|
Security improvements FRITZ!OS 7.57
Description: - Necessary stability and security update.
Fix:
FRITZ!OS 7.57
Please note: The update is available for all models for which it is required, possibly under a different version number.
Solution:
Installation is automatic on all devices. Users with changed update settings follow the service link. |
|
Security improvements FRITZ!OS 7.50
Description: - Expanded kernel hardening measures.
- Support for DHE and CBC cipher suites was removed for TLS connections to FRITZ!Box server services.
- Additional points will be published later.
Fix:
FRITZ!OS 7.50
Solution:
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 7.29
Description: - Do not start the DNS service in certain operating modes. We would like to thank A. Traud for reporting this.
Fix:
FRITZ!OS 7.29
Solution:
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 7.27
Description: - Vulnerabilities in the processing of incoming fragmented frames and aggregated MPDUs (A-MPDU) fixed ("Fragatttacks").
Fix:
FRITZ!OS 7.27
Solution:
Please install the current FRITZ!OS version on your FRITZ!Box. |
|
Security improvements FRITZ!OS 7.25
Description: - During the evaluation of a specifically prepared bootloader parameter, a command execution is prevented. We would like to thank P. Hämmerlein for reporting this.
- The media server now only delivers media files.
- Expanded hardening measures.
- Updated TR-069 root certificate store.
- Support removed for TLS 1.1 to FRITZ!Box server services. Newly supported are TLS 1.3 and the ChaCha20-Poly1305 cipher.
Fix:
FRITZ!OS 7.25
Solution:
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 7.21
Description: - DNS rebinding protection extended to include special address forms. We would like to thank RedTeam Pentesting GmbH for reporting this.
Fix:
FRITZ!OS 7.21
Please note: For the FRITZ!Box 6490 and FRITZ!Box 6590, this issue has already been resolved in FRITZ!OS 7.20.
Solution:
Please install the current FRITZ!OS version on your FRITZ!Box. |
|
Security improvements FRITZ!OS 7.20
Description: - Despite using protected management frames (PMF), wireless clients could be logged out by manipulated Wi-Fi packets (CVE-2019-16275).
- The challenge-response method for logging in to the FRITZ!Box user interface now uses the PBKDF2 method.
- Support removed for TLS 1.0 to FRITZ!Box server services.
Fix:
FRITZ!OS 7.20
Solution:
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 7.13
Please note: Only relevant for FRITZ!Box 7582 and FRITZ!Box 7581
Description: - After a Wi-Fi connection is disconnected, any packets still in the transmit buffer are no longer sent with weak encryption (CVE-2019-15126)
Fix:
FRITZ!OS 7.13
Solution:
Please install the current FRITZ!OS version on your FRITZ!Box. |
|
Security improvements FRITZ!OS 7.12
Description: - Possible restart (CVE-2019-11477) or unnecessarily high consumption of system resources when receiving certain SACK messages (CVE-2019-11478 and CVE-2019-11479) prevented.
- The email password for sending push service mails no longer appears in the process list if support data is created at the same time as push service mail is sent. We would like to thank D. Lücking for reporting this.
Fix;
FRITZ!OS 7.12
Solution:
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 7.10
Description: - Modern TLS procedures force support of TLS 1.0 for FRITZ!Box removed in the server role.
- The Diffie-Hellman key exchange in the context of TLS now uses a 2048 bit DH parameter.
- Hardening of the system by using Stack Smashing Protection (SSP), Position-Independent Executable (PIE/ASLR) and RELocation Read-Only (RELRO).
Fix:
FRITZ!OS 7.10
Solution:
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
12.09.2018 |
Security improvements FRITZ!OS 7.01
Description - WPAD filter added. This filter blocks the automatic proxy detection in Microsoft Windows (WPAD, Web Proxy Auto-Discovery Protocol).
Fix
FRITZ!OS 7.01
Solution
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 7.00
Description - Further security-relevant settings secured with additional confirmation.
- Very long input values in password fields could cause a crash.
- Update for libpng (various corrections, including for CVE-2015-8540 and CVE-2016-10087).
- Update for zlib (various corrections, including CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843).
- Host header validation for HTTP(s) requests as additional DNS rebind protection. We would like to thank B. Blechschmidt for the suggestion.
- Wi-Fi network keys are no longer transmitted as GET parameters when being set. We would like to thank Dr K. Andrä for reporting this.
- Possible RCE in factory settings state fixed using a prepared USB stick. We would like to thank T. Barabosch from the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE).
- Labels for password fields set correctly; as a result they're no longer suggested by the browser's auto-complete. We would like to thank C. Knupfer for reporting this.
- Various fixes in Linux USB drivers, including for CVE-2017-17558, CVE-2017-16535, CVE-2017-16525, CVE-2017-16534, CVE-2017-16531. Thank you to the Google syzkaller team.
Resolved with
FRITZ!OS 7.00
Solution
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 6.90
Description - Possible information leakage in PPPoE padding bytes fixed. We would like to thank the Deutsche Telekom CERT for reporting this; special thanks go to C. Kagerhuber and F. Krenn (DTC-A-20170323-001).
