Meinberg Security Advisory [MBGSA-1803]: OpenSSH and OpenSSL for LANTIME OS

Several security vulnerabilities were detected in OpenSSH 7.4p1 as well as in OpenSSL 1.0.2p and removed. Therefore, the LANTIME firmware version 6.24.016 or later contains the latest OpenSSH and OpenSSL versions, in order to remove the security problems.

CVE-IDs:

• OpenSSH:
  CVE-2018-15473 (CVSSv3 Score: 5.3)
  CVE-2017-15906 (CVSSv3 Score: 5.3)
• OpenSSL:
  CVE-2018-5407 (CVSSv3 Score: Awaiting Analysis)
  CVE-2018-0734 (CVSSv3 Score: Awaiting Analysis)
• Updated versions:
  OpenSSL: 1.0.2q
  OpenSSH: 7.9p1

1 Description of the problems

The security vulnerabilities are described in detail on the manufacturer's webpages and in the NIST National Vulnerability Database (NVD). The links to the descriptions are to be found in the paragraph 4 Further information. The vulnerabilities in OpenSSL are currently awaiting analysis by the NIST. The OpenSSL developer assesses the vulnerabilities with a low severity.

2 Systems affected

All the LANTIME firmware versions prior to 6.24.016 are affected by these mentioned vulnerabilities. The LANTIME firmware is used by all the devices of Meinberg LANTIME M-series (M100, M200, M300, M400, M600, M900), all the devices of the IMS-series (M500, M1000, M1000S, M3000, M3000S, M4000) and by the Sync-fire product family (SF1000 / SF1100). It depends on the configuration, network infrastructure and other factors if and to which degree the LANTIME systems are vulnerable. That's why, no general statement about the vulnerability of the systems in use, is to be made.

3 Possible defense strategies

The security patches for OpenSSH and OpenSSL are included in the LANTIME firmware version >= 6.24.016.

As of now, all the updates are available for the Meinberg customers. It is recommended to update the LANTIME versions prior to 6.24.16. Please, contact the Meinberg support service, if you need support for this matter or if you have any questions.

4 Further information

Further details and information can be found on the following webpages:

• OpenSSH:
  
  • https://nvd.nist.gov/vuln/detail/CVE-2018-15473
  • https://nvd.nist.gov/vuln/detail/CVE-2017-15906
  • https://www.openssh.com/releasenotes.html
• OpenSSL:
  
  • https://nvd.nist.gov/vuln/detail/CVE-2018-5407
  • https://nvd.nist.gov/vuln/detail/CVE-2018-0734
  • https://www.openssl.org/news/vulnerabilities.html

If you have any other questions or you need assistance, please, don't hesitate to contact your Meinberg support service.