Security information on updates

Ensuring security on the internet and for devices connected to it is an ongoing task. We develop our products based on the latest security technology and work continuously on further improvements in line with current requirements.

Important: Please note that the security information on updates is currently only available in English.

See also our information on current security topics.

Note: Protecting the users of our products is a top priority. We therefore regularly publish information on fixing weaknesses, for example when solutions or updates are available.

Reporting security topics

Do you have suggestions about how we could improve the security of our products? Then write to us at security@avm.de. We will get back to you by email if we have further questions, otherwise please excuse us for not responding to you individually. To ensure secure communication of sensitive information, please encrypt your email to security@avm.de by using our PGP key.

Important: Please note that we can currently only respond to security-related inquiries in German and English.

If you require support on technical matters relating to your FRITZ! product, please contact our Support.

Security improvements

Fixed:

  • Possible XSS attack via manipulated device names in the Mesh view fixed.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • A possible open redirect attack that required a valid login has been fixed.
  • Restart of FRITZ!Box 6690 Cable when using the network measurement function (iperf) and at high capacity in certain configurations fixed. We would like to thank C. Kohlschütter for reporting this.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Possible DoS attack via the FTP service with multiple TLS negotiations fixed.
  • TLS implementation migrated to OpenSSL 3.0.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Necessary stability and security update.

    Note: The update is available for all FRITZ!Box models for which it is required, with a different version number if applicable. The installation is performed automatically. Users who have changed their update settings should follow the instructions for updating FRITZ!OS via online update.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Kernel hardening measures expanded.
  • Support for DHE and CBC cipher suites was removed for TLS connections to FRITZ!Box server services.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • DNS service cannot be started in certain operating modes. We would like to thank A. Traud for reporting this.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Weaknesses in dealing with incoming fragmented packets and aggregated MPDUs (A-MPDU) ('FragAttacks').

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • During the analysis of a prepared bootloader parameter, the execution of commands is prevented. We would like to thank P. Hämmerlein for reporting this.
  • The media server delivers only media files.
  • Hardening measures expanded.
  • TR-069 root certificate store updated.
  • Support removed for TLS 1.1 to FRITZ!Box server services. Now TLS 1.3 and the ChaCha20-Poly1305 cipher are supported.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • DNS rebinding protection extended to include special address forms. We would like to thank RedTeam Pentesting GmbH for reporting this.

    Note: For the FRITZ!Box 6590 Cable and FRITZ!Box 6490 Cable, this issue was already resolved in FRITZ!OS 7.20.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Despite using protected management frames (PMF), wireless clients could be logged out by manipulated Wi-Fi packets (CVE-2019-16275).
  • The challenge-response method for logging in with the FRITZ!Box user interface now uses the PBKDF2 method.
  • Support removed for TLS 1.0 to FRITZ!Box server services.
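The entry above only states that the login challenge-response now uses PBKDF2. The following is an added example, not AVM's code and not the FRITZ!OS scheme itself (whose exact parameters and message format are not given on this page); it shows the general pattern such a scheme follows: the server stores only a salted PBKDF2 hash, each login uses a fresh second salt, and the value sent over the network can neither be replayed nor reversed to the password. Iteration counts and salt lengths are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed parameters for the example; a product would choose its own.
HASH_NAME = "sha256"
ENROL_ITERATIONS = 10_000      # slow first stage: applied once per password, result stored
CHALLENGE_ITERATIONS = 1_000   # second stage: binds the stored value to a fresh per-login salt


def enrol(password: str) -> dict:
    """Server side, when the password is set: keep only salt + PBKDF2 hash, never the password."""
    salt1 = os.urandom(16)
    hash1 = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt1, ENROL_ITERATIONS)
    return {"salt1": salt1, "iterations": ENROL_ITERATIONS, "hash1": hash1}


def make_challenge(record: dict) -> dict:
    """Server side, at each login: enrolment parameters plus a fresh per-login salt.

    The client needs salt1/iterations to recompute hash1; salt2 makes every response unique.
    """
    return {"salt1": record["salt1"], "iterations": record["iterations"], "salt2": os.urandom(16)}


def client_response(password: str, challenge: dict) -> bytes:
    """Client side: derive hash1 from the password, then fold in the per-login salt.

    Only this second-stage value travels over the network. It cannot be reversed to hash1
    or the password, and it is useless for replay because salt2 differs next time.
    """
    hash1 = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                challenge["salt1"], challenge["iterations"])
    return hashlib.pbkdf2_hmac(HASH_NAME, hash1, challenge["salt2"], CHALLENGE_ITERATIONS)


def verify_response(record: dict, challenge: dict, response: bytes) -> bool:
    """Server side: recompute the expected value from the stored hash1; constant-time compare."""
    expected = hashlib.pbkdf2_hmac(HASH_NAME, record["hash1"], challenge["salt2"], CHALLENGE_ITERATIONS)
    return hmac.compare_digest(expected, response)


def login(record: dict, password_attempt: str) -> bool:
    """One complete exchange: challenge, client response, server verification."""
    challenge = make_challenge(record)
    return verify_response(record, challenge, client_response(password_attempt, challenge))


def replay_is_rejected(record: dict, password: str) -> bool:
    """A response captured during one login must not be accepted for a later one."""
    first = make_challenge(record)
    captured = client_response(password, first)
    second = make_challenge(record)
    return not verify_response(record, second, captured)


if __name__ == "__main__":
    record = enrol("correct horse battery staple")   # constructed sample password
    print("correct password accepted:", login(record, "correct horse battery staple"))
    print("wrong password rejected:", not login(record, "wrong password"))
    print("replay rejected:", replay_is_rejected(record, "correct horse battery staple"))
```

The first stage is the expensive one and is what protects a stolen password database; the second stage only has to be unique per login, which is why a small iteration count suffices there.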

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • After a Wi-Fi connection is cleared, any remaining packets from the sending buffer are no longer sent with weak encryption (CVE-2019-15126).

    Note: Only relevant for the FRITZ!Box 7582 and FRITZ!Box 7581 models.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Possible restart (CVE-2019-11477) or unnecessarily high consumption of system resources when receiving certain SACK messages (CVE-2019-11478 and CVE-2019-11479) prevented.
  • The email password for sending push service mails no longer appears in the process list if support information is created at the same time as push mail is sent. We would like to thank D. Lücking for reporting this.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Force state-of-the-art TLS procedures; support of TLS 1.0 for FRITZ!Box in the server role removed.
  • The Diffie-Hellman key exchange in the context of TLS now uses a 2048-bit DH parameter.
  • Hardening of the system by using Stack Smashing Protection (SSP), Position-Independent Executable (PIE/ASLR) and RELocation Read-Only (RELRO).

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • WPAD filter added. This filter blocks the automatic proxy detection of Microsoft Windows (WPAD, Web Proxy Auto-Discovery Protocol).

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Further security-relevant settings secured with additional confirmation.
  • Very long input values in password fields could cause a crash.
  • Update for libpng (various corrections, including for CVE-2015-8540 and CVE-2016-10087).
  • Update for zlib (various corrections, including for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843).
  • Host header validation for HTTP(s) requests as additional DNS rebind protection. We would like to thank B. Blechschmidt for the suggestion.
  • Wi-Fi network keys are no longer transmitted as GET parameters when being set. We would like to thank Dr K. Andrä for reporting this.
  • Possible RCE via a prepared USB stick while the device is in the factory-settings state fixed. We would like to thank T. Barabosch from the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) for reporting this.
  • Labels for password fields set correctly; as a result they're no longer suggested by the browser's auto-complete. We would like to thank C. Knupfer for reporting this.
  • Various fixes in Linux USB drivers, including for CVE-2017-17558, CVE-2017-16535, CVE-2017-16525, CVE-2017-16534, CVE-2017-16531. We would like to thank the Google syzkaller team.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Possible information leakage in PPPoE padding bytes fixed. We would like to thank the Deutsche Telekom Cyber Emergency Response Team (CERT) for reporting this; special thanks go to C. Kagerhuber and F. Krenn (DTC-A-20170323-001).
  • Unwanted changes to the BPJM list via NAS access prevented. We would like to thank P. Hämmerlein for reporting this.
  • Possibility of traffic amplification in VPN/IKEv1 service prevented.
  • File renaming in FRITZ!NAS allows code to be executed in the browser (XSS). We would like to thank T. Roth for reporting this.
  • Under certain conditions in external links, a valid SID for Web UI access was passed on to the next server. We would like to thank B. Blechschmidt for reporting this.
  • Enforce DNS rebind protection for the global IPv6 address of the FRITZ!Box as well. We would like to thank B. Blechschmidt for reporting this.
  • Setting up port forwarding via UPnP, PCP and TR-064 is only possible with the home network device that sets up the port forwarding.
  • Additional security-relevant settings have been added to the additional confirmation (loading of factory settings, changing of DNS server settings, downloading of extended support information).
  • VPN vulnerability fixed. We would like to thank M. Kraus for reporting this.
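Three entries on this page concern DNS rebinding protection: extending it to the router's global IPv6 address (above), validating the Host header of HTTP(S) requests as an additional layer, and covering "special address forms". The following is an added example, not AVM's code and not a description of how FRITZ!OS implements these checks; it shows the two complementary defences in a form a practitioner can run. The router names and addresses (`fritz.box`, `192.168.178.1`, the documentation address `2001:db8::1` standing in for a global IPv6 address) and the DNS answers are constructed for the example.

```python
import ipaddress
import re

# Constructed example values: the names and addresses under which the router's own
# user interface may be reached. 2001:db8::1 stands in for the router's global IPv6
# address (2001:db8::/32 is the documentation prefix).
ROUTER_HOSTNAMES = {"fritz.box", "myfritz.box"}
ROUTER_ADDRESSES = {
    ipaddress.ip_address("192.168.178.1"),
    ipaddress.ip_address("2001:db8::1"),
}

# Ranges a public DNS name must never resolve to, as seen from the home network.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def canonical_address(text: str):
    """Parse an address and undo the 'special forms' that hide an IPv4 target inside IPv6.

    ::ffff:192.168.178.1 (IPv4-mapped) and 2002:c0a8:b201:: (6to4) both carry an IPv4
    address; a filter that only looks at the outer IPv6 value would let them through.
    Returns None if the text is not an IP address at all.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            return addr.ipv4_mapped
        if addr.sixtofour is not None:
            return addr.sixtofour
    return addr


def is_rebind_target(answer: str) -> bool:
    """True if a DNS answer must be dropped: it points at the router or into the LAN."""
    addr = canonical_address(answer)
    if addr is None:
        return True  # an unparsable answer is not forwarded either
    if addr in ROUTER_ADDRESSES:
        return True
    # 'addr in net' is False (not an error) when the IP versions differ.
    return any(addr in net for net in BLOCKED_NETWORKS)


def filter_dns_answers(answers):
    """Return only the answers a rebinding-aware resolver would pass on to clients."""
    return [a for a in answers if not is_rebind_target(a)]


# Host header: a bare name, a dotted IPv4, or a bracketed IPv6, each with an optional port.
_HOST_RE = re.compile(r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<name>[A-Za-z0-9.-]+))(?::\d{1,5})?$")


def host_header_allowed(host_header: str) -> bool:
    """Second line of defence: reject requests whose Host header does not name this router.

    After a successful rebinding the browser still sends the attacker's hostname in
    Host, so a UI that only answers to its own names refuses the request regardless of
    which address the name resolved to.
    """
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return False
    if m.group("v6") is not None:
        addr = canonical_address(m.group("v6"))
        return addr is not None and addr in ROUTER_ADDRESSES
    name = m.group("name").rstrip(".").lower()
    if name in ROUTER_HOSTNAMES:
        return True
    addr = canonical_address(name)
    return addr is not None and addr in ROUTER_ADDRESSES


if __name__ == "__main__":
    # Constructed answers returned for one external name over successive lookups.
    answers = ["93.184.216.34", "192.168.178.1", "::ffff:192.168.178.20", "2002:c0a8:b201::"]
    print("kept:", filter_dns_answers(answers))
    for h in ("fritz.box:443", "[2001:db8::1]", "attacker.example"):
        print(h, "->", "allowed" if host_header_allowed(h) else "rejected")
```

The two checks catch different things: the resolver filter stops a name from ever resolving to the router or the LAN, and the Host check stops a request from being served even if some other resolver path was used. Both rely on canonicalising the address first, which is exactly the "special address forms" point.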

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Configuration of an IP phone requires that assigned usernames have at least 8 characters.
  • The option for IP phones to allow registration from the internet is disabled after the update. We recommend the encrypted connection of IP phones from other locations using VPN.
  • Only relevant for FRITZ!Box models with FRITZ!OS 6.80 and 6.81: In FRITZ!OS 6.80/81, it was possible to cause a memory overflow with a specifically prepared data packet and the concurrence of multiple conditions. This has been fixed with FRITZ!OS 6.83.
  • The execution of commands via specifically prepared parameters in the TR-064 context is now prevented. TR-064 commands can only be executed if the device password is known. We would like to thank P. Hämmerlein for reporting this.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Failed connections for FTP, SMB and SIP extensions are displayed in the event log.
  • The password for registering an IP phone on the FRITZ!Box must have at least eight characters. IP phones with a shorter password will be disabled with this update.
  • The FTPS port is chosen randomly to improve security.
  • Access via FTPS additionally supports ECDHE ciphers.
  • The time of the last FRITZ!OS update is displayed in the user interface.
  • A login to the FRITZ!Box user interface is valid for 20 minutes.
  • Increased security of the FRITZ!Box's own certificate through signing with SHA-256.
  • Restart of the FRITZ!Box caused by specifically prepared data packets is prevented. We would like to thank S. Deseke for reporting this.
  • Temporary impairment of access to the user interface via certain access paths, caused by prepared queries, is prevented. We would like to thank P. Hämmerlein for reporting this.
  • During manual loading of a prepared tar file, the execution of commands is prevented. Loading a tar file requires local and physical access to the FRITZ!Box. We would like to thank P. Hämmerlein for reporting this.
  • Security improvements during login on the FTP server prevent trying out different passwords via the session ID. We would like to thank P. Hämmerlein for reporting this.
  • The verification of a header when loading firmware updates was improved. We would like to thank P. Hämmerlein for reporting this.
  • If a prepared parameter is being used in the context of push mail, the execution of commands is prevented. Changes to the push mail settings require the FRITZ!Box password. We would like to thank P. Hämmerlein for reporting this.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • In the configuration of MyFRITZ!, the password defined for the MyFRITZ!Net service must be different from the one for access to the FRITZ!Box.
  • Enforce secure TLS; support for SSLv3 also removed for all FRITZ!Box client roles (for instance, for TR-069 or WebDAV online storage).
  • Prevent possibility of DNS poisoning via DHCP host name. We would like to thank A. Vogt for reporting this.

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • Obsolete RC4 encryption method no longer supported for TLS connections (e.g. https, ftps).
  • Obsolete SSLv3 protocol no longer supported for TLS connections (e.g. https, ftps).
  • During an attempt to manually install a prepared firmware file, the execution of commands is prevented. Installing a firmware file is only possible after previously logging in to the FRITZ!Box interface. We would like to thank RedTeam GmbH for reporting this.
  • Possible command injection attack from the LAN or via CSRF fixed. Only relevant for models FRITZ!Box 7490, 7412, 736x (SL), 7330 (SL), 7320, 7312, 7272, 3490, 3390, 3370 and 3272. We would like to thank RedTeam GmbH for reporting this.
  • Possible HTML injection attack when using the 'push mail' function fixed. We would like to thank D. Schliebner for reporting this.
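Several entries on this page describe the same TLS hardening path for the FRITZ!Box server role: SSLv3 and RC4 dropped (above), then TLS 1.0 and TLS 1.1, then DHE and CBC cipher suites, with TLS 1.3 and ChaCha20-Poly1305 added. The following is an added example, not AVM's code and not FRITZ!OS's actual configuration; it shows what that end state looks like as a policy in Python's `ssl` module, next to a legacy-style context, and an audit function that lists every suite a context would offer that violates the policy. The cipher-string aliases and the description format are OpenSSL's; the policy sets are the example's own.

```python
import re
import ssl

# Cipher properties accepted by the hardened policy, taken from OpenSSL's cipher
# description string, e.g. "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD".
ALLOWED_KX = {"ECDH", "any"}                     # ECDHE, or "any" as shown for TLS 1.3 suites
ALLOWED_ENC = {"AESGCM", "CHACHA20/POLY1305"}    # AEAD only: rules out CBC ("AES") and RC4
_DESC_RE = re.compile(r"Kx=(?P<kx>\S+).*?Enc=(?P<enc>[^(\s]+)")


def weak_server_context() -> ssl.SSLContext:
    """Legacy-style policy: the oldest protocol the library still builds, default suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """Policy matching the fixes on this page: TLS 1.2+ only, ECDHE key exchange, AEAD ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv3, TLS 1.0 and TLS 1.1
    # ECDHE with AES-GCM or ChaCha20-Poly1305; DHE, RC4 and anonymous suites excluded explicitly.
    # TLS 1.3 suites are governed separately by OpenSSL and are AEAD-only by construction.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!DHE:!RC4:!aNULL:!eNULL")
    return ctx


def minimum_protocol_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def audit_offered_ciphers(ctx: ssl.SSLContext) -> list:
    """Return the names of suites the context would offer that violate the policy.

    Suites whose description cannot be parsed are reported as offenders as well, so an
    unexpected library change fails closed rather than silently passing.
    """
    offenders = []
    for cipher in ctx.get_ciphers():
        m = _DESC_RE.search(cipher["description"])
        if m is None or m.group("kx") not in ALLOWED_KX or m.group("enc") not in ALLOWED_ENC:
            offenders.append(cipher["name"])
    return offenders


if __name__ == "__main__":
    for label, ctx in (("weak", weak_server_context()), ("hardened", hardened_server_context())):
        print(f"{label}: minimum {minimum_protocol_name(ctx)}, "
              f"{len(ctx.get_ciphers())} suites offered, offenders: {audit_offered_ciphers(ctx)}")
```

Running the audit against the hardened context returns an empty list; against the default context it lists the DHE and CBC suites the library still ships. The same audit can be pointed at any context an application builds, which is a cheap regression check that a later change does not quietly reintroduce a suite the policy removed.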

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • During manual loading of a prepared backup file for settings, the execution of commands is prevented. Uploading a backup file for settings requires the device password.

    Note: Fixed with FRITZ!OS 6.23 (FRITZ!Box 7490, FRITZ!Box 7390), FRITZ!OS 6.20 (further models).

Instructions: Updating FRITZ!OS via online update.


Fixed:

  • During the manual upload of a prepared firmware file, the signature check can no longer be avoided. Uploading of a firmware file requires the device password. Only relevant for FRITZ!Box 6810 LTE with FRITZ!OS 5.22 or higher, FRITZ!Box 6840 LTE with FRITZ!OS 5.23 or higher, and other models with FRITZ!OS 5.50 or higher.

    Note: Fixed with FRITZ!OS 6.05 (FRITZ!Box 7270, FRITZ!Box 7270 V3, FRITZ!Box 7240), FRITZ!OS 6.20 (further models).

Instructions: Updating FRITZ!OS via online update.