The media are currently reporting a Linux security vulnerability in the "sudo" command (CVE-2021-3156), which enables users with restricted rights to extend existing rights in an uncontrolled manner and thus access unauthorized functions.
The following LCOS operating systems are not affected by the reported security vulnerability:
• LCOS LX
• LCOS SX
LCOS FX does not provide a user with restricted rights, so the security vulnerability has no security-relevant effects here. LANCOM Systems therefore does not rate this as critical for LCOS FX, but will nevertheless publish a corresponding patch in the upcoming firmware version 10.5.3.
The LANCOM Management Cloud (LMC) has already been given a security patch. With all other virtual LANCOM products (e.g. LANCOM vRouter) and private LMC instances, the host systems are affected, not the LANCOM products themselves. We recommend that you secure the systems with appropriate patches.
The US-CERT published a report on several vulnerabilities in the "Dnsmasq" server, which can be used in Linux distributions as a combined DNS and DHCP server.
The vulnerabilities found could enable an attacker to damage the memory on a target device and to carry out so-called cache poisoning attacks against the target environment.
A detailed list and description of all vulnerabilities can be found on the US-CERT website (see CERT VU#434904).
LANCOM devices are not affected by the reported weaknesses as the "Dnsmasq" server is not used.
The company FORESCOUT published a report about vulnerabilities in several open source TCP stacks. This is also known as "Amnesia:33".
The following four vulnerabilities affect different TCP stacks and are particularly critical because they allow the execution of malicious code.
• CVE-2020-24336 (CVSS-Score 9.8/"Critical", RCE, uIP)
• CVE-2020-24338 (CVSS-Score 9.8/"Critical", RCE, picoTCP)
• CVE-2020-25111 (CVSS-Score 9.8/"Critical", RCE, Nut/Net)
• CVE-2020-25112 (CVSS-Score 8.1/"High", RCE, uIP)
LANCOM devices do not use any of these TCP stacks and are therefore not affected.
LANCOM Systems has released the following LCOS SX security updates for the fully managed access switches of the GS-23xx series and GS-3xxx series.
- LCOS SX 3.32 SU6 for the switches of the GS-23xx series
- LCOS SX 4.00 SU3 for the switches of the GS-3xxx series
The update fixes a behavior in which special user inputs via the web interface were not correctly validated. This provoked an abrupt restart of the device.
The security updates are now available in the download area of the LANCOM website.
The manufacturer Qualcomm reports in a current security bulletin about WLAN chips that are affected by the "Kr00k" security vulnerability (see also CVE-2020-3702).
After a detailed examination it was found that LANCOM products are still not affected by this security vulnerability.
The media is currently reporting on a Linux vulnerability in OpenSSH 8.3p1 (CVE-2020-15778) that could potentially result in denial-of-service (DoS) attacks and remote execution of malicious code.
The following LCOS operating systems in which OpenSSH 8.3p1 is not used are not affected by the reported vulnerability:
• LCOS LX
• LCOS FX
• LCOS SX up to version 4.x
OpenSSH 8.3p1 is used in LCOS SX version 5.00; after extensive testing, a small residual risk remains. LANCOM Systems is expected to release a patch as part of the next release by the end of August 2020.
The US-CERT published a report about a vulnerability in a manufacturer-specific TCP stack, which is also known as "Ripple20" (CERT VU#257161).
LANCOM devices and the LANCOM Wireless ePaper solution are not affected by this vulnerability because the affected TCP stack is not used.
LANCOM R&S®Unified Firewalls offer the necessary protection against this vulnerability, because they can detect and block the Ripple20 attack packets. Further information can be found in the following article on our website.
The US-CERT published reports on vulnerabilities in the Bluetooth pairing mechanism (CERT VU#647177 and CERT VU#534195).
LANCOM devices are not affected by these vulnerabilities.
A German IT security company reported today on the vulnerability-lab.com website about a vulnerability in the LANCOM Public Spot. All LANCOM devices with an activated Public Spot function are affected.
The following security updates are available for all LCOS versions with the latest software lifecycle management:
• LCOS 10.12 SU15
• LCOS 10.20 SU10
• LCOS 10.32 RU9
The security updates are now available in the download area of the LANCOM website. LANCOM recommends that operators of a Public Spot install the security updates immediately.
