IT Security Label of LANCOM 1784VA
LANCOM Systems
A security update is available for this product.
Known since: 10/09/2024
Information on the fixed vulnerability:
On 05.09.2024, the company SSD Secure Disclosure published information regarding a security vulnerability in LCOS, through which an attacker could trigger a “Heap Overflow” in the web interface. This leads to an unexpected reboot of the device (DoS attack).
Communication between LCOS devices and the LMC is not affected by this behavior, as the LCOS devices initiate the communication.
LANCOM Systems has already fixed the security vulnerability and will make the error-corrected versions available to download by 13.09.2024 at the latest. LANCOM Systems strongly recommends updating the firmware on your devices.
Current Firmware versions:
LCOS 10.80 SU8
LCOS 10.72 SU10
LCOS 10.50 SU15
Information on the impact and rectification:
LANCOM Systems recommends prohibiting access to the router from the WAN or limiting access to VPN connections (Option 1), or at least restricting access to specific networks and/or IP addresses (Option 2).
Until the error-corrected firmware has been uploaded to the router, the web server services should be deactivated for the WAN interface (Option 3). Additionally, the feature IPSec-over-HTTPS should be deactivated. Please note that in doing so, VPN connections can only be established via IPSec and some Advanced VPN Client connections may no longer work.
Download link of the manufacturer:
Label
Security label for LANCOM 1784VA
Label ID: IT-SIK-02009, Duration: 17.05.2022 - 16.05.2026
For products bearing the IT Security Label, the manufacturer has undertaken to implement the security requirements of the BSI. Compliance with the requirements is monitored by the BSI on both an ad hoc and random basis. Nevertheless, vulnerabilities can occur in all IT products over time. Keep your digital products up to date by either carrying out security updates immediately or having them carried out automatically.
Manufacturer declaration LANCOM Systems for Broadband Router
With the manufacturer's declaration, the manufacturer has assured the Federal Office for Information Security of the following points:
The manufacturer has assured that the product complies with the Technical Guideline Broadband Routers and this has been tested.
The manufacturer has assured that the product that is the subject of this application has been tested according to the requirements of the Technical Guideline for Broadband Routers BSI TR-03148 and that it fulfills all mandatory requirements of the aforementioned Technical Guideline at the time of application and maintains them for the duration of the term. The manufacturer further assured that the recommended requirements of the aforementioned Technical Guideline are also fulfilled at the time of application and maintained for the duration of the term, unless a contrary declaration of justified deviations was submitted with this application.
The manufacturer undertakes to inform the BSI immediately of any known security vulnerabilities.
For the duration of the term, the manufacturer has committed to inform the Federal Office for Information Security, unsolicited, if the properties of the service declared by the manufacturer change, as soon as such changes become known to it, including (temporary) disruptions to the information security of the product and security vulnerabilities.
The manufacturer commits to fix any vulnerabilities known to it without delay and to inform the BSI accordingly.
For the duration of the release, the manufacturer has further assured that it will immediately eliminate any security vulnerabilities that become known to it with regard to the product and notify the Federal Office for Information Security of the status of the measures taken for this purpose.
IT Security Properties
Security properties of Broadband Routers
Transparency
The manufacturer assures that it provides transparent information regarding the security of the device.
Access authorization
The manufacturer ensures mechanisms (e.g. password, PIN or electronic key) which guarantee that only authorized persons can access the device.
Update
The manufacturer declares that it provides security updates for the device immediately when specific security vulnerabilities are known.
Encryption
The manufacturer assures that the device's communications, interactions, and some locally stored data (e.g. login credentials) are secured with encryption procedures in accordance with the Technical Guideline.
Data cleanup and data hygiene
The manufacturer states that the device includes mechanisms to erase data effectively so that it cannot be recovered easily, e.g. a reset button.
Product
Information for LANCOM 1784VA
Manufacturer
- Manufacturer
  Lancom Systems GmbH
  A Rohde & Schwarz Company
- Address
  Adenauerstrasse 20 / B2
  52146 Würselen
  GERMANY
- Web
  https://www.lancom-systems.de