News from 2021-11-15
Meinberg Security Advisory: [MBGSA-2021.03] Meinberg-LANTIME-Firmware V7.04.008 and V6.24.029
Meinberg recommends updating to LANTIME Firmware version 7.04.008.
Estimation of Severity up to and Including
- LANTIME firmware V7.04.007: severity level high (2), medium (2), low (2)
- LANTIME firmware V6.24.028: severity level high (2), medium (2), low (2)
Updated versions:
- LANTIME firmware: V7.04.008
- LANTIME firmware: V6.24.029
Description of Vulnerabilities
- Third-party software:
- Linux kernel:
- CVE-2021-33909 - integer overflow, an Out-of-bounds-Write, and escalation to root by an unprivileged user (low)
Description:
https://nvd.nist.gov/vuln/detail/CVE-2021-33909
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.240
https://www.linuxkernelcves.com/cves/CVE-2021-33909
Fixed in:
V7.04.008 MBGID-6050 and V6.24.029 MBGID-9344
Notice:
Because of the shell access this vulnerability requires, only superusers are able to exploit this. A superuser would not benefit significantly from this vulnerability, so Meinberg has classified this vulnerability as “low severity”.
- OpenSSL-1.1.1l:
- CVE-2021-3711 - SM2 Decryption Buffer Overflow (high)
OpenSSL-1.1.1k security advisory:
https://www.openssl.org/news/secadv/20210824.txt
Fixed in:
V7.04.008 MBGID-6712 and V6.24.029 MBGID-9360
- CVE-2021-3712 - Read buffer overruns processing ASN.1 strings (medium)
OpenSSL-1.1.1k security advisory:
https://www.openssl.org/news/secadv/20210824.txt
Fixed in:
V7.04.008 MBGID-6712 and V6.24.029 MBGID-9360
- LTOS Web Interface:
- User Management:
- CVE-2021-46903 - Denial of Service caused by deletion of system accounts (low)
An admin user was able to delete accounts that are essential for the operation of the device (detected by milCERT Austria).
Fixed in:
V7.04.008 MBGID-6303 and V6.24.029 MBGID-9343
Workaround:
Revoke access of admin users.
- Configuration & Firmware Management:
- CVE-2021-46902 - Incorrect path validation of the configuration save and delete function (medium)
An admin user was able to delete or inspect forbidden files using the Configuration & Firmware Management (detected by milCERT Austria).
Fixed in:
V7.04.008 MBGID-6257 and V6.24.029 MBGID-9341
Workaround:
Revoke access of admin users.
- LTOS-Command-Line-Interface:
- Login Function:
- NOCVE - Privilege elevation (high)
Even when "Disable Root Login" is disabled, it was possible to remotely execute arbitrary commands via shell with valid root credentials.
Fixed in:
V7.04.008 MBGID-6571 and V6.24.029 MBGID-9342
Workaround:
Use a very long passphrase for the root account and ensure that it is not saved anywhere. Also, monitor login activity so that root account misuse can be detected.
Systems affected
All LANTIME Firmware versions before V7.04.008 and V6.24.029 are affected by these vulnerabilities. The LANTIME Firmware is used by all LANTIME M Series devices (M100, M200, M300, M400, M600, M900) as well as all LANTIME IMS Series devices (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000 / SF1100 / SF1200).
The extent to which individual device users or LANTIME systems may be affected by these vulnerabilities will depend on the specific configuration, network infrastructure, and other factors. It is therefore not possible to provide a general statement on how vulnerable the systems in service actually are.
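The version rule above can be applied to a device inventory, as in the following added example (not Meinberg code). The hostnames and the inventory format are constructed for illustration; only the two fixed version numbers come from this advisory.

```python
import re

# Fixed releases named in the advisory, as comparable tuples.
FIXED_V7 = (7, 4, 8)    # V7.04.008
FIXED_V6 = (6, 24, 29)  # V6.24.029

_VERSION_RE = re.compile(r"[Vv]?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Turn 'V7.04.007' or '6.24.028' into a tuple such as (7, 4, 7)."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())

def assess(text):
    """Return 'fixed' or 'affected' for one firmware version string."""
    version = parse_version(text)
    if version >= FIXED_V7:
        return "fixed"
    if version[0] == 6 and version >= FIXED_V6:
        return "fixed"
    # Everything else is "before V7.04.008 and V6.24.029" on its branch,
    # including branches older than V6.
    return "affected"

def audit(inventory):
    """Map each host to 'fixed', 'affected' or 'unknown' (unparsable version)."""
    report = {}
    for host, version_text in inventory:
        try:
            report[host] = assess(version_text)
        except ValueError:
            report[host] = "unknown"  # check these devices by hand
    return report

# Constructed inventory: hostnames and the list format are illustrative only.
SAMPLE_INVENTORY = [
    ("ntp-a.example", "V7.04.007"),
    ("ntp-b.example", "V7.04.008"),
    ("ntp-c.example", "6.24.028"),
    ("ntp-d.example", "V6.24.029"),
    ("ntp-e.example", "n/a"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```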
Possible security measures
The security updates are included in LANTIME Firmware version V7.04.008 and V6.24.029. Updating to these versions will eliminate the listed vulnerabilities.
Download the latest LANTIME firmware at:
All updates are now available for Meinberg device users. An update of the LANTIME firmware to version 7.04.008 is recommended. Device users who cannot install 7.04.008 can use version V6.24.029.
Further information
Further details and information are available from the following websites:
If you have any questions or need assistance, please do not hesitate to contact Meinberg Technical Support.
Acknowledgments
We would like to thank all those who have reported vulnerabilities, other errors, and also suggestions for improvements to us.
Many thanks!