for the Java platform, which has become known as "Spring4Shell" (CVE-2022-22965).

After a thorough analysis we can report that LANCOM operating systems (all LCOS versions) as well as the LANCOM Management Cloud and the LANCOM Advanced VPN Client are not affected by the vulnerability.


Information about the vulnerability in the KCodes NetUSB kernel module (CVE-2021-45388)

There are reports in the media about a security vulnerability in the NetUSB kernel module from the manufacturer KCodes, which can be exploited by attackers to execute code remotely and also to take over systems (see CVE-2021-45388). After thorough analysis, we can report that LANCOM products (hardware, software, LANCOM Management Cloud) and operating systems (all LCOS versions) are not affected by this vulnerability.


Information about the vulnerability in the "Log4j" logging library (CVE-2021-44228)

The media report a security vulnerability in the logging library "Log4j", which may allow an attacker to execute their own program code on the target system (see CVE-2021-44228). After a thorough analysis, we can report that LANCOM products (hardware, software, LANCOM Management Cloud) and operating systems (all LCOS versions) are not affected by the security vulnerability. If you have any questions, please contact LANCOM Support.


Vulnerability in the Apache HTTP server module "mod_proxy" (CVE-2021-40438)

The German BSI informs about a vulnerability in the Apache HTTP server module "mod_proxy", whereby a specially crafted URI path in a request can cause the HTTP server (httpd) to forward the request to any server (see CVE-2021-40438). LANCOM devices are not affected by this vulnerability.


Fixing of a security vulnerability in LCOS (CVE-2021-33903)

LANCOM Systems has fixed a security vulnerability in SNMP access in LCOS version 10.42 RU4 and 10.50 REL. This behaviour occurred exclusively in LCOS 10.4x versions and is classified as non-critical by us. Further information is available in the LCOS Release Notes on page 9 as well as in this CVE message.


Reports of new Bluetooth security vulnerabilities (Braktooth)

There have been reports in the media about several new Bluetooth security vulnerabilities that have become known as "Braktooth". After thorough analysis we can report that the Bluetooth chips in LANCOM products are not affected by the Braktooth security vulnerabilities, as the function "BT Classic" is not used.


Information on the security vulnerability INFRA:HALT (Nichestack)

There have been reports in the media about the INFRA:HALT security vulnerability, in which vulnerabilities in the TCP/IP stack of industrial devices have been discovered. LANCOM products are not affected by this vulnerability as the affected TCP stack is not used.


Security update on LANCOM R&S®Unified Firewalls

The security company SySS has identified a security vulnerability in the internal user portal of the Unified Firewall. This vulnerability was published under CVE-2021-31538. When the internal user portal was active on a Unified Firewall with LCOS FX 10.5.x, unauthorized access to the Unified Firewall could be gained from the local network (LAN). Access from the Internet (WAN) was not possible. LCOS FX versions 10.4.x and lower are not affected by this vulnerability. Additional information can be found on the Pentest blog of SySS. LANCOM Systems has fixed the security vulnerability in LCOS FX 10.6 REL and therefore strongly recommends performing an update to this version. The firmware can be downloaded from the myLANCOM Firewall License Portal.


CERT Publication on Vulnerabilities in Bluetooth Core and Mesh Specifications (CERT VU#799380)

The US-CERT has published a report about vulnerabilities in Bluetooth Core and Mesh specifications on 23rd May 2021 (CERT VU#799380). LANCOM devices are not affected by these vulnerabilities because the corresponding Bluetooth functions are not used.


WLAN vulnerability "Fragattacks" - LANCOM provides patches

The security researcher Mathy Vanhoef published vulnerabilities in the WLAN standard IEEE 802.11 and its implementations in a report. These vulnerabilities affect large parts of the WLAN industry. Vulnerabilities in the "Frame Aggregation" & "Frame Fragmentation" functions:

LANCOM products are affected by the following CVEs:

These vulnerabilities have been fixed in LANCOM WLAN products that are operated with LCOS as of LCOS 10.42 REL. The corresponding security patch is also included in the following LCOS versions:

With LANCOM access points of the type LW-500 the vulnerabilities have been fixed as of LCOS LX 5.30 RU2. The security patch as of firmware version 5.30 SU3 is available for Wi-Fi 6-capable LANCOM access points of the type LW-600 and LX-6400/6402. LANCOM Systems recommends updating to the firmware versions mentioned. The LCOS Firmware 10.12 SU16 and LCOS LX 5.30 SU3 can be downloaded free of charge from the LANCOM Website from May 12, 2021. In the LANCOM Management Cloud, all patches are available now or immediately after release. If you use the LANconfig auto-updater, the availability may take some time. For older products that no longer receive this security patch, we recommend migrating to new WLAN technologies in the medium term.


