News from 2022-08-02


Meinberg Security Advisory: [MBGSA-2022.03] Meinberg LANTIME Firmware V7.06.004 and V6.24.033



The LANTIME Firmware Versions 7.06.004 and 6.24.033 include security updates of the third-party programs curl and openssl. In addition, a vulnerability has been fixed that allowed local user names to be determined.

Meinberg recommends updating to LANTIME Firmware Version 7.06.004.


Estimation of Severity up to and including:

  • LANTIME Firmware V7.06.003:
    severity level high (0), medium (0), low (0), info (0)
  • LANTIME Firmware V7.06.002:
    severity level high (0), medium (0), low (1), info (0)
  • LANTIME Firmware V7.06.001:
    severity level high (0), medium (1), low (1), info (0)
  • LANTIME Firmware V7.04.018:
    severity level high (0), medium (1), low (2), info (1)
  • LANTIME Firmware V6.24.032:
    severity level high (0), medium (1), low (2), info (1)

Updated Versions:

  • LANTIME Firmware: V7.06.004
  • LANTIME Firmware: V6.24.033

  1. Description of the Vulnerabilities

    • Third-party software:
      • OpenSSL-1.1.1:
        • CVE-2022-2068 - The c_rehash script does not correctly clean meta shell characters (info)

          OpenSSL-1.1.1p security advisory:
          https://www.openssl.org/news/vulnerabilities.html
          The c_rehash script is not installed in LTOS. LTOS is therefore not affected by this vulnerability, and the severity of the vulnerability is thus marked as informational.

        • CVE-2022-2097 - AES OCB fails to encrypt some bytes (low)

          OpenSSL-1.1.1q security advisory:
          https://www.openssl.org/news/vulnerabilities.html
          AES OCB mode is not used by LTOS for any standard functionality. Nevertheless, it is possible that an end user might use AES OCB mode for a customized openssl call. This vulnerability is therefore rated as low severity for LTOS.

          Fixed in: V7.06.003 MBGID-11452 and V6.24.033 MBGID-9408

      • curl:
        • CVE-2022-32208, CVE-2022-32207, CVE-2022-32206, CVE-2022-32205, CVE-2022-30115, CVE-2022-27782, CVE-2022-27781, CVE-2022-27780, CVE-2022-27779, CVE-2022-27778, CVE-2022-27776, CVE-2022-27775, CVE-2022-27774 - Various security vulnerabilities (medium)

          curl security advisory:
          https://curl.se/docs/security.html

          Fixed in:
          V7.06.002 MBGID-11342 and V6.24.033 MBGID-9405

    • LANTIME OS:
      • User Login:
        • NOCVE - User enumeration via login attempts (low)

          The difference in the time taken to process logon attempts with an existing username versus logon attempts with a non-existent username may enable identification of valid usernames.

          Fixed in:
          V7.06.001 MBGID-11020 and V6.24.033 MBGID-9406

  2. Systems Affected

    All LANTIME Firmware Versions before V7.06.003 or V6.24.033 respectively are affected by the corresponding vulnerabilities. The LANTIME Firmware is used by all devices of the LANTIME M series (M100, M200, M300, M400, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000 / SF1100 / SF1200).

    Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.

  3. Possible Security Measures

    The relevant security updates are included in the LANTIME Firmware Versions v7.06.004(-light) and v6.24.033. Updating to these versions eliminates the listed vulnerabilities. Download the latest LANTIME Firmware at:

    All updates are now available for Meinberg customers. Updating the LANTIME Firmware to v7.06.004 or v7.06.004-light is recommended. Clients who cannot install v7.06.004 should install v7.06.004-light instead.

  4. Further Information

    Further details and information are available from the following websites and documents:

    If you have any questions or need assistance, please do not hesitate to contact Meinberg’s Technical Support team.

  5. Acknowledgments

    We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and also those who have suggested improvements to us.
    Thank you!
