The media today reported several vulnerabilities that could cause Linux-based systems to crash (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). LANCOM Systems classifies the risk these vulnerabilities pose to LANCOM products as low.
The following LANCOM products may be affected:
- LANCOM Unified Firewalls
- LANCOM LW-500
The LANCOM Management Cloud has already been updated with a patch.
For the other products mentioned, LANCOM Systems will soon provide firmware updates with security patches (see the following Knowledge Base article).
Linux-based host systems hosting virtual products, e.g. LANCOM vRouter, may also be affected. We recommend updating these host systems with the appropriate security patches as soon as possible.
On April 17, 2019 the US-CERT published a report on vulnerabilities in WLAN modules of the manufacturer Broadcom (CERT VU#166939).
LANCOM wireless routers and access points are unaffected by these vulnerabilities because the devices do not use Broadcom WLAN modules.
In its April 11, 2019 publication (CERT VU#192371), the US-CERT reports on a vulnerability in VPN applications. The cause is the insecure or unencrypted storage of session cookies in memory or in log files on the endpoint of a VPN user.
If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.
LANCOM products are not affected by this vulnerability because no session cookies are used.
(Last update 15.04.2019)
On April 12, 2019, the US-CERT published a report on various vulnerabilities in the Wi-Fi security standard WPA3-Personal™ (CERT VU#871675). This report deals with a total of 6 vulnerabilities.
The most critical vulnerability is the potential for side-channel attacks. This threat does not affect LANCOM, since potential attackers are unable to run unauthorized code on LANCOM devices. Consequently, no measures on the part of the users are necessary.
The report also describes a vulnerability in the WPA2/WPA3 mixed mode. This is a vulnerability in the standard itself, and is not manufacturer-specific. The described behavior can ultimately only be resolved by further development of WPA3-Personal™.
Until this is available, the vulnerability in the WPA2/WPA3 mixed mode can be neutralized by means of a workaround. We have described this in the following Knowledge Base article.
The other vulnerabilities that are described are not relevant for LANCOM users because the underlying optional features are not implemented in LANCOM devices.
The vulnerabilities were discovered by security researcher Mathy Vanhoef and described in his paper "Dragonblood: A Security Analysis of WPA3’s SAE Handshake".
On October 5, 2018, the media reported on the vulnerability of network components and technologies that are accessed over unencrypted HTTP web interfaces in conjunction with web browsers that store login information (see betanews article).
The WEBconfig interface with which LANCOM devices can be configured should always be opened via the encrypted HTTPS protocol. When opening WEBconfig via HTTP, you will receive a corresponding warning message and a link to the HTTPS variant when logging on. We also recommend that you never save the login data in the web browsers.
As of LCOS 10.20 you can configure automatic redirection of WEBconfig access to HTTPS. For information, see this Knowledge Base document.
(Last update 17.08.2018)
On August 14, 2018, the media reported a vulnerability named “Foreshadow”, which is particularly critical for cloud servers.
LANCOM devices are not affected by this vulnerability because foreign code cannot be run on LANCOM products.
Operators of virtual server environments such as VMware, which support the operation of the LANCOM vRouter, LMC private, LSM and LSR, among others, are strongly recommended to implement the relevant manufacturer updates as soon as possible. We provide an article with recommendations for action in our Knowledge Base.
Because of the importance of the security implications, LANCOM Systems updates its systems as soon as possible once manufacturer patches become available.
On August 7, 2018, the first media reports appeared about a seemingly new vulnerability in the WPA2 encryption of Wi-Fi networks. However, the method described does not involve a new vulnerability; it merely represents a simplified attack on an already known WPA2 vulnerability.
We therefore recommend that all customers who operate LANCOM devices with WPA2-PSK use passwords that are as complex as possible. LANCOM installations with WPA2-Enterprise are NOT affected by this attack.
Furthermore, we are currently preparing a new release that contains the new Wi-Fi security standard WPA3. This will be available later this summer with the release of LCOS 10.20.