![Meinberg Security Advisory: [MBGSA-2021.02] Meinberg-LANTIME-Firmware V7.02.003 and V6.24.028 - Meinberg News](/css/images/logos/xmbg-logo.png.pagespeed.ic.DX69pohVcT.png){kind=logo}
NEWSNews from 2021-04-20
Meinberg Security Advisory: [MBGSA-2021.02] Meinberg-LANTIME-Firmware V7.02.003 and V6.24.028
Meinberg recommends the update to LANTIME firmware version 7.02.003.
Estimation of severity
-
LANTIME-Firmware V7.02.001: severity level high (3), medium (1), low (1), not specified (0)
-
LANTIME-Firmware V7.02.002: severity level high (2), medium (1), low (1), not specified (0)
-
LANTIME-Firmware V6.24.027: severity level high (4), medium (1), low (1), not specified (0)
Updated versions:
-
LANTIME-Firmware: V7.02.003
-
LANTIME-Firmware: V6.24.028
-
Description of the vulnerabilities
- Third-party software:
- OpenSSL-1.1.1k:
-
CVE-2021-3450 - CA certificate check bypass with X509_V_FLAG_X509_STRICT (high)
OpenSSL-1.1.1j security advisory:
https://www.openssl.org/news/vulnerabilities.html
Fixed in:
V7.02.003 MBGID-4882 and V6.24.028 MBGID-9308
-
CVE-2021-23840 - NULL pointer deref in signature_algorithms processing (high)
OpenSSL-1.1.1j security advisory:
https://www.openssl.org/news/vulnerabilities.html
Fixed in:
V7.02.003 MBGID-4882 and V6.24.028 MBGID-9308
- OpenSSL-1.1.1j:
-
CVE-2021-23841 - public API function NULL pointer deref (medium)
OpenSSL-1.1.1i security advisory:
https://www.openssl.org/news/vulnerabilities.html
Fixed in:
V7.02.003 MBGID-4882 and V6.24.028 MBGID-9308
-
CVE-2021-23840 - API function overflow of output length (low)
OpenSSL-1.1.1i security advisory:
https://www.openssl.org/news/vulnerabilities.html
Fixed in:
V7.02.003 MBGID-4882 and V6.24.028 MBGID-9308
- sudo-1.9.5p2:
-
CVE-2021-3156 - Heap-based Buffer Overflow allowing privilege escalation (high)
sudo-1.9.5p2 release notes:
https://www.sudo.ws/stable.html#1.9.5p2
Fixed in:
V7.02.002 MBGID-2438 and V6.24.028 MBGID-9288
Notice: ’sudo’ can be used by super users only. Super users are already in use of root rights and can not further elivate their rights via this vulnerability. In addition no sudo binary with the name sudoedit is part of the LTOS firmware default.
- LTOS-Web-Interface:
- SyncMon:
-
NOCVE - Cross-Site-Scripting and Command-Line-Injection (high)
In consequence of missing input validation of a few fields in the SyncMon web interface, the LTOS was susceptible for Cross-Site-Scripting and Command-Line-Injection attacks.
Fixed in:
V7.02.001 MBGID-4053 and V6.24.028 MBGID-9279
Workaround:
Deactivate the web interface (HTTP/HTTPS).
-
SSL and SSH cipher suites hardening
In version 7.02.001 and 6.24.028 the default cipher suites were updated for SSL and SSH. The new firmware defaults will be automatically used in version 7 unless the configurations were not manually changed before. In version 6.24.028 the SSL cipher-suites are automatically updated only. The new SSH ciphers must be activated by a manual step. To get the new SSH ciphers in version 6 the command 'sudo lt_cfg /etc/ssh/ssh.cfg alter SSHD CONFIGFILE /etc/ssh/sshd_modern.cfg; sudo restart ssh' must be executed on the command line interface. Afterwards it should be tested if the SSH connection works as desired. If everything is working fine, the running-config can be saved to the startup-config with the ’sudo saveconfig ssh’ command.
Please look for a current SSH client and web browser when you update your LANTIME system to be safe that the new ciphers are supported by the clients too.
-
Systems affected
All LANTIME firmware versions before V7.02.003 (V6.24.028 respectively) are affected by these vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M200, M300, M400, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000 / SF1100 / SF1200).
Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the respective configuration, network infrastructure and other factors. Therefore, no general statement can be made regarding the actual vulnerability of the systems used.
-
Possible security measures
The security updates are included in the LANTIME firmware version V7.02.003 and V6.24.028. An update of these versions corrects the listed vulnerabilities.
Download the latest LANTIME firmware at:
All updates are now available to Meinberg clients. An update of the LANTIME firmware to the version 7.02.003 is recommended. Clients who cannot install 7.02.003 can use version V6.24.028.
