News from 2019-03-18
Meinberg Security Advisory: [MBGSA-1901] NTP and OpenSSL for LANTIME firmware and NTP for Windows
Potential security problems were detected in NTP 4.2.8p12 and in OpenSSL 1.0.2q and have been fixed. LANTIME firmware version 6.24.021 and NTP for Windows ntp-4.2.8p13 therefore contain the latest NTP (4.2.8p13) and OpenSSL (1.0.2r) versions.
CVE-IDs:
- NTP: CVE-2019-8936 (CVSSv3 Score: 4.2)
- OpenSSL: CVE-2019-1559 (CVSSv3 Score: 5.9)
Updated versions:
NTP: 4.2.8p13
OpenSSL: 1.0.2r
1. Description of the vulnerabilities
The security vulnerabilities are described in detail on the manufacturers' webpages and in the NIST National Vulnerability Database (NVD). Links to the descriptions are listed in section 4, Further information.
2. Systems affected
All LANTIME firmware versions prior to V6.24.021 are affected by these vulnerabilities. The LANTIME firmware is used by all devices of the Meinberg LANTIME M-series (M100, M200, M300, M400, M600, M900), all devices of the IMS-series (M500, M1000, M1000S, M3000, M3000S, M4000) and by the SyncFire product family (SF1000 / SF1100). NTP for Windows prior to ntp-4.2.8p13 is also affected by both vulnerabilities.
Whether, and to what degree, a LANTIME system is vulnerable depends on its configuration, the network infrastructure and other factors. For this reason, no general statement can be made about the vulnerability of the systems in use.
3. Possible security measures
The security patches for NTP and OpenSSL are included in LANTIME firmware version 6.24.021 and in NTP for Windows version ntp-4.2.8p13. Updating to these versions mitigates the vulnerabilities. All updates are now available to Meinberg customers. It is recommended to update the LANTIME firmware to 6.24.021 and NTP for Windows to ntp-4.2.8p13.
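The following is an added example, not part of the Meinberg advisory: a check of an inventory against the fixed versions named above. It compares version fields numerically, because plain string comparison orders 4.2.8p9 after 4.2.8p13. The product keys, function names and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed versions as stated in advisory MBGSA-1901.
FIXED = {"lantime": "6.24.021", "ntp-windows": "4.2.8p13"}

# Accepted spellings: "V6.24.021"/"6.24.021" and "ntp-4.2.8p13"/"4.2.8p13".
PATTERNS = {
    "lantime": re.compile(r"v?(\d+)\.(\d+)\.(\d+)"),
    "ntp-windows": re.compile(r"(?:ntp-)?(\d+)\.(\d+)\.(\d+)(?:p(\d+))?"),
}

def version_key(product, version):
    """Return a tuple of ints that sorts in release order.

    Fields are compared as numbers, so 4.2.8p9 < 4.2.8p13 and
    6.3.100 < 6.24.021. A missing NTP "pN" suffix counts as patch level 0.
    """
    m = PATTERNS[product].fullmatch(version.strip().lower())
    if m is None:
        raise ValueError(f"unrecognised {product} version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(product, version):
    """True if the version is prior to the fixed version in the advisory."""
    return version_key(product, version) < version_key(product, FIXED[product])

def audit(inventory):
    """Map each host to 'update', 'ok' or 'unknown' (unparseable entry)."""
    result = {}
    for host, product, version in inventory:
        try:
            result[host] = "update" if is_affected(product, version) else "ok"
        except (KeyError, ValueError):
            result[host] = "unknown"  # needs manual review
    return result

# Constructed sample inventory; host names and installed versions are made up.
SAMPLE = [
    ("m300-lab", "lantime", "V6.24.020"),
    ("m3000-core", "lantime", "6.24.021"),
    ("sf1000-old", "lantime", "6.3.100"),
    ("win-ts1", "ntp-windows", "ntp-4.2.8p9"),
    ("win-ts2", "ntp-windows", "ntp-4.2.8p13"),
    ("win-ts3", "ntp-windows", "unknown build"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```

Entries reported as "unknown" could not be parsed and should be checked by hand rather than assumed to be up to date.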
4. Further information
Further details and information can be found on the following webpages:
NTP:
- https://nvd.nist.gov/vuln/detail/CVE-2019-8936
- http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
OpenSSL:
- https://nvd.nist.gov/vuln/detail/CVE-2019-1559
- https://www.openssl.org/news/vulnerabilities.html
If you have any other questions or need assistance, please don't hesitate to contact your Meinberg support service.