Voracle security vulnerability in SSL VPN implementation with active compression

When using SSL VPN with active compression it is possible to draw conclusions regarding the complexity of the used password via the Voracle security vulnerability when certain requirements are met.

The following operating systems are therefore not affected:

  • LCOS
  • LCOS LX
  • LCOS SX

LANCOM R&S®Unified Firewalls with LCOS FX support SSL VPN and are only affected when compression is active. The compression is also active by default. LANCOM Systems therefore generally recommends deactivating the compression for SSL VPN. The procedure is described in the following Knowledge Base article: Deactivating compression for SSL VPN connections on a LANCOM R&S®Unified Firewall

The default settings for the compression will be changed in one of the next LCOS FX versions.


Information on the "NAT Slipstreaming" vulnerability

The media have reported on the acute security vulnerability "NAT slipstreaming", in which devices behind a NAT are attacked by undermining the security architecture of "Application Layer Gateways" (ALG) in Internet routers. LANCOM Systems makes the following recommendations for this vulnerability:

Browser security:
The common web browser providers (e.g. Google, Firefox, Microsoft) have already implemented software patches that prevent outgoing communication via the ports used by the ALGs. LANCOM Systems therefore urgently recommends that you update your browser if you have not already done so.

Use of content filters:
LANCOM products offer a content filter functionality that can restrict access to malicious websites using the blacklist. This can make an attack more difficult.

Deactivation or restriction of unused ALGs:
LANCOM Systems recommends generally deactivating unused ALGs on routers with LCOS or restricting communication. Instructions can be found in this Knowledge Base article. LANCOM Systems is also planning to make adjustments to the standard settings of the ALGs from LCOS versions 10.42 RU3 and 10.34 SU4.

Using the FTP proxy or application management:
On Unified Firewalls with LCOS FX there is the option of using the FTP proxy or application management in addition to the port-based rules. Instructions can be found in this Knowledge Base article.

The following LANCOM products do not contain any ALGs, so there is no further need for action:

  • All access points (LCOS & LCOS LX)
  • All switches with LCOS SX


Report on security vulnerability in the "sudo" command on Linux operating systems (CVE-2021-3156)

The media are currently reporting a Linux security vulnerability in the "sudo" command (CVE-2021-3156), which enables users with restricted rights to extend existing rights in an uncontrolled manner and thus access unauthorized functions.

The following LCOS operating systems are not affected by the reported security vulnerability:

  • LCOS
  • LCOS LX
  • LCOS SX

A user with restricted rights is not provided in LCOS FX, so the security vulnerability has no security-relevant effects here. LANCOM Systems therefore does not rate this as critical for LCOS FX, but will nevertheless publish a corresponding patch in the upcoming firmware version 10.5.3. The LANCOM Management Cloud (LMC) has already been given a security patch. With all other virtual LANCOM products (e.g. LANCOM vRouter) and private LMC instances, the host systems are affected, not the LANCOM products themselves. We recommend that you secure the systems with appropriate patches.


CERT publication on vulnerabilities in the "Dnsmasq" server (CERT VU#434904)

The US-CERT published a report on several vulnerabilities in the "Dnsmasq" server, which can be used in Linux distributions as a combined DNS and DHCP server. The vulnerabilities found could enable an attacker to damage the memory on a target device and to carry out so-called cache poisoning attacks against the target environment. A detailed list and description of all vulnerabilities can be found on the US-CERT website (see CERT VU#434904). LANCOM devices are not affected by the reported weaknesses as the "Dnsmasq" server is not used.