-
Further information
Further details and information are available from the following websites:
If you have any questions or need assistance, please, don’t hesitate to contact your Meinberg support service.
-
Acknowledgments
We would like to thank all those who have point us to vulnerabilities, other failures or improvements.
Many thanks!
Description of the vulnerabilities
- Third-party software:
- OpenSSL-1.1.1k:
-
CVE-2021-3450 - CA certificate check bypass with X509_V_FLAG_X509_STRICT (high)
OpenSSL-1.1.1j security advisory:
https://www.openssl.org/news/vulnerabilities.html
Fixed in:
V7.02.003 MBGID-4882 and V6.24.028 MBGID-9308
-
CVE-2021-23840 - NULL pointer deref in signature_algorithms processing (high)
OpenSSL-1.1.1j security advisory:
https://www.openssl.org/news/vulnerabilities.html
Fixed in:
V7.02.003 MBGID-4882 and V6.24.028 MBGID-9308
-
CVE-2021-3450 - CA certificate check bypass with X509_V_FLAG_X509_STRICT (high)
- OpenSSL-1.1.1j:
-
CVE-2021-23841 - public API function NULL pointer deref (medium)
OpenSSL-1.1.1i security advisory:
https://www.openssl.org/news/vulnerabilities.html
Fixed in:
V7.02.003 MBGID-4882 and V6.24.028 MBGID-9308
-
CVE-2021-23840 - API function overflow of output length (low)
OpenSSL-1.1.1i security advisory:
https://www.openssl.org/news/vulnerabilities.html
Fixed in:
V7.02.003 MBGID-4882 and V6.24.028 MBGID-9308
-
CVE-2021-23841 - public API function NULL pointer deref (medium)
- sudo-1.9.5p2:
-
CVE-2021-3156 - Heap-based Buffer Overflow allowing privilege escalation (high)
sudo-1.9.5p2 release notes:
https://www.sudo.ws/stable.html#1.9.5p2
Fixed in:
V7.02.002 MBGID-2438 and V6.24.028 MBGID-9288Notice: ’sudo’ can be used by super users only. Super users are already in use of root rights and can not further elivate their rights via this vulnerability. In addition no sudo binary with the name sudoedit is part of the LTOS firmware default.
-
CVE-2021-3156 - Heap-based Buffer Overflow allowing privilege escalation (high)
- OpenSSL-1.1.1k:
- LTOS-Web-Interface:
- SyncMon:
-
NOCVE - Cross-Site-Scripting and Command-Line-Injection (high)
In consequence of missing input validation of a few fields in the SyncMon web interface, the LTOS was susceptible for Cross-Site-Scripting and Command-Line-Injection attacks.
Fixed in:
V7.02.001 MBGID-4053 and V6.24.028 MBGID-9279
Workaround:
Deactivate the web interface (HTTP/HTTPS).
-
NOCVE - Cross-Site-Scripting and Command-Line-Injection (high)
- SyncMon:
SSL and SSH cipher suites hardening
In version 7.02.001 and 6.24.028 the default cipher suites were updated for SSL and SSH. The new firmware defaults will be automatically used in version 7 unless the configurations were not manually changed before. In version 6.24.028 the SSL cipher-suites are automatically updated only. The new SSH ciphers must be activated by a manual step. To get the new SSH ciphers in version 6 the command 'sudo lt_cfg /etc/ssh/ssh.cfg alter SSHD CONFIGFILE /etc/ssh/sshd_modern.cfg; sudo restart ssh' must be executed on the command line interface. Afterwards it should be tested if the SSH connection works as desired. If everything is working fine, the running-config can be saved to the startup-config with the ’sudo saveconfig ssh’ command.
Please look for a current SSH client and web browser when you update your LANTIME system to be safe that the new ciphers are supported by the clients too.
Systems affected
All LANTIME firmware versions before V7.02.003 (V6.24.028 respectively) are affected by these vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M200, M300, M400, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000 / SF1100 / SF1200).
Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the respective configuration, network infrastructure and other factors. Therefore, no general statement can be made regarding the actual vulnerability of the systems used.
Possible security measures
The security updates are included in the LANTIME firmware version V7.02.003 and V6.24.028. An update of these versions corrects the listed vulnerabilities.
Download the latest LANTIME firmware at:
All updates are now available to Meinberg clients. An update of the LANTIME firmware to the version 7.02.003 is recommended. Clients who cannot install 7.02.003 can use version V6.24.028.
Further information
Further details and information are available from the following websites:
If you have any questions or need assistance, please, don’t hesitate to contact your Meinberg support service.
Acknowledgments
We would like to thank all those who have point us to vulnerabilities, other failures or improvements.
Many thanks!
