News from 2022-10-19
Meinberg Security Advisory: [MBGSA-2022.04] Meinberg-LANTIME-Firmware V7.06.007 and V6.24.034
Estimation of Severity up to and including
- LANTIME Firmware V7.06.006: severity level critical (1), high (1), medium (0), low (0)
- LANTIME Firmware V6.24.033: severity level critical (1), high (1), medium (0), low (0)
Updated Versions:
- LANTIME Firmware V7.06.007
- LANTIME Firmware V6.24.034
Description of the Vulnerabilities
- Third-party software:
  - rsync:
    CVE-2022-29154 - Insufficient validation of file names (high)
    https://download.samba.org/pub/rsync/NEWS#3.2.5l
    Fixed in: V7.06.007 MBGID-11943 and V6.24.034 MBGID-9432
  - zlib:
    CVE-2022-37434 - Heap-based buffer over-read or buffer overflow (critical)
    https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
    Fixed in: V7.06.007 MBGID-11929 and V6.24.034 MBGID-9431
Systems Affected
All LANTIME firmware versions before V7.06.007 or V6.24.034 respectively are affected by the corresponding vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M200, M300, M400, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000 / SF1100 / SF1200).
Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.
Possible Security Measures
The relevant security updates are included in the LANTIME firmware versions V7.06.007(-light) and V6.24.034. Updating to these versions eliminates the listed vulnerabilities.
Download the latest LANTIME firmware at:
All updates are now available for Meinberg customers. Updating the LANTIME firmware to version 7.06.007 or 7.06.007-light is recommended. Clients who cannot install version 7.06.007 should install V7.06.007-light instead.
Further Information
For more details and information, please refer to our LANTIME firmware changelogs:
If you have any questions or need assistance, please do not hesitate to contact Meinberg’s technical support team.
Acknowledgments
We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.
Thank you!