- Unwanted changes to the BPJM list via NAS access prevented. We would like to thank P. Hämmerlein for reporting this.
- Possibility of traffic amplification in VPN/IKEv1 service prevented.
- File renaming in FRITZ!NAS allows code to be executed in the browser (XSS). We would like to thank T. Roth for reporting this.
- Under certain conditions in external links, a valid SID for Web UI access was passed on to the next server. We would like to thank B. Blechschmidt for reporting this.
- Enforcing DNS rebind protection for the global IPv6 address of the FRITZ!Box. We would like to thank B. Blechschmidt for reporting this.
- Setting up port forwarding via UPnP, PCP and TR-064 is only possible with the home network device that sets up the port forwarding.
- The additional confirmation has been extended to include other safety-relevant settings:
- Restoring factory settings
- Changing the DNS server settings
- Downloading the extended support data
- VPN vulnerability fixed. We would like to thank M. Kraus for reporting this.
Fixed with
FRITZ!OS 6.90
Solution
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 6.83
First off, we would like to thank P. Hämmerlein and one other user [1] for submitting their messages.
Description- Setting up IP phones requires at least 8 characters for the username.
- Connecting IP phones over the Internet is deactivated after installing the update. We recommend to use VPN to connect IP phones from external locations.
- Under certain circumstances and with a specifically prepared data package it could have been possible to cause a buffer overflow in products using FRITZ!OS 6.80. This was solved with FRITZ!OS 6.83 [1].
- The execution of commands through specifically prepared parameters in the TR-064 context is now disabled. To perform TR-064 commands required knowledge of the device's password. Thanks to P. Hämmerlein for reporting this.
Resolved with
FRITZ!OS 6.83
Note
[1] Only models with FRITZ!OS 6.80 were affected
Solution
Please install the latest version of FRITZ!OS on your FRITZ!Box.
|
|
Security improvements FRITZ!OS 6.80
Description - Failed connections for FTP, SMB and SIP extensions are displayed in the event log.
- Password for registering an IP telephone with the FRITZ!Box must have at least eight characters. IP telephones with a shorter password will be disabled with this update.
- The FTPS port is chosen randomly to improve security.
- Access via FTPS supports ECDHE ciphers.
- The time of the last FRITZ!OS update is displayed in the user interface.
- Registration with the FRITZ!Box user interface is valid for 20 min.
- Increased security of FRITZ!Box's own certificate through signature with SHA 256.
- Restart of the FRITZ!Box is prevented by specifically prepared data packages. We would like to thank S. Deseke for the notification.
- Temporary impairment of access to the user interface via certain access paths prevented by prepared queries. We would like to thank P. Hämmerlein for the notification.
- If you're uploading a prepared tar file, the execution of commands is prevented. Loading a tar file requires local and physical access to the FRITZ!Box. We would like to thank P. Hämmerlein for the notification.
- Security improvements during login on the FTP server prevent a trial of different passwords through the session ID. We would like to thank P. Hämmerlein for the notification.
- The verification of a header was improved by loading firmware updates. We would like to thank P. Hämmerlein for the notification.
- If you are using a prepared parameter in the context of push mail, the execution of commands is prevented. Changes to the push mail settings require the FRITZ!Box password. We would like to thank P. Hämmerlein for the notification.
Resolved with
FRITZ!OS 6.80
Solution
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 6.50
Description- In the configuration of MyFRITZ!, the password defined for the myfritz.net service must be different from the one for access to the FRITZ!
- Enforce secure TLS, support for SSLv3 also removed for all FRITZ!Box client roles (for instance, for TR-069 or WebDAV online storage)
- Prevent possibility of DNS poisoning via DHCP host name. Many thanks to A. Vogt for the message.
Resolved with
FRITZ!OS 6.50
Solution
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 6.30
Description- Obsolete RC4 cipher for TLS connections (e.g. https, ftps) is no longer supported.
- Obsolete SSLv3 protocol for TLS connections (e.g. https, ftps) is no longer supported.
- When attempting to upload a prepared firmware file manually, the execution of commands will be prevented. The uploading of a firmware file requires the device's password. Many thanks to RedTeam GmbH for notifying us.
- Possible Command Injection from the LAN or by CSRF fixed. Affects products listed in [1]. Many thanks to RedTeam GmbH for notifying us.
- Possible HTML Injection, when using the "Push Mail" feature, fixed. Many thanks to D. Schliebner for notifying us.
[1] FRITZ!Box 3272/7272, 3370/3390/3490, 7312/7412, 7320/7330 (SL), 736x (SL) and 7490
Resolved with
FRITZ!OS 6.30
Solution
Please install the latest version of FRITZ!OS on your FRITZ!Box. |
|
Security improvements FRITZ!OS 6.20
Description- If you're uploading a prepared backup file for settings, the execution of commands is prevented. The uploading of a backup file for settings requires the device's password.
- If you're uploading a prepared firmware file the signature check can no longer be avoided. The uploading of a firmware file requires the device's password. Models starting with FRITZ!OS 5.50 are affected.
Resolved with
FRITZ!OS 6.20
Solution
Please install the latest version of FRITZ!OS on your FRITZ!Box. |