Security information about updates

Security on the Internet, and for the devices connected to it, is a continuous job. That is why we not only develop our products according to the latest security standards but also keep developing our security measures to match current demands. Please also consider our current security notifications.

Reporting security topics

Do you have suggestions about how to improve the security of our products? Then please contact us at security@avm.de. We will get back to you by email should we have follow-up questions. Otherwise, please understand that you will not receive an individual reply. For secure transmission of sensitive data, we advise you to encrypt emails to security@avm.de using AVM's PGP key.

Should you require assistance concerning technical questions, our Support Desk will be glad to assist you.

Note: The protection of the users of our products is a top priority. AVM therefore regularly publishes information on fixing weaknesses, for example once solutions or updates are available.

Security information about updates

Release date Update and security topic

05.09.2017

Security improvements FRITZ!OS 6.90

Description

These points will be published later.

03.03.2017

Security improvements FRITZ!OS 6.83

First off, we would like to thank P. Hämmerlein and one other user [1] for submitting their messages.

Description

  • Setting up IP phones requires at least 8 characters for the username.
  • Connecting IP phones over the Internet is deactivated after installing the update. We recommend using a VPN to connect IP phones from external locations.
  • Under certain circumstances, a specially crafted data packet could have caused a buffer overflow in products running FRITZ!OS 6.80. This was solved with FRITZ!OS 6.83 [1].
  • The execution of commands through specially crafted parameters in the TR-064 context is now disabled. Performing TR-064 commands required knowledge of the device's password. Thanks to P. Hämmerlein for reporting this.

Solved with

FRITZ!OS 6.83


Note

[1] Only models with FRITZ!OS 6.80 were affected


Solution

Please install the latest version of FRITZ!OS on your FRITZ!Box.

15.12.2016

Security improvements FRITZ!OS 6.80

Description

  • Failed connection attempts for FTP, SMB and SIP extensions are displayed in the event log.
  • The password for registering an IP telephone with the FRITZ!Box must have at least eight characters. IP telephones with a shorter password are disabled by this update.
  • The FTPS port is chosen randomly to improve security.
  • Access via FTPS supports ECDHE ciphers.
  • The time of the last FRITZ!OS update is displayed in the user interface.
  • A login to the FRITZ!Box user interface is valid for 20 minutes.
  • The FRITZ!Box's own certificate is now signed with SHA-256, increasing its security.
  • A restart of the FRITZ!Box triggered by specially crafted data packets is prevented. We would like to thank S. Deseke for the notification.
  • A temporary impairment of access to the user interface through certain access paths by means of crafted requests is prevented. We would like to thank P. Hämmerlein for the notification.
  • Command execution through uploading a crafted tar file is prevented. Loading a tar file requires local, physical access to the FRITZ!Box. We would like to thank P. Hämmerlein for the notification.
  • Security improvements to the FTP server login prevent trying different passwords by way of the session ID. We would like to thank P. Hämmerlein for the notification.
  • Header verification when loading firmware updates was improved. We would like to thank P. Hämmerlein for the notification.
  • Command execution through a crafted parameter in the push mail context is prevented. Changes to the push mail settings require the FRITZ!Box password. We would like to thank P. Hämmerlein for the notification.
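
The FTP login item above describes a lockout that could be sidestepped by way of the session ID. The following is an added example, not AVM's code and not based on FRITZ!OS internals: it assumes the weakness was a failed-attempt counter kept in per-session state, which resets whenever a client opens a new session, and contrasts that with a counter keyed by account and client address. The class names, limits, addresses and the simulated login flow are all constructed for this illustration.

```python
"""Login throttling keyed by account and client address instead of by session.

Added example. Assumption (not stated on the page): a lockout counter that
lives in per-session state starts at zero for every new session ID, so a
client that opens a fresh session per guess is never locked out. The
hardened design counts failures per (username, client address), which a new
session ID does not reset. All names and limits below are constructed.
"""
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Tuple

MAX_FAILURES = 5        # failed attempts allowed before lockout (constructed)
LOCKOUT_SECONDS = 300   # how long the account/address pair stays locked (constructed)


@dataclass
class SessionKeyedThrottle:
    """Weak design: the failure counter is stored in the session record."""
    sessions: Dict[str, int] = field(default_factory=dict)

    def new_session(self) -> str:
        sid = secrets.token_hex(8)   # a fresh ID starts with a zero counter
        self.sessions[sid] = 0
        return sid

    def allowed(self, sid: str) -> bool:
        return self.sessions.get(sid, 0) < MAX_FAILURES

    def record_failure(self, sid: str) -> None:
        self.sessions[sid] = self.sessions.get(sid, 0) + 1


@dataclass
class AccountKeyedThrottle:
    """Hardened design: failures are counted per (username, client address)."""
    failures: Dict[Tuple[str, str], int] = field(default_factory=lambda: defaultdict(int))
    locked_until: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def allowed(self, user: str, addr: str, now: float) -> bool:
        key = (user, addr)
        until = self.locked_until.get(key)
        if until is None:
            return True
        if now < until:
            return False
        # Lockout expired: clear the stale counter so the next window starts fresh.
        del self.locked_until[key]
        self.failures.pop(key, None)
        return True

    def record_failure(self, user: str, addr: str, now: float) -> None:
        key = (user, addr)
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, user: str, addr: str) -> None:
        self.failures.pop((user, addr), None)
        self.locked_until.pop((user, addr), None)


def attempts_accepted_with_session_rotation(n_guesses: int) -> Tuple[int, int]:
    """Simulate n_guesses wrong passwords from one client that opens a new
    session for every try. Returns (weak_accepted, hardened_accepted): how
    many guesses each design lets reach the password check."""
    weak = SessionKeyedThrottle()
    hard = AccountKeyedThrottle()
    user, addr, now = "ftpuser", "192.0.2.10", 1_000.0   # constructed values
    weak_ok = hard_ok = 0
    for _ in range(n_guesses):
        sid = weak.new_session()
        if weak.allowed(sid):
            weak_ok += 1
            weak.record_failure(sid)        # every guess in this simulation is wrong
        if hard.allowed(user, addr, now):
            hard_ok += 1
            hard.record_failure(user, addr, now)
    return weak_ok, hard_ok


if __name__ == "__main__":
    print(attempts_accepted_with_session_rotation(20))   # (20, 5)
```

Keying on the pair rather than on the address alone avoids locking out every user behind one NAT gateway, and keying on the pair rather than on the username alone makes it harder for a remote party to lock a legitimate user out on purpose; the failed attempts should additionally land in the event log, as the FRITZ!OS 6.80 notes describe, so that the pattern is visible to the administrator.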

Solved with

FRITZ!OS 6.80


Solution

Please install the latest version of FRITZ!OS on your FRITZ!Box.

01.06.2016

Security improvements FRITZ!OS 6.50

Description

  • In the MyFRITZ! configuration, the password defined for the myfritz.net service must be different from the one for access to the FRITZ!Box.
  • Secure TLS is enforced; support for SSLv3 has also been removed for all FRITZ!Box client roles (for instance, TR-069 or WebDAV online storage).
  • The possibility of DNS poisoning via the DHCP host name is prevented. Many thanks to A. Vogt for the message.


Solved with

FRITZ!OS 6.50

Solution

Please install the latest version of FRITZ!OS on your FRITZ!Box.

27.08.2015

Security improvements FRITZ!OS 6.30

Description

  • The obsolete RC4 cipher for TLS connections (e.g. HTTPS, FTPS) is no longer supported.
  • The obsolete SSLv3 protocol for TLS connections (e.g. HTTPS, FTPS) is no longer supported.
  • Command execution through manually uploading a crafted firmware file is prevented. Uploading a firmware file requires the device's password. Many thanks to RedTeam GmbH for notifying us.
  • A possible command injection from the LAN or via CSRF has been fixed. This affects the products listed in [1]. Many thanks to RedTeam GmbH for notifying us.
  • A possible HTML injection when using the "Push Mail" feature has been fixed. Many thanks to D. Schliebner for notifying us.

[1] FRITZ!Box 3272/7272, 3370/3390/3490, 7312/7412, 7320/7330 (SL), 736x (SL) and 7490

Solved with

FRITZ!OS 6.30

Solution

Please install the latest version of FRITZ!OS on your FRITZ!Box.

21.01.2015

Security improvements FRITZ!OS 6.20

Description

  • Command execution through uploading a crafted settings backup file is prevented. Uploading a settings backup file requires the device's password.
  • The signature check can no longer be bypassed when uploading a crafted firmware file. Uploading a firmware file requires the device's password. Models running FRITZ!OS 5.50 or later are affected.

Solved with

FRITZ!OS 6.20

Solution

Please install the latest version of FRITZ!OS on your FRITZ!Box.