Meinberg Security Advisory: [MBGSA-1603] OpenSSL

The OpenSSL project published a security advisory on May 3rd, 2016 describing multiple vulnerabilities affecting OpenSSL 1.0.2g and older versions. LANTIME Firmware Version 6.18.017 therefore updates the OpenSSL version to 1.0.2h, the current stable version as recommended by the OpenSSL project.

CVE-IDs:

OPENSSL: see OpenSSL Security Announcement

1. Description of the Problem

The version of the openssl libraries and binaries installed on LANTIME firmware appliances contains several security vulnerabilities as described in the official OpenSSL Security advisory.

Meinberg therefore recommends to update your LANTIME devices as soon as possible by installing LTOS 6.18.017 (a download link can be requested below).

2. Affected Systems

All LANTIME Firmware Versions before V6.18.017 are theoretically affected by these vulnerabilities.

3. Possible Defense Strategies

Meinberg Products

The fixes for the OpenSSL vulnerabilites are included in 6.18.017 which is available as of today.

Meinberg LANTIME Firmware Updates

For V5 versions and all V6 versions we strongly recommend to update to 6.18.017 as soon as possible. Please contact your Meinberg support for assistance or in case of questions.

Other OpenSSL Installations

Please contact your OS vendor to find out how to protect your systems and how to update to OpenSSL 1.0.2h, if possible.

4. Additional Information Sources

More about this topic can be found on the following websites:

ARS Technical News Article covering the OpenSSL vulnerabilities
OpenSSL Security Advisory May 3rd
Infoworld News Article about the security vulnerabilities found

Please do not hesitate to reach out to your Meinberg support contact if you need further assistance or have additional questions.