The WiFi vulnerability "Kr00k" is currently being reported in the media. This is a problem with WiFi chips from Broadcom and Cypress, through which an attacker is able to decrypt WLAN data transmission encrypted by WPA2 (also see CVE-2019-15126).
LANCOM products are not affected by this vulnerability because the WiFi chips from the manufacturers mentioned are not used.
LANCOM actively and continuously checks its products for potential vulnerabilities. Security updates are an important tool for realizing our security strategy.
The security update LCOS SX 3.32 SU3 fixes a behaviour in which the random number generator used for generating SSH keys did not produce sufficiently different host keys.
The following Knowledge Base article describes how to ensure that sufficiently different host keys are generated after the firmware update. The security update is available now from the download area of the LANCOM website.
For continuous security improvement when using IPv6, LANCOM Systems has provided security updates for IPv6 routers.
If you do not use IPv6 or you have no VPN connection between IPv6 networks, the update isn’t mandatory. LANCOM Systems generally recommends that you keep your devices up-to-date with the latest firmware.
LANCOM Systems has released the following LCOS security updates:
• LCOS 10.32 SU3
• LCOS 10.20 SU9
• LCOS 10.12 SU14
• LCOS 9.24 SU12
• LCOS 9.00 SU8
• LCOS 8.84 SU11
The security updates are available now from the download area of the LANCOM website.
The media today reported several vulnerabilities that could cause Linux-based systems to crash (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). LANCOM Systems classifies the risk of these vulnerabilities with LANCOM products as low.
The following LANCOM products may be affected:
- LANCOM Unified Firewalls
- LANCOM LW-500
The LANCOM Management Cloud has already been updated with a patch.
For the other products mentioned, LANCOM Systems will soon provide firmware updates with security patches (see the following Knowledge Base article).
Linux-based host systems hosting virtual products, e.g. LANCOM vRouter, may also be affected. Here we recommend updating as soon as possible with appropriate security patches.
On April 17, 2019 the US-CERT published a report on vulnerabilities in WLAN modules of the manufacturer Broadcom (CERT VU#166939).
LANCOM wireless routers and access points are unaffected by these vulnerabilities because the devices do not use Broadcom WLAN modules.
The US-CERT reports in its April 11, 2019 publication (CERT VU#192371) about a vulnerability in VPN applications. The reason for this is the insecure or unencrypted storage of session cookies in the memory or log files on the endpoint of a VPN user.
If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.
LANCOM products are not affected by this vulnerability because no session cookies are used.
(Last update 15.04.2019)
On April 12, 2019, the US-CERT published a report on various vulnerabilities in the Wi-Fi security standard WPA3-Personal™ (CERT VU#871675). This report deals with a total of 6 vulnerabilities.
The most critical vulnerability is the potential for side-channel attacks. This threat does not affect LANCOM, since potential attackers are unable to run unauthorized code on LANCOM devices. Consequently, no measures on the part of the users are necessary.
The report also describes a vulnerability in the WPA2/WPA3 mixed mode. This is a vulnerability in the standard itself, and is not manufacturer-specific. The described behavior can ultimately only be resolved by further development of WPA3-Personal™.
Until this is available, the vulnerability in the WPA2/WPA3 mixed mode can be neutralized by means of a workaround. We have described this in the following Knowledge Base article.
The other vulnerabilities that are described are not relevant for LANCOM users because the underlying optional features are not implemented in LANCOM devices.
The vulnerabilities were discovered by security researcher Mathy Vanhoef and described in his paper "Dragonblood: A Security Analysis of WPA3’s SAE Handshake".
On October 5, 2018, the media reported about the vulnerability of network components and technologies over unencrypted HTTP Web interfaces in conjunction with web browsers that store login information (see betanews article).
The WEBconfig interface with which LANCOM devices can be configured should always be opened via the encrypted HTTPS protocol. When opening WEBconfig via HTTP, you will receive a corresponding warning message and a link to the HTTPS variant when logging on. We also recommend that you never save the login data in the web browsers.
As of LCOS 10.20 you can configure automatic redirection of WEBconfig access to HTTPS. For information, see this Knowledge Base document.