Meinberg Security Advisory: [MBGSA-2020.02] Meinberg-LANTIME-Firmware V7.00.010 and V6.24.026

The LANTIME firmware versions 7.00.010 and 6.24.026 contain an update of the ntp software (ntp-4.2.8p15) due to a vulnerability found. Furthermore, this security advisory contains a summary of further fixed vulnerabilities of the last LTOS versions.

An update of the LANTIME firmware to the version 7.00.010 is recommended.

Estimation of severity

• LANTIME firmware V7.00.007: severity level high (2), medium (4), low (2), not specified (1)
• LANTIME firmware V7.00.008: severity level high (1), medium (1), low (0), not specified (0)
• LANTIME firmware V7.00.009: severity level high (0), medium (1), low (0), not specified (0)

• LANTIME firmware V6.24.024: severity level high (1), medium (4), low (1), not specified (1)
• LANTIME firmware V6.24.025: severity level high (0), medium (1), low (0), not specified (0)

Updated version:

• LANTIME firmware: V7.00.010 (Released 2020-07-03)
• LANTIME firmware: V6.24.026 (Released 2020-08-05)

1. Description of the vulnerabilities

   • Third-party software:

     • ntp-4.2.8p13:
       

       • Sec 3610 - short packets (none)
         ntp-4.2.8p14 release notes:
         http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
         Fixed in:
         V7.00.008 MBGID-1993 and V6.24.025 MBGID-9014

       • Sec 3596 - Unauthenticated IPv4 spoof attack (medium)
         ntp-4.2.8p14 release notes:
         http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
         Fixed in:
         V7.00.008 MBGID-1993 and V6.24.025 MBGID-9014

       • Sec 3592 - DoS Attack on unauthenticated client. (medium)
         ntp-4.2.8p14 release notes:
         http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
         Fixed in:
         V7.00.008 MBGID-1993 and V6.24.025 MBGID-9014

     • ntp-4.2.8p14:
       

       • Sec 3661 - Memory leak with CMAC keys. (medium)
         ntp-4.2.8p15 release notes:
         http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
         Fixed in:
         V7.00.010 MBGID-2521 and V6.24.026 MBGID-9122

     • OpenSSL-1.1.1d (only V7.00.008):
       

       • CVE-2019-1551 - Exposure of sensitive information to an unauthorized actor (low)
         OpenSSL-1.1.1e security advisory:
         https://www.openssl.org/news/vulnerabilities.html
         Fixed in:
         V7.00.008 MBGID-2376 and already in V6.24.024 MBGID-8905 with the OpenSSL update to 1.0.2u

     • OpenSSL-1.1.1f:
       

       • CVE-2020-1967 - NULL pointer dereference (high)
         OpenSSL-1.1.1g security advisory:
         https://www.openssl.org/news/vulnerabilities.html
         Fixed in:
         V7.00.009 MBGID-2522 (V6.24.024 is not affected)

   • Web interface

     (the respective workaround should only be applied if an upgrade of the firmware is not possible at all)
     
     

     • NO-CVE1 - Information Disclosure (medium)
       Info-Users were able to create a custom POST message to display configuration changes. This was only possible as long as changes existed. After revoking or saving them as startup configuration it was not possible to access them anymore.
       Fixed in:
       V7.00.008 MBGID-1958 and V6.24.025 MBGID-9012
       Workaround:
       Revoke access of info users.

     • NO-CVE2 - Information Disclosure (high)
       Authenticated users were able to display meta information of other user sessions. The data only exists for a short duration during a website request of another user. The data that was viewable contained sensible account information.
       Fixed in:
       V7.00.008 MBGID-1958 and V6.24.025 MBGID-9012
       Workaround:
       Deactivate web interface (deactivate HTTP/HTTPS) or create just one user.

     • NO-CVE3 - Insufficient Access Control (low)
       Authenticated users were able to call functions in the web interface although the access restrictions should have blocked the IP address.
       Fixed in:
       V7.00.008 MBGID-1975 and V6.24.025 MBGID-9013
       Workaround:
       Deactivate web interface (deactivate HTTP/HTTPS).

2. Systems affected

   All LANTIME firmware versions before V7.00.010 (V6.24.026 respectively) are affected by vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M200, M300, M400, M600, M900) as well as all devices of the IMS LANTIME series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000 / SF1100).

   Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the respective configuration, network infrastructure and other factors. Therefore, no general statement can be made regarding the actual vulnerability of the systems used.

3. Possible security measures

   The security patches and the update of NTP are included in the LANTIME firmware version V7.00.010 and V6.24.026. An update of these versions corrects the listed vulnerabilities.

   Download the latest LANTIME firmware at:

   • Meinberg-LANTIME-Firmware

   All updates are now available to Meinberg clients. An update of the LANTIME firmware to the version 7.00.010 is recommended. Clients who cannot install 7.00.010 can use version V6.24.026.

4. Further information

   Further details and information are available on the following websites:

   • Changelogs: LANTIME Firmware V7.00.010
   • Changelogs: LANTIME Firmware V6.24.026

   If you have any questions or need assistance, please, don’t hesitate to contact your Meinberg support service.

5. Acknowledgments

   We would like to thank all those who have pointed us to vulnerabilities, other failures or improvements.
   Many thanks!