News from 2022-05-23
Meinberg Security Advisory: [MBGSA-2022.02] Meinberg LANTIME Firmware V7.04.017 and V6.24.032
Meinberg recommends updating to LANTIME Firmware Version 7.04.017.
Estimation of Severity up to and Including:
- LANTIME Firmware V7.04.016: Severity Level high (0), medium (1), low (0)
- LANTIME Firmware V7.04.015: Severity Level high (0), medium (2), low (0)
- LANTIME Firmware V6.24.031: Severity Level high (0), medium (1), low (0)
- LANTIME Firmware V6.24.030: Severity Level high (0), medium (2), low (0)
Updated Versions:
- LANTIME Firmware: V7.04.017
- LANTIME Firmware: V6.24.032
Description of the Vulnerabilities
Third-party software:
- OpenSSL-1.1.1:
  - CVE-2022-1292 - the c_rehash Script allows command injection (medium)
    Description: OpenSSL-1.1.1o security advisory
    Fixed in: V7.04.017 MBGID-10919 and V6.24.032 MBGID-9396
- zlib:
  - CVE-2018-25032 - Memory corruption when deflating (medium)
    zlib 1.2.12 Changelog: https://zlib.net/ChangeLog.txt
    Fixed in: V7.04.016 MBGID-10397 and V6.24.031 MBGID-9395
Systems Affected
All LANTIME Firmware Versions before V7.04.017 or V6.24.032 respectively are affected by the corresponding vulnerabilities. The LANTIME Firmware is used by all devices of the LANTIME M Series (M100, M200, M300, M400, M600, M900) as well as all devices of the LANTIME IMS Series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000 / SF1100 / SF1200).
Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.
Possible Security Measures
The relevant Security Updates are included in the LANTIME Firmware Versions V7.04.017 and V6.24.032. Updating to these versions eliminates the listed vulnerabilities.
Download the latest LANTIME Firmware at:
All updates are now available for Meinberg customers. An update of the LANTIME Firmware to Version 7.04.017 is recommended. Clients who cannot install Version 7.04.017 can use Version 6.24.032 instead.
Further Information
Further details and information are available from the following websites:
If you have any questions or need assistance, please do not hesitate to contact Meinberg's Technical Support team.
Acknowledgments
We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.
Thank you!