Publication on "Amnesia:33" vulnerability in several open source TCP stacks - LANCOM devices not affected

The company FORESCOUT published a report about vulnerabilities in several open source TCP stacks, also known as "Amnesia:33" (CERT VU#815128).

The following four vulnerabilities impact different TCP stacks and allow the execution of malicious code and are therefore particularly critical.

  • CVE-2020-24336 (CVSS-Score 9.8/"Critical", RCE, uIP)
  • CVE-2020-24338 (CVSS-Score 9.8/"Critical", RCE, picoTCP)
  • CVE-2020-25111 (CVSS-Score 9.8/"Critical", RCE, Nut/Net)
  • CVE-2020-25112 (CVSS-Score 8.1/"High", RCE, uIP)

LANCOM devices do not use any of these TCP stacks and are therefore not affected.


Security update for LANCOM access switches of the GS-23xx series and GS-3xxx series

LANCOM Systems has released the following LCOS SX security updates for the fully managed access switches of the GS-23xx series and GS-3xxx series.

  • LCOS SX 3.32 SU6 for the switches of the GS-23xx series
  • LCOS SX 4.00 SU3 for the switches of the GS-3xxx series

The update fixes a behavior in which special user inputs via the web interface were not correctly validated. This provoked an abrupt restart of the device. The security updates are now available in the download area of the LANCOM website.


Other WLAN chips affected by security vulnerability "Kr00k" (CVE-2020-3702)

The manufacturer Qualcomm reports in a current security bulletin about WLAN chips that are affected by the "Kr00k" security vulnerability (see also CVE-2020-3702). After a detailed examination it was found that LANCOM products are still not affected by this security vulnerability.


Report on Linux vulnerability in OpenSSH 8.3p1

The media are currently reporting on a Linux vulnerability in OpenSSH 8.3p1 (CVE-2020-15778) that could potentially result in denial of service (DoS) attacks and remote execution of malicious code. The following LCOS operating systems in which OpenSSH 8.3p1 is not used are not affected by the reported vulnerability:

  • LCOS
  • LCOS LX
  • LCOS FX
  • LCOS SX up to version 4.x

OpenSSH 8.3p1 is used in LCOS SX version 5.00; after extensive testing, there is a small residual risk. LANCOM Systems is expected to release a patch as part of the next release by the end of August 2020.


CERT publication on the "Ripple20" vulnerability in the TCP stack (CERT VU#257161)

The US-CERT published a report about a vulnerability in a manufacturer-specific TCP stack, which is also known as "Ripple20" (CERT VU#257161). LANCOM devices and the LANCOM Wireless ePaper solution are not affected by this vulnerability because the affected TCP stack is not used. LANCOM R&S®Unified Firewalls offer the necessary protection against this vulnerability, because they can detect and block the Ripple20 attack packets. Further information can be found in the following article on our website.


CERT publications on vulnerabilities in the Bluetooth pairing mechanism (CERT VU#647177 & VU#534195)

The US-CERT published reports on vulnerabilities in the Bluetooth pairing mechanism (CERT VU#647177 and CERT VU#534195). LANCOM devices are not affected by these vulnerabilities.


Vulnerability LANCOM Public Spot login page - security update available

A German IT security company reported today on the vulnerability-lab.com website about a vulnerability in the LANCOM Public Spot. All LANCOM devices with an activated Public Spot function are affected. The vulnerability enables attackers to run JavaScript code via the login page of the LANCOM Public Spot. If appropriate code is used, information can be introduced which can be used to attack the system of a Public Spot user by means of a manipulated link.

The following security updates are available for all LCOS versions with the latest software lifecycle management:

  • LCOS 10.12 SU15
  • LCOS 10.20 SU10
  • LCOS 10.32 RU9

The security updates are now available in the download area of the LANCOM website. LANCOM recommends that operators of a public spot install the security updates immediately.


Vulnerability "Kr00k" (CVE-2019-15126): LANCOM products are not affected

The WiFi vulnerability "Kr00k" is currently being reported in the media. This is a problem with WiFi chips from Broadcom and Cypress, through which an attacker is able to decrypt WLAN data transmission encrypted by WPA2 (also see CVE-2019-15126). LANCOM products are not affected by this vulnerability because the WiFi chips from the manufacturers mentioned are not used.


