NME Security Advisory

ID: NME-2021-001
Problem name: Lancom LCOS changing root password via CLI does not change root password for SNMPv3
Severity: Critical
Product: LANCOM LCOS
Vendor: LANCOM Systems GmbH
Affected platforms: LCOS 10.40 to 10.42.0473-RU3 [1] with SNMPv3 enabled
Vulnerability Type: Incorrect Access Control CWE-284
Impact: An attacker can get access to the system with the previous root password
Solution status: solution available
Workaround: disable SNMPv3 for root user, restrict access stations
Manufacturer Notification: 2021-03-12 with LCSUP-92623, 2021-06-01 Email
Solution Date: fixed
Public Disclosure: 2021-10-04
CVE Reference: CVE-2021-33903
Author of Advisory: Thomas Stimper, neue medien edv-systeme GmbH

==========================================================================

Overview:

LANCOM LCOS is used in nearly all LANCOM Routers, VPN Gateways and WLAN
AccessPoints.

Manufacturer information [2]
"LANCOM VPN routers and gateways ensure high bandwidths, secure
communication, and confidential data exchange in professional networks."

In the described situation an attacker can authenticate with the previous
root password via SNMPv3, access sensitive data and perform actions.

==========================================================================

Vulnerability Details:

Changing root password at CLI does not change root password for SNMPv3

==========================================================================

Reproducing the vulnerability:

Changing root password at CLI does not change root password for SNMPv3

After changing the root password on the device CLI, it is still possible to
access and change data and perform actions with the old root password using
SNMPv3.

- connect to CLI of the router via ssh
- passwd -n newpassword oldpassword
- connect to the router via SNMPv3 using LANmonitor or other SNMPv3 tools
  with the old root password
- access data or do actions using the old root password
- Access the router using LANconfig
- Change something like a comment
- Write changes to the router
- after writing something new to the router using LANconfig, SNMPv3 access
  using the old root password is no longer possible

So there is a difference between changing something in LANconfig and
changing something in the CLI, especially regarding the root password.

==========================================================================

Exclusion:

We did not test older LCOS versions and we did not test newer release
candidates.

==========================================================================

Assumption:

We expect to see this issue in all LCOS versions since SNMPv3 was included.
Lancom confirmed that this issue started with firmware v10.40

==========================================================================

Solution:

fixed with firmware v10.42.0611-ru4

==========================================================================

Workaround:

- disable SNMPv3 access for root until further investigation
- use separate SNMPv3 user, restrict SNMPv3 access to specific stations

==========================================================================

Disclosure Timeline:

2021-03-12: Vulnerability discovered
2021-03-12: Vulnerability reported to manufacturer LCSUP-92623
2021-06-01: Confirmed by manufacturer
2021-07-29: Fixed version released by manufacturer
2021-10-04: Advisory published by neue medien edv-systeme GmbH

==========================================================================

References:

[1] Release Notes
    https://www.lancom-systems.de/download/documentation/software/?id=1c1d2293155b86bb75ce1825646da403&file=/RN_LCOS-1042-RU3_EN.pdf
[2] Product Website for LANCOM Routers and VPN Gateways
    https://www.lancom-systems.de/produkte/router-vpn-gateways

==========================================================================

Revision notes:

2021-06-06: First draft
2021-09-28: Ready for publishing

==========================================================================

Credits:

This security vulnerability was found by Thomas Stimper,
neue medien edv-systeme GmbH
E-Mail: tstimper@nmedv.de

==========================================================================

Copyright:

Creative Commons - Attribution 4.0 International
URL: https://creativecommons.org/licenses/by/4.0/deed.en
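
Added example (not part of the original advisory and not LANCOM tooling): a post-rotation check an administrator can run after changing the root password at the CLI, confirming that SNMPv3 refuses the old password and accepts the new one. It assumes net-snmp's snmpget is installed and that the device uses SHA authentication and AES privacy with the login password as both passphrases; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a stale SNMPv3 credential after a password rotation.
# Assumptions: net-snmp snmpget; SHA/AES authPriv; login password used as both
# the auth and priv passphrase. Override via environment if your setup differs.
SNMPGET="${SNMPGET:-snmpget}"
AUTH_PROTO="${AUTH_PROTO:-SHA}"
PRIV_PROTO="${PRIV_PROTO:-AES}"

# Map an snmpget exit status plus its output to accepted/rejected/inconclusive.
classify_snmp_result() {
    rc="$1"; out="$2"
    if [ "$rc" -eq 0 ]; then
        echo accepted
        return
    fi
    case "$out" in
        # net-snmp's wording for a wrong key or an unknown USM user
        *"Authentication failure"*|*"Unknown user name"*) echo rejected ;;
        # timeout, unreachable host or protocol mismatch proves nothing
        *) echo inconclusive ;;
    esac
}

# Query sysDescr.0 with one password and print the classification.
probe_password() {
    host="$1"; user="$2"; pass="$3"
    rc=0
    out=$("$SNMPGET" -v3 -l authPriv -u "$user" -a "$AUTH_PROTO" -A "$pass" \
          -x "$PRIV_PROTO" -X "$pass" -t 3 -r 1 "$host" 1.3.6.1.2.1.1.1.0 2>&1) || rc=$?
    classify_snmp_result "$rc" "$out"
}

# The new password must be accepted and the old one refused.
check_rotation() {
    host="$1"; user="$2"; old="$3"; new="$4"
    new_state=$(probe_password "$host" "$user" "$new")
    old_state=$(probe_password "$host" "$user" "$old")
    if [ "$old_state" = accepted ]; then
        echo "STALE: old password still valid for SNMPv3"
    elif [ "$new_state" = accepted ] && [ "$old_state" = rejected ]; then
        echo "OK: rotation reached SNMPv3"
    else
        echo "INCONCLUSIVE: new=$new_state old=$old_state"
    fi
}
```

Call it as `check_rotation <router> root <oldpassword> <newpassword>` from a station that is permitted to use SNMPv3. An INCONCLUSIVE verdict means the probe never reached an authentication decision and says nothing about the old password.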