News from 2016-04-29


Meinberg Security Advisory: [MBGSA-1602] NTP and OpenSSL


The Public NTP Services Project (www.ntp.org) announced that the current versions of the reference implementation of NTP contain a number of security-related bugs that affect all NTP 4.x versions before ntp-4.2.8p7, which was released this week. The new LANTIME firmware release 6.18.016 includes NTP 4.2.8p7.

The OpenSSL project announced that a security vulnerability exists in OpenSSL 1.0.2f and older versions. LANTIME Firmware Version 6.18.016 therefore also includes OpenSSL 1.0.2g to address these vulnerabilities.


CVE-IDs:

NTP: see Network Time Foundation Announcement for ntp-4.2.8p7

OPENSSL: see OpenSSL Security Announcement

1. Description of the Problem

The version of the reference implementation of NTP installed on LANTIME firmware appliances contains several bugs that can cause security vulnerabilities.

The Network Time Foundation today announced the availability of the latest stable NTP version 4.2.8p7 which fixes multiple vulnerabilities. As a member of the NTP Consortium of the Network Time Foundation, Meinberg received access to this release before the general public and included it in the latest stable LANTIME firmware version 6.18.016, available from today for both LANTIME and SyncFire products.

2. Affected Systems

All LANTIME Firmware Versions before V6.18.016 are theoretically affected by these vulnerabilities.

3. Possible Defense Strategies

Meinberg Products

The fixes for the NTP vulnerabilities are included in 6.18.016, which is available as of today.

Meinberg LANTIME Firmware Updates

For V5 versions and all V6 versions, we strongly recommend updating to 6.18.016 as soon as possible. Please contact your Meinberg support for assistance or in case of questions.

Other NTP Installations

Please contact your OS vendor to find out how to protect your systems and how to update to ntp-4.2.8p7, if possible. If you are using our NTP Installer for Windows, you should download the latest version of the installer and upgrade your installations to 4.2.8p7 using the "Update Binaries Only" feature of the installer.
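To find which other NTP installations still run a release older than ntp-4.2.8p7, the version strings collected from each host can be compared numerically, since a plain string comparison sorts "4.2.8p10" before "4.2.8p7". The following is an added example, not part of the original advisory or Meinberg's tooling; the host names and sample version strings are constructed, and treating 4.3.x and non-4.x strings as "unknown" is an assumption, because the advisory only names the 4.2.8p7 threshold.

```python
import re

# Fixed release named in the advisory: ntp-4.2.8p7.
FIXED = (4, 2, 8, 7)

# Matches "4.2.8p6", "4.2.8" and the longer "ntpd 4.2.8p6@1.3265-o ..." form.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?![\d.])")


def parse_ntp_version(text):
    """Return (major, minor, point, patch) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, point = (int(g) for g in m.group(1, 2, 3))
    # A release without a "pN" suffix sorts before its first patch level.
    patch = int(m.group(4)) if m.group(4) else 0
    return (major, minor, point, patch)


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one reported version string."""
    v = parse_ntp_version(text)
    if v is None or v[0] != 4:
        return "unknown"   # not an NTP 4.x version string
    if v[:2] > (4, 2):
        return "unknown"   # assumption: the advisory gives no threshold for 4.3.x
    return "affected" if v < FIXED else "fixed"


def audit(inventory):
    """Map each host in {host: version_string} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory, e.g. gathered from each host's ntpd version output.
SAMPLE_INVENTORY = {
    "ts-a.example": "ntpd 4.2.6p5@1.2349-o Mon Jan  5 10:00:00 UTC 2015 (1)",
    "ts-b.example": "ntpd 4.2.8p6@1.3265-o Tue Jan 26 10:00:00 UTC 2016 (1)",
    "ts-c.example": "ntpd 4.2.8p7@1.3265-o Wed Apr 27 10:00:00 UTC 2016 (1)",
    "ts-d.example": "4.2.8p10",
    "ts-e.example": "version string unavailable",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```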

4. Additional Information Sources

More about this topic can be found on the following websites:

April 2016 Security Notice of the NTP Public Services Project
NTF Release Announcement
OpenSSL Security Advisory March 1st
OpenSSL 1.0.2g Release Announcement

Please do not hesitate to reach out to your Meinberg support contact if you need further assistance or have additional questions.

