Meinberg Security Advisory: [MBGSA-2021.01] Meinberg LANTIME firmware V7.00.014 and V6.24.027

LANTIME firmware versions 7.00.014 and 6.24.027 now include an update of OpenSSL (1.1.1i) to fix the vulnerability mentioned in this advisory.

Meinberg recommends the update to LANTIME firmware version 7.00.014.

Estimation of severity

• LANTIME firmware V7.00.013:
  severity level high (1), medium (0), low (0), not specified (0)
• LANTIME firmware V6.24.026:
  severity level high (1), medium (0), low (0), not specified (0)

Updated version:

• LANTIME firmware: V7.00.014
• LANTIME firmware: V6.24.027

1. Description of the vulnerabilities

   • Third-party software:
     • OpenSSL-1.1.1i:
       CVE-2020-1971 - EDIPARTYNAME NULL pointer de-reference (high)
       OpenSSL-1.1.1h security advisory: https://www.openssl.org/news/vulnerabilities.html
       Fixed in:
       V7.00.014 MBGID-3945 and in V6.24.027 MBGID-9256
       
       

2. Systems affected

   All LANTIME firmware versions before V7.00.014 (V6.24.027 respectively) are affected by this vulnerability. LANTIME firmware is used by all devices of the LANTIME M series (M100, M200, M300, M400, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M3000, M3000S, M4000) and the SyncFire product family.

   Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the respective configuration, network infrastructure and other factors. Therefore, no general statement can be made regarding the actual vulnerability of the systems used.

3. Possible security measures

   The update of OpenSSL is included in the LANTIME firmware version V7.00.014 and V6.24.027. An update of these versions corrects the listed vulnerability.

   Download the latest LANTIME firmware at:

   • Meinberg LANTIME firmware

   All updates are now available to Meinberg clients. An update of the LANTIME firmware to the version 7.00.014 is recommended. Clients who cannot install V7.00.014 can use version V6.24.027.

4. Further information

   Further details and information are available from the following websites:

   • LANTIME firmware release: V7.00.014
   • LANTIME firmware release: V6.24.027

   If you have any questions or need assistance, please, don’t hesitate to contact your Meinberg support service.

5. Acknowledgments

   We would like to thank all those who have point us to vulnerabilities, other failures or improvements.

   Many thanks!