PT-2021-20358 · Lancom · Lcos

Thomas Stimper · Published 2021-10-07 · Updated 2021-10-15 · CVE-2021-33903

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: LANCOM devices running LCOS versions 10.40 through 10.42.0473-RU3
Description: The issue arises when the root user's password is changed via the CLI on LANCOM devices running LCOS versions 10.40 to 10.42.0473-RU3 with SNMPv3 enabled. The change is not applied to SNMPv3 access, so the SNMPv3 password is left unchanged. Changing the root user's password via LANconfig, by contrast, does update the SNMPv3 password.
Recommendations: For LCOS versions 10.40 through 10.42.0473-RU3, consider changing the root user's password via LANconfig instead of the CLI to ensure the SNMPv3 password is updated correctly. As a temporary workaround, restrict SNMPv3 access until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2021-33903

Affected Products

Lcos