News from 2020-01-30


Meinberg Security Advisory: [MBGSA-2001] Meinberg-LANTIME-Firmware V7 and V6


LANTIME firmware version 6.24.024 includes an update (a back port) correcting the security vulnerabilities that had already been fixed in LANTIME firmware version 7.00.002. In addition to the back ports, two new fixes are included in both V7.00.006 and V6.24.024.

Estimation of severity:

  • LANTIME firmware V7.00.005: critical only if a TSU pxa270_v12 is in use in a M400, M600 or M900
  • LANTIME firmware V6.24.023: critical

Updated version:

  • LANTIME firmware: V7.00.006
  • LANTIME firmware: V6.24.024

  1. Description of the vulnerabilities

    • Web Interface

      • CVE-2018-10834 - Arbitrary File Read / Privilege Escalation (high)
        Admin and info users were able to read data through the data upload mechanism ("NTP → Leap Second Handling") to which only root users have access. (detected by Michal Bazyli)
        Fixed in:
        V7.00.002 MBGID-6927, 7038 and V6.24.024 MBGID-8872
        Workaround:
        Revoke access of admin and info users.

      • CVE-2018-10835 - Arbitrary File Upload / Privilege Escalation (high)
        Admin users were able to exchange web interface data through the data upload mechanism ("NTP → Leap Second Handling") to which only root users have access. (detected by Michal Bazyli)
        Fixed in:
        V7.00.002 MBGID-6927, 7039 and V6.24.024 MBGID-8872
        Workaround:
        Revoke access of admin and info users.

      • CVE-2018-10836 - Information Disclosure (low)
        Other logged-in users were visible to info users and admin users through the function "logged in users". (detected by Michal Bazyli)
        Fixed in:
        V7.00.002 MBGID-6927, 7046 and V6.24.024 MBGID-8872, 8877
        Workaround:
        Revoke access of admin and info users.

      • CVE-2020-7240 - Remote Code Execution (low)
The intended feature that is used in CVE-2020-7240 is only available to super users, who already have root access. Other authenticated users are not allowed to use this functionality. Because it requires the highest access rights, we do not currently plan to change this behavior.
        https://nvd.nist.gov/vuln/detail/CVE-2020-7240
        Workaround:
        Deactivate web interface (deactivate HTTP/HTTPS).

      • NO-CVE1 - Stored Cross Site Scripting not authenticated (critical)
Non-authenticated users were able to place JavaScript code through the login dialogue, which was then delivered by the web server via the function "System → System Information → Show System Messages". (detected by Jakub Palaczynski)
        Fixed in:
        V7.00.002 MBGID-6362 and V6.24.024 MBGID-8873
        Workaround:
        Deactivate web interface (deactivate HTTP/HTTPS).

      • NO-CVE2 - Stored Cross Site Scripting authenticated (high)
Admin users were able to place JavaScript code in different ways, which was then delivered by the web server. (detected by Jakub Palaczynski)
        Fixed in:
        V7.00.002 MBGID-7077, 7191, 7034 and V6.24.024 MBGID-8873
        Workaround:
        Revoke access of admin users.

      • NO-CVE3 - Reflected Cross Site Scripting authenticated (medium)
        The parameters of the SyncMon and XtraStats pages were susceptible to reflected cross-site scripting attacks. (detected by Jakub Palaczynski)
        Fixed in:
        V7.00.002 MBGID-8285, 7150 and V6.24.024 MBGID-8873
        Workaround:
        Deactivate web interface (deactivate HTTP/HTTPS).

      • NO-CVE4 - Privilege Escalation from admin user to super user (high)
• Admin users were allowed to download, change and re-upload configurations (e.g. /etc/passwd could be modified). (detected by Jakub Palaczynski)
          Fixed in:
          V7.00.002 MBGID-7009, 6746 and V6.24.024 MBGID-8948
          Workaround:
          Revoke access of admin users.

        • Admin users were allowed to activate other firmware versions (e.g. back to version 6 where configuration changes are possible).
          Fixed in:
          V7.00.002 MBGID-8430 and V6.24.024 MBGID-8949
          Workaround:
          Revoke access of admin users.

        • Admin users were allowed to restore factory default settings (device take-over).
          Fixed in:
          V7.00.002 MBGID-8430 and V6.24.024 MBGID-8949
          Workaround:
          Revoke access of admin users.

        • Admin users were allowed to view advanced network settings and user defined notifications with potentially security relevant information in it.
          Fixed in:
          V7.00.002 MBGID-7081 and V6.24.024 MBGID-8951
          Workaround:
          Revoke access of admin users.

        • Admin users were allowed to add, change and delete other external authentication servers.
          Fixed in:
          V7.00.002 MBGID-8131, 8429 and V6.24.024 MBGID-8952
          Workaround:
          Revoke access of admin users.

        • Admin users were allowed to download the private key of the SSL certificate.
          Fixed in:
          V7.00.002 MBGID-7038 and V6.24.024 MBGID-8953
          Workaround:
          Revoke access of admin users.

      • NO-CVE5 - Information Disclosure and possibly Privilege Escalation from info user to super user (high)
Info users were able to download the diagnostic file, which contains potentially security-related information (e.g. the external authentication password, which can be used to decode network traffic).
        Fixed in:
        V7.00.002 MBGID-7152 and V6.24.024 MBGID-8866
        Workaround:
        Revoke access of info and admin users.

      • NO-CVE6 - Browser Cache weakness (medium)
The browser was not instructed by the web server to delete cached pages (neither a "Cache-Control: no-store" nor a "Pragma: no-cache" header was set).
        Fixed in:
        V7.00.002 MBGID-7024, 8767 and V6.24.024 MBGID-8868
        Workaround:
        Manually adapt lighttpd web server configuration.

      • NO-CVE7 - Outdated Anti-Cross-Site-Scripting header set (low)
        The web server transferred the outdated X-Content-Security-Policy header instead of the Content-Security-Policy header.
        Fixed in:
        V7.00.002 MBGID-7015, 7391, 8767 and V6.24.024 MBGID-8868, 8875
        Workaround:
        Manually adapt lighttpd web server configuration.

      • NO-CVE8 - Cross-domain Referrer leakage (medium)
Security-related information (the Cross-Site-Request-Forgery token) was transferred in the URL (fixed in V7). Furthermore, links did not set the "noreferrer" link relation (rel="noreferrer"), so the URL could leak to other domains via the Referer header (fixed in V7 and V6).
        Fixed in:
        V7.00.002 MBGID-7023, 7697 and V6.24.024 MBGID-8884
        Workaround:
        Deactivate web interface (deactivate HTTP/HTTPS).

      • NO-CVE9 - Command Line Injection (high)
In some form fields of the SyncMon web interface it was possible for admin users to execute arbitrary commands with root privileges. (detected by Jakub Palaczynski)
        Fixed in:
        V7.00.002 MBGID-7186, 7010, 7696 and V6.24.024 MBGID-8885, 8867
        Workaround:
        Revoke access of admin users.

      • NO-CVE10 - Information Disclosure password fields (medium)
        The SNMPv1/v2 community names were shown in plain text in the web front-end. The shared secret under "System → User Management/Administration → Add External Authentication Server" was not a password type field.
        Fixed in:
        V7.00.002 MBGID-7042, 7014, 8130 and V6.24.024 MBGID-8878
        Workaround:
        Deactivate web interface (deactivate HTTP/HTTPS).

      • NO-CVE11 - Information Disclosure and potentially Privilege Escalation (high)
        The SNMPv3 user password was visible to admin users via manual configuration ("System → Services and Functions → Manual Configuration → Miscellaneous Configuration").
        Fixed in:
        V7.00.002 MBGID-7082 and V6.24.024 MBGID-8876
        Workaround:
        Revoke access of admin users.

      • NO-CVE12 - Information Disclosure and potentially Privilege Escalation (high)
        The external auth shared secret was also visible to admin users as long as it was in the "current configuration changes" (in other words: as long as the current configuration had not been saved as startup configuration).
        Fixed in:
        V7.00.002 MBGID-7040 and V6.24.024 MBGID-8901
        Workaround:
Make sure that no admin user can log in before and during modifications.

    • System

    • TSU cards

      • NO-CVE13 - SSH default key (critical)
Root access to TSU cards was possible over the network due to a default SSH key.
        Fixed in:
        V7.00.002 MBGID-7591 and V6.24.022 for TSU pxa270_v24 and TSU GbE (tegra20_v12_1ge)
        V7.00.006 MBGID-8412 and V6.24.024 MBGID-8869 for TSU pxa270_v12
        Workaround:
Remove the SSH authorized key after initial configuration and change the host keys. Automatic updates of the TSU cards are no longer possible afterwards.

  2. Systems affected

All LANTIME firmware versions before V6.24.024 (V7.00.002 respectively) are affected by the vulnerabilities, with the exception of CVE-2019-1551 and NO-CVE13, which also affect all versions before V7.00.006. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M200, M300, M400, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000 / SF1100).

    Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the respective configuration, network infrastructure and other factors. Therefore, no general statement can be made regarding the actual vulnerability of the systems used.

  3. Possible security measures

The security patches are included in the LANTIME firmware versions V7.00.006 and V6.24.024. An update to one of these versions corrects the listed vulnerabilities, with the exception of CVE-2020-7240.

Also note that in the V6 firmware the web server configuration is not automatically updated to fix NO-CVE6 and NO-CVE7. To replace the configuration, the following command can be executed on the command line.

    • LANTIME:
      sudo cp /mnt/firmware/fw_6.24.024/flash/firmware/OSV/packages/web/files/config/default/etc/http-global.conf /etc/http-global.conf ; sudo saveconfig; sudo restart http; sudo restart https
    • SyncFire:
      sudo cp /mnt/firmware/fw_6.24.024-sf1000/flash/firmware/OSV/packages/web/files/config/default/etc/http-global.conf /etc/http-global.conf ; sudo saveconfig; sudo restart http; sudo restart https
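    The following shell script is an added example and is not part of the Meinberg advisory or the LANTIME firmware. It checks an HTTP response header block for the two header problems described under NO-CVE6 and NO-CVE7, so that the effect of the command above can be verified from an administrator's workstation before and after the configuration is replaced. The host name lantime.example, the use of curl and the two sample responses are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Meinberg advisory: verify the web server headers
# that NO-CVE6 (browser caching) and NO-CVE7 (outdated CSP header) concern.
# The host name lantime.example below is a placeholder.
#
# Live use (assumes curl on the admin workstation; -I requests headers only):
#   curl -sSI https://lantime.example/ | check_web_headers

# Does the normalised header block ($1) contain a line matching regex $2?
header_matches() {
    printf '%s\n' "$1" | grep -q "$2"
}

# Reads an HTTP response header block from stdin, prints one line per finding
# and returns the number of findings (0 = all checks passed).
check_web_headers() {
    # lower-case everything and strip CR so CRLF responses from curl match too
    hdrs=$(tr '[:upper:]' '[:lower:]' | tr -d '\r')
    findings=0
    if ! header_matches "$hdrs" '^cache-control:.*no-store'; then
        echo "MISSING  Cache-Control: no-store            (NO-CVE6)"
        findings=$((findings + 1))
    fi
    if ! header_matches "$hdrs" '^pragma:.*no-cache'; then
        echo "MISSING  Pragma: no-cache                   (NO-CVE6)"
        findings=$((findings + 1))
    fi
    if header_matches "$hdrs" '^x-content-security-policy:'; then
        echo "OUTDATED X-Content-Security-Policy present  (NO-CVE7)"
        findings=$((findings + 1))
    fi
    if ! header_matches "$hdrs" '^content-security-policy:'; then
        echo "MISSING  Content-Security-Policy            (NO-CVE7)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Same check, but prints the number of findings instead of returning it,
# which is convenient in scripts that run with 'set -e'.
count_web_header_findings() {
    n=0
    check_web_headers >/dev/null || n=$?
    echo "$n"
}

# Constructed sample responses (not captured from a real device): the first
# resembles the pre-fix behaviour described in NO-CVE6/NO-CVE7, the second the
# expected state after the lighttpd configuration has been replaced.
SAMPLE_OLD="HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Security-Policy: default-src 'self'"

SAMPLE_FIXED="HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'self'"

# Stand-alone demo: the old sample yields four findings, the fixed sample none.
echo "== old sample"
printf '%s\n' "$SAMPLE_OLD" | check_web_headers || echo "findings: $?"
echo "== fixed sample"
printf '%s\n' "$SAMPLE_FIXED" | check_web_headers && echo "all checks passed"
```

    The checks are anchored at the start of a header line, so an X-Content-Security-Policy header does not count as a Content-Security-Policy header, and a no-store value in some unrelated header does not satisfy the Cache-Control check. Run the script against the device before applying the command above to confirm the findings, and again afterwards to confirm that both services deliver the new headers.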

    Download the latest LANTIME firmware at:

    All updates are now available to Meinberg clients. An update of the LANTIME firmware to the version 7.00.006 is recommended. Clients who cannot install 7.00.006 can use version V6.24.024.

  4. Further information

    Further details and information are available from the following websites and LTOS7 Release Notes:

If you have any questions or need assistance, please don't hesitate to contact your Meinberg support service.

  5. Acknowledgments

We would like to thank the independent security researchers Michal Bazyli and Jakub Palaczynski for their cooperation. We would also like to express our gratitude to all those who preferred not to be mentioned or who have not explicitly agreed to being mentioned.

    Thanks!


Meinberg Mail Contact