News from 2014-06-10


Meinberg Security Advisory: [MBGSA-1402] Multiple OpenSSL Vulnerabilities


The OpenSSL vulnerabilities recently published by the OpenSSL project as well as the so-called Heartbleed bug in the SSL libraries have been fixed for LANTIME firmware versions V5 and V6. The latest firmware releases contain the patched OpenSSL library version 0.9.8za and can be requested by customers using the Meinberg LANTIME firmware request web page.

CVE-IDs:

CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2010-5298

1. Description of the Problem

The OpenSSL library is used by several components of Meinberg's LANTIME firmware, including the NTP, HTTPS and SSH services. The vulnerabilities published by the OpenSSL project on their web page in the security advisory of June 5th, 2014 include at least one vulnerability (CVE-2014-0224) that theoretically allows an attacker to decrypt traffic data if the attacker has access to the network traffic.

2. Affected Systems

All LANTIME Firmware versions are affected by this vulnerability.

3. Potential Defense Strategies

Meinberg recommends updating to the latest firmware version that includes the updated OpenSSL libraries.

Please request a download link for a firmware update by using our firmware request web page:
Firmware Updates for LANTIME Products including SyncFire Models

You need to provide the serial number of your LANTIME device in order to request a firmware update download link.

4. Additional Information Sources

More details about this vulnerability can be found on the following web sites:

OpenSSL Security Advisory 20140605: http://www.openssl.org/news/secadv_20140605.txt

US-CERT Announcement

