News from 2014-10-02


Meinberg Security Advisory: [MBGSA-1404] LANTIME Web Interface Cross Site Scripting Vulnerability


The National Cybersecurity and Communications Integration Center (NCCIC) received a report from a Meinberg customer that the web user interface of Meinberg LANTIME network timeserver products is vulnerable to so-called cross-site scripting (XSS) attacks.

CVE-ID:

CVE-2014-5417

1. Description of the Problem

The web interface of Meinberg LANTIME products up to LTOS version 6.15.019 is not properly protected against cross-site scripting (XSS) attacks. In order to exploit this vulnerability, an attacker has to create an individual link on a compromised web page that contains the IP address or hostname of a LANTIME system. In order to have an impact, this link then needs to be opened by an administrator who has an open and fully authenticated session to that specific IP address or hostname in the same web browser (e.g. in a separate tab). Without knowing the exact IP address or hostname of a system, an attacker cannot exploit this vulnerability.

2. Affected Systems

All LANTIME Firmware Versions before V6.15.019 are affected by this vulnerability.

3. Potential Defense Strategies

Firmware Update for V5.x and V6.x Systems

An update to the latest available firmware version is recommended in order to resolve this vulnerability.

Please request a firmware update using the corresponding Meinberg web form:
Firmware Updates for LANTIME Products including SyncFire

You need the serial number of your Meinberg LANTIME system in order to be able to request a compatible update.

The following updates are available:
V6.14.x - 6.16.x Update to V6.16.002

For V5.x LANTIME M-series models (M100, M200, M300, M400, M600, M900) Meinberg recommends an update to V6.16.002 - depending on the hardware configuration of your LANTIME it might be required to upgrade the internal flash memory to be compatible with V6 firmware versions. Please contact your Meinberg Technical Support Team for further assistance.

Recommended Security Measures for other LANTIME models

If your LANTIME device is not compatible with V6.16.002, you can ensure that your device cannot be attacked by carefully following these security procedures:
  • Only use the web user interface of your LANTIME devices when you are not accessing other potentially insecure websites at the same time.
  • After using the web interface of a LANTIME device, make sure you properly log out and close the web browser application completely afterwards.

4. Additional Information Sources

More information about this security issue can be found on the following website(s):

https://ics-cert.us-cert.gov/advisories/ICSA-14-275-01
(ICS-CERT Advisory)
