General security information

09/05/18

Configuration of LANCOM devices with WEBconfig via unencrypted HTTP protocol

On October 5, 2018, the media reported on the vulnerability of network components and technologies with unencrypted HTTP web interfaces when used with web browsers that store login information (see betanews article).

The WEBconfig interface used to configure LANCOM devices should always be opened via the encrypted HTTPS protocol. When opening WEBconfig via HTTP, you will receive a corresponding warning message and a link to the HTTPS variant when logging on. We also recommend that you never save the login data in the web browser.

 

As of LCOS 10.20 you can configure automatic redirection of WEBconfig access to HTTPS. For information, see this Knowledge Base document.

08/15/18

Reports about the security loophole “Foreshadow”

(Last update 17.08.2018)

On August 14, 2018, the media reported a vulnerability named “Foreshadow”, which is particularly critical for cloud servers.

 

LANCOM devices are not affected by this vulnerability because foreign code cannot be run on LANCOM products.

 

Operators of virtual server environments such as VMware, which support the operation of the LANCOM vRouter, LMC private, LSM and LSR, among others, are strongly advised to install the relevant manufacturer updates as soon as possible. We provide an article with recommendations for action in our Knowledge Base.

Due to the importance of the security implications, LANCOM Systems updates its systems as soon as possible once manufacturer patches become available.

08/09/18

New reports of vulnerability in WPA2 encryption

On August 7, 2018, the first media reports appeared about a seemingly new vulnerability in the WPA2 encryption of Wi-Fi networks. However, the method described does not involve a new vulnerability; it is merely a simplified attack on an already known WPA2 vulnerability.

 

We therefore recommend that all customers who operate LANCOM devices with WPA2-PSK use passwords that are as complex as possible. LANCOM installations with WPA2-Enterprise are NOT affected by this attack.

 

Furthermore, we are currently preparing a new release that contains the new Wi-Fi security standard WPA3. This will be available later this summer with the release of LCOS 10.20.

05/25/18

VPNFilter: LANCOM devices are protected against malicious software

On May 3rd, 2018, the media published information reporting an infection of at least 500,000 routers and storage devices with malicious software in at least 54 countries.

 

According to our current comprehensive analysis, LANCOM devices are not affected, as LANCOM components use their own operating system (LCOS).

 

We recommend updating the software of Linux-based host systems for virtual machines that are used for the LANCOM vRouter and can be accessed directly from the Internet.

 

References (external links):

Reuters

Cisco-Talos

01/08/18

Spectre and Meltdown: LANCOM devices are not affected

(Last update 08.01.2018)

On January 4th, 2018, the media reported a serious security vulnerability in processors of various manufacturers, through which attackers can read out sensitive data.

 

LANCOM devices are not affected by this vulnerability because no foreign code can be executed on LANCOM products.

 

For operators of virtual server environments, e.g. VMware, on which LANCOM vRouters, LMC private, LSM and LSR can be operated, we recommend updating the environment with the relevant manufacturer updates.

Due to its high security relevance, LANCOM Systems brings the LANCOM Management Cloud (LMC) systems up to date as soon as a manufacturer patch is available. This process started on 05.01.2018, and all currently available patches have been applied.