News from 2018-09-27
Meinberg Security Advisory [MBGSA-1802] NTP Critical rated and OpenSSL for LANTIME 6.24.015
CVE-IDs:
- NTP: CVE-2018-12327 (CVSSv3 Score: 9.8), CVE-2018-7170 (CVSSv3 Score: 6.5)
- OpenSSL: CVE-2018-0732 (CVSSv3 Score: 7.5)
Updated versions:
- NTP: ntp-4.2.8p12
- OpenSSL: 1.0.2o
Description of the problems
The security vulnerabilities are described in detail on the manufacturers' webpages and in the NIST NVD database. Links to the descriptions can be found in the section "Further information" below.
Systems affected
All LANTIME firmware versions prior to V6.24.015 and all NTP for Windows versions prior to ntp-4.2.8p12 are affected by these vulnerabilities. The LANTIME firmware is used by all devices of the Meinberg LANTIME M-series (M100, M200, M300, M400, M600, M900), all devices of the IMS-series (M500, M1000, M1000S, M3000, M3000S, M4000) and by the SyncFire product family (SF1000 / SF1100).
Whether and to what degree LANTIME systems are vulnerable depends on the configuration, the network infrastructure and other factors. For this reason, no general statement can be made about the vulnerability of the systems in use.
Possible defense strategies
The security patches for ntpq, ntpdc and OpenSSL are included in the LANTIME firmware version 6.24.015 and in the NTP package for Windows ntp-4.2.8p12.
All updates are now available to Meinberg customers. It is strongly recommended to update LANTIME versions V5 and V6 to 6.24.015. Please contact the Meinberg support service if you need support in this matter or if you have any questions.
Further information
Further details and information can be found on the following webpages:
- ntp:
- OpenSSL:
If you have any other questions or need assistance, please don't hesitate to contact your Meinberg support service.