Security information about updates

Security on the Internet and for devices connected to it is a continuous job. That is why we not only develop our products according to the latest security standards, but also keep developing our security measures to meet current demands. Please also see our current security notifications.

Reporting security topics

Do you have suggestions about how to improve the security of our products? Then please contact us at security@avm.de. We will get back to you via email should we have follow-up questions. Otherwise, please understand that you will not receive an individual reply. For safe transmission of sensitive data, we advise you to encrypt emails to security@avm.de using the PGP Key by AVM.

Should you require assistance concerning technical questions, our Support Desk will be glad to assist you.

Note: The protection of the users of our products is a top priority. AVM therefore regularly publishes information on fixing weaknesses, for example once solutions or updates are available.

Security information about updates

Release date Update and security topic

01.06.2016

Security improvements FRITZ!OS 6.50

Description

  • In the configuration of MyFRITZ!, the password defined for the myfritz.net service must be different from the one for access to the FRITZ!
  • Secure TLS is enforced; support for SSLv3 has also been removed for all FRITZ!Box client roles (for instance, for TR-069 or WebDAV online storage).
  • The possibility of DNS poisoning via the DHCP host name is prevented. Many thanks to A. Vogt for the report.

Solved with

FRITZ!OS 6.50

Solution

Please install the latest version of FRITZ!OS on your FRITZ!Box.

27.08.2015

Security improvements FRITZ!OS 6.30

Description

  • Obsolete RC4 cipher for TLS connections (e.g. https, ftps) is no longer supported.
  • Obsolete SSLv3 protocol for TLS connections (e.g. https, ftps) is no longer supported.
  • When a prepared firmware file is uploaded manually, the execution of commands is prevented. Uploading a firmware file requires the device's password. Many thanks to RedTeam GmbH for notifying us.
  • Possible command injection from the LAN or by CSRF fixed. Affects the products listed in [1]. Many thanks to RedTeam GmbH for notifying us.
  • Possible HTML injection when using the "Push Mail" feature fixed. Many thanks to D. Schliebner for notifying us.

[1] FRITZ!Box 3272/7272, 3370/3390/3490, 7312/7412, 7320/7330 (SL), 736x (SL) and 7490

Solved with

FRITZ!OS 6.30

Solution

Please install the latest version of FRITZ!OS on your FRITZ!Box.

21.01.2015

Security improvements FRITZ!OS 6.20

Description

  • When a prepared backup file for settings is uploaded, the execution of commands is prevented. Uploading a backup file for settings requires the device's password.
  • When a prepared firmware file is uploaded, the signature check can no longer be bypassed. Uploading a firmware file requires the device's password. Models starting with FRITZ!OS 5.50 are affected.

Solved with

FRITZ!OS 6.20

Solution

Please install the latest version of FRITZ!OS on your FRITZ!Box.