News from 2019-10-16


Meinberg Security Advisory: [MBGSA-1902] Meinberg LANTIME Firmware V7


Potential security problems were detected in LANTIME firmware versions up to and including 6.24.023 and have been removed. For this reason, LANTIME firmware version 7.00.002 contains a broad rework of the web interface, the installed programs and the provided services.

Estimation of severity
LANTIME firmware V6: critical vulnerabilities

Updated Version:
LANTIME firmware V7.00.002

  1. Description of the vulnerabilities
    The firmware changes that mitigate the security vulnerabilities are listed and described in an additional document. A link to the document "Release Notes LANTIME Firmware V7", which contains these descriptions, can be found under Further information. That document also contains lists of hardening measures and of updated third-party software; the latter list can be used to determine the security fixes that come with the updated software if needed. It is strongly recommended to read this document thoroughly because of possible regressions when connecting to the time servers.

    • Web Interface

      • CVE-2018-10834 - Arbitrary File Read / Privilege Escalation (high)
        Admin and info users were able to read data through the data upload mechanism ("NTP → Leap Second Handling") to which only root users have access. (detected by Michal Bazyli)
        Fixed in:
        V7.00.002 MBGID-6927, 7038 and V6.24.024 MBGID-8872
        Workaround:
        Revoke access of admin and info users.

      • CVE-2018-10835 - Arbitrary File Upload / Privilege Escalation (high)
        Admin users were able to exchange web interface data through the data upload mechanism ("NTP → Leap Second Handling") to which only root users have access. (detected by Michal Bazyli)
        Fixed in:
        V7.00.002 MBGID-6927, 7039 and V6.24.024 MBGID-8872
        Workaround:
        Revoke access of admin and info users.

      • CVE-2018-10836 - Information Disclosure (low)
        Other logged-in users were visible to info users and admin users through the function "logged in users". (detected by Michal Bazyli)
        Fixed in:
        V7.00.002 MBGID-6927, 7046 and V6.24.024 MBGID-8872, 8877
        Workaround:
        Revoke access of admin and info users.

      • CVE-2020-7240 - Remote Code Execution (low)
        The feature used in CVE-2020-7240 is intended functionality that is only available to super users, who already have root access. Other authenticated users are not allowed to use it. Because it requires the highest access rights, we do not currently plan to change this behavior.
        https://nvd.nist.gov/vuln/detail/CVE-2020-7240
        Workaround:
        Deactivate web interface (deactivate HTTP/HTTPS).

      • NO-CVE1 - Stored Cross Site Scripting not authenticated (critical)
        Non-authenticated users were able to place JavaScript code through the login dialogue, which was then delivered by the web server via the function "System → System Information → Show System Messages". (detected by Jakub Palaczynski)
        Fixed in:
        V7.00.002 MBGID-6362 and V6.24.024 MBGID-8873
        Workaround:
        Deactivate web interface (deactivate HTTP/HTTPS).

      • NO-CVE2 - Stored Cross Site Scripting authenticated (high)
        Admin users were able to place JavaScript code in several ways, which was then delivered by the web server. (detected by Jakub Palaczynski)
        Fixed in:
        V7.00.002 MBGID-7077, 7191, 7034 and V6.24.024 MBGID-8873
        Workaround:
        Revoke access of admin users.

      • NO-CVE3 - Reflected Cross Site Scripting authenticated (medium)
        The parameters of the SyncMon and XtraStats pages were susceptible to reflected cross-site scripting attacks. (detected by Jakub Palaczynski)
        Fixed in:
        V7.00.002 MBGID-8285, 7150 and V6.24.024 MBGID-8873
        Workaround:
        Deactivate web interface (deactivate HTTP/HTTPS).

      • NO-CVE4 - Privilege Escalation from admin user to super user (high)
        • Admin users were allowed to download, change and re-upload configurations (e.g. the change of /etc/passwd was possible). (detected by Jakub Palaczynski)
          Fixed in:
          V7.00.002 MBGID-7009, 6746 and V6.24.024 MBGID-8948
          Workaround:
          Revoke access of admin users.

        • Admin users were allowed to activate other firmware versions (e.g. back to version 6 where configuration changes are possible).
          Fixed in:
          V7.00.002 MBGID-8430 and V6.24.024 MBGID-8949
          Workaround:
          Revoke access of admin users.

        • Admin users were allowed to restore factory default settings (device take-over).
          Fixed in:
          V7.00.002 MBGID-8430 and V6.24.024 MBGID-8949
          Workaround:
          Revoke access of admin users.

        • Admin users were allowed to view advanced network settings and user defined notifications with potentially security relevant information in it.
          Fixed in:
          V7.00.002 MBGID-7081 and V6.24.024 MBGID-8951
          Workaround:
          Revoke access of admin users.

        • Admin users were allowed to add, change and delete other external authentication servers.
          Fixed in:
          V7.00.002 MBGID-8131, 8429 and V6.24.024 MBGID-8952
          Workaround:
          Revoke access of admin users.

        • Admin users were allowed to download the private key of the SSL certificate.
          Fixed in:
          V7.00.002 MBGID-7038 and V6.24.024 MBGID-8953
          Workaround:
          Revoke access of admin users.

      • NO-CVE5 - Information Disclosure and possibly Privilege Escalation from info user to super user (high)
        Info users were able to download the diagnostic file which contains potentially security-related information (e.g. the external authentication password to decode network traffic).
        Fixed in:
        V7.00.002 MBGID-7152 and V6.24.024 MBGID-8866
        Workaround:
        Revoke access of info and admin users.

      • NO-CVE6 - Browser Cache weakness (medium)
        The web server did not instruct the browser to discard cached pages (no "Cache-Control: no-store" and "Pragma: no-cache" headers were set).
        Fixed in:
        V7.00.002 MBGID-7024, 8767 and V6.24.024 MBGID-8868
        Workaround:
        Manually adapt lighttpd web server configuration.

      • NO-CVE7 - Outdated Anti-Cross-Site-Scripting header set (low)
        The web server transferred the outdated X-Content-Security-Policy header instead of the Content-Security-Policy header.
        Fixed in:
        V7.00.002 MBGID-7015, 7391, 8767 and V6.24.024 MBGID-8868, 8875
        Workaround:
        Manually adapt lighttpd web server configuration.
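        The two header weaknesses above (NO-CVE6 and NO-CVE7) can be checked from a raw HTTP response, and the lighttpd workaround can be expressed as a mod_setenv directive. The following script is an added example and not Meinberg's code; the sample response is constructed, and the CSP value "default-src 'self'" is an assumption, since the advisory names only the header.

```python
from typing import Dict, List

# Constructed sample of a response as the pre-fix web server might have sent it
# (not a capture from a real LANTIME; only the header names matter here).
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: lighttpd\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"X-Content-Security-Policy: default-src 'self'\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Header values a hardened response should carry. The CSP value is an
# assumption for this example; the advisory names only the header.
REQUIRED_HEADERS = {
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
    "Content-Security-Policy": "default-src 'self'",
}


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.1 response into a lower-cased header dict (body ignored)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return the advisory IDs whose header weakness is still present."""
    findings = []
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    if "no-store" not in directives or headers.get("pragma", "").lower() != "no-cache":
        findings.append("NO-CVE6")   # browser may keep pages after logout
    if "x-content-security-policy" in headers or "content-security-policy" not in headers:
        findings.append("NO-CVE7")   # outdated header instead of Content-Security-Policy
    return findings


def lighttpd_snippet(required: Dict[str, str] = REQUIRED_HEADERS) -> str:
    """Build a mod_setenv directive adding the required headers to every response.
    setenv.add-response-header only adds headers, so the legacy
    X-Content-Security-Policy header must still be dropped where the application emits it."""
    pairs = ",\n".join(f'    "{k}" => "{v}"' for k, v in required.items())
    return "setenv.add-response-header = (\n" + pairs + "\n)"
```

Run audit_headers(parse_headers(...)) against a captured response before and after applying the snippet; an empty list means both conditions are cleared.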

      • NO-CVE8 - Cross-domain Referrer leakage (medium)
        Security-related information (the Cross-Site-Request-Forgery token) was transferred in the URL. Furthermore, links did not carry the "noreferrer" relation.
        Fixed in:
        V7.00.002 MBGID-7023, 7697 and V6.24.024 MBGID-8884
        Workaround:
        Deactivate web interface (deactivate HTTP/HTTPS).

      • NO-CVE9 - Command Line Injection (high)
        In some form fields of the SyncMon web interface, admin users were able to execute arbitrary commands with root privileges. (detected by Jakub Palaczynski)
        Fixed in:
        V7.00.002 MBGID-7186, 7010, 7696 and V6.24.024 MBGID-8885, 8867
        Workaround:
        Revoke access of admin users.

      • NO-CVE10 - Information Disclosure password fields (medium)
        The SNMPv1/v2 community names were shown in plain text in the web front-end. The shared secret under "System → User Management/Administration → Add External Authentication Server" was not a password-type field.
        Fixed in:
        V7.00.002 MBGID-7042, 7014, 8130 and V6.24.024 MBGID-8878
        Workaround:
        Deactivate web interface (deactivate HTTP/HTTPS).

      • NO-CVE11 - Information Disclosure and potentially Privilege Escalation (high)
        The SNMPv3 user password was visible to admin users via manual configuration ("System → Services and Functions → Manual Configuration → Miscellaneous Configuration").
        Fixed in:
        V7.00.002 MBGID-7082 and V6.24.024 MBGID-8876
        Workaround:
        Revoke access of admin users.

      • NO-CVE12 - Information Disclosure and potentially Privilege Escalation (high)
        The external authentication shared secret was also visible to admin users as long as it was part of the "current configuration changes" (in other words, as long as the current configuration had not yet been saved as the startup configuration).
        Fixed in:
        V7.00.002 MBGID-7040 and V6.24.024 MBGID-8901
        Workaround:
        Make sure that no admin user can log in before and during modifications.
    • System

    • TSU cards

      • NO-CVE13 - SSH default key (critical)
        Root access to TSU cards was possible over the network due to a default SSH key.
        Fixed in:
        V7.00.002 MBGID-7591 and V6.24.022 for TSU pxa270_v24 and TSU GbE (tegra20_v12_1ge)
        Workaround:
        Remove the SSH authorized key after initial configuration and change the host keys. No automatic updates of the TSU cards are possible thereafter.
  2. Systems affected
    All LANTIME firmware versions prior to V7.00.002 are affected by the vulnerabilities mentioned above. The LANTIME firmware is used by all devices of Meinberg's LANTIME M series (M100, M200, M300, M400, M600, M900), all devices of the IMS series (M500, M1000, M1000S, M3000, M3000S, M4000) and by the SyncFire product family (SF1000 / SF1100). Whether and to which degree the LANTIME systems in use are vulnerable depends on their configuration, the network infrastructure and other factors, so no general statement about their vulnerability can be made.

  3. Possible security measures
    The security patches are included in LANTIME firmware version 7.00.002; an update to this version mitigates the vulnerabilities. If it is not possible to update your LANTIME, it is recommended to restrict management access to the system as much as possible. The newest LANTIME firmware can be downloaded under:
    Meinberg LANTIME Firmware Updates.

    As of now, all updates are available to Meinberg customers. It is recommended to update the LANTIME firmware to version 7.00.002.

  4. Further information
    Further details and information can be found on the following webpages: If you have any other questions or need assistance, please don't hesitate to contact your Meinberg support service.