New security update for LANCOM switches of the GS-23xx series: LCOS SX 3.32 SU3

LANCOM actively and continuously checks its products for potential vulnerabilities. Security updates are an important tool for realizing our security strategy. The security update LCOS SX 3.32 SU3 fixes a behaviour in which the random number generator used for generating SSH keys did not generate sufficiently different host keys. How to ensure that sufficient host keys are generated after the firmware update is described in the following Knowledge Base article. The security update is available now from the download area of the LANCOM website.


Security improvement when using IPv6

For continuous security improvement when using IPv6, LANCOM Systems has provided security updates for IPv6 routers. If you do not use IPv6 or you have no VPN connection between IPv6 networks, the update isn’t mandatory. LANCOM Systems generally recommends that you keep your devices up-to-date with the latest firmware.

LANCOM Systems has released the following LCOS security updates:

  • LCOS 10.32 SU3
  • LCOS 10.20 SU9
  • LCOS 10.12 SU14
  • LCOS 9.24 SU12
  • LCOS 9.00 SU8
  • LCOS 8.84 SU11

The security updates are available now from the download area of the LANCOM website.


Update to WPA3-Personal™ ("Dragonblood") / CERT VU#871675 vulnerability publication

In August 2019 the security researcher Mathy Vanhoef updated his paper "Dragonblood: A Security Analysis of WPA3's SAE Handshake". This update describes a further kind of side-channel attack that relies on the use of Brainpool curves. LANCOM products are not affected by this attack, as Brainpool curves are not implemented.


Linux vulnerabilities can crash systems

The media today reported several vulnerabilities that could cause Linux-based systems to crash (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). LANCOM Systems classifies the risk of these vulnerabilities with LANCOM products as low.

The following LANCOM products may be affected:

  • LANCOM Unified Firewalls
  • LANCOM LW-500

The LANCOM Management Cloud has already been updated with a patch. For the other products mentioned, LANCOM Systems will soon provide firmware updates with security patches (see following Knowledge base article).

Linux-based host systems hosting virtual products, e.g. LANCOM vRouter, may also be affected. Here we recommend updating as soon as possible with appropriate security patches.


CERT publication on vulnerabilities in Broadcom WLAN modules (CERT VU#166939)

On April 17, 2019 the US-CERT published a report on vulnerabilities in WLAN modules of the manufacturer Broadcom (CERT VU#166939). LANCOM wireless routers and access points are unaffected by these vulnerabilities because the devices do not use Broadcom WLAN modules.


CERT publication on the insecure storage of session cookies in VPN applications (CERT VU#192371)

The US-CERT reports in its April 11, 2019 publication (CERT VU#192371) about a vulnerability in VPN applications. The reason for this is the insecure or unencrypted storage of session cookies in the memory or log files on the endpoint of a VPN user. If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session. LANCOM products are not affected by this vulnerability because no session cookies are used.


Publication on vulnerabilities in WPA3-Personal™ ("Dragonblood") / CERT VU#871675

(Last update 15.04.2019)

On April 12, 2019, the US-CERT published a report on various vulnerabilities in the Wi-Fi security standard WPA3-Personal™ (CERT VU#871675). This report deals with a total of 6 vulnerabilities. The most critical vulnerability is the potential for side-channel attacks. This threat does not affect LANCOM, since potential attackers are unable to run unauthorized code on LANCOM devices. Consequently, no measures on the part of the users are necessary. The report also describes a vulnerability in the WPA2/WPA3 mixed mode. This is a vulnerability in the standard itself, and is not manufacturer-specific. The described behavior can ultimately only be resolved by further development of WPA3-Personal™. Until this is available, the vulnerability in the WPA2/WPA3 mixed mode can be neutralized by means of a workaround. We have described this in the following Knowledge Base article.

The other vulnerabilities that are described are not relevant for LANCOM users because the underlying optional features are not implemented in LANCOM devices.

The vulnerabilities were discovered by security researcher Mathy Vanhoef and described in his paper "Dragonblood: A Security Analysis of WPA3’s SAE Handshake".