Meinberg Security Advisory: [MBGSA-1601] NTP and OpenSSH

The Public NTP Services Project (www.ntp.org) announced that the current versions of the reference implementation of NTP contain a number of security related bugs that affect all NTP 4.x versions before ntp-4.2.8p5 which has been released this week. The new LANTIME firmware release 6.18.013 includes NTP 4.2.8p5.

The OpenSSH project announced that a security vulnerability exists in OpenSSH-7.1p1 and older versions. The Open SSH security vulnerability also known as "Triple Seven" does not concern the SSHd implementation of MEINBERG LANTIME systems, since the affected part of the program is not included.

CVE-IDs:

[NTP]: CVE-2015-5300 CVE-2015-7704 [NOT YET PUBLIC]
[OPENSSH] CVE-2016-0777 [NOT YET PUBLIC] CVE-2016-0778 [NOT YET PUBLIC]
(at the time this MBGSA is published, some of the above listed CVEs might not yet available from NVD)

Update: The OpenSSH versions used in all LANTIME firmware revisions have been built in a way that removed the code which has been found vulnerable. This means it is not required to alter the LANTIME configuration to be protected against the latest OpenSSH vulnerabilities.

1. Description of the Problem

The version of the reference implementation of NTP installed on LANTIME firmware appliances contains several bugs that can cause security vulnerabilities.

The Network Time Foundation today announced the availability of the latest stable NTP version 4.2.8p5 which fixes one vulnerability detected rececently and improves the fix in 4.2.8p4 for another vulnerability . As a member of the NTP Consortium of the Network Time Foundation, Meinberg received access to this release before the general public and included it in the latest stable LANTIME firmware version 6.18.013, available from today for both LANTIME and SyncFire products.

Details about the reported vulnerabilities can be found in the official NTP 4.2.8p5 Announcement.

2. Affected Systems

All LANTIME Firmware Versions before V6.18.013 are affected by these vulnerabilities.

3. Possible Defense Strategies

Meinberg Products

The fixes for the NTP vulnerabilites are included in 6.18.013 which is available as of today.

Meinberg LANTIME Firmware Updates

For V5 versions and all V6 versions we strongly recommend to update to 6.18.013 as soon as possible. Please contact your Meinberg support for assistance or in case of questions.

Other NTP Installations

Please contact your OS vendor to find out how to protect your systems and how to update to ntp-4.2.8p5, if possible. If you are using our NTP Installer for Windows, you should download the latest version of the installer and upgrade your installations to 4.2.8p5 using the "Update Binaries Only" feature of the installer.

4. Additional Information Sources

More about this topic can be found on the following websites:

January 2016 Security Notice of the NTP Public Services Project
OpenBSD Journal Post concerning OpenSSH Triple-Seven Bug
RedHat Article about OpenSSH Triple-Seven

Please do not hesitate to reach out to your Meinberg support contact if you need further assistance or have additional questions.