News from 2023-01-24


Meinberg Security Advisory: [MBGSA-2023.01] Meinberg-LANTIME-Firmware V7.06.009 and V6.24.035



The LANTIME firmware versions 7.06.009 and 6.24.035 include security updates of various third-party libraries and programs. The update V6.24.035 is the last planned update of LTOS version 6.

It is strongly recommended to upgrade systems that have version 6 installed to version 7.06.009 or 7.06.009-light. Meinberg generally recommends updating to LANTIME firmware version 7.06.009.


Estimation of Severity up to and including

  • LANTIME firmware V7.06.007:
    severity level critical (0), high (1), medium (0), low (2)
  • LANTIME firmware V6.24.034:
    severity level critical (0), high (1), medium (0), low (2)

Updated Versions:

  • LANTIME firmware: V7.06.009
  • LANTIME firmware: V6.24.035

  1. Description of the Vulnerabilities

    • Third-party software:
      • curl:
        • CVE-2022-42915, CVE-2022-42916, CVE-2022-35252, CVE-2022-35260 - HSTS check not correct (high)
          https://curl.se/docs/security.html

          Fixed in: V7.06.008 MBGID-12415 and V6.24.035 MBGID-9531

          Notice: The vulnerability CVE-2022-42915 occurs only if a proxy is used for a curl call with one of the schemes dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet.

          LTOS does not use these schemes automatically. The issue could only occur if curl is invoked manually on the command line.

      • sudo:
        • CVE-2022-43995 - Heap-based buffer over-read or buffer overflow (low)
          https://www.sudo.ws/releases/stable/

          Fixed in: V7.06.008 MBGID-12419 and V6.24.035 MBGID-9519

          Notice: Severity low, because only a Super-User, who already has the highest privileges, can use sudo.

      • dbus:
        • CVE-2022-42012, CVE-2022-42011, CVE-2022-42010 - Manipulated messages can cause a crash (low)
          https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS

          Fixed in: V7.06.008 MBGID-12298 and V6.24.035 MBGID-9518

          Notice: Severity low, because only a Super-User, who already has the highest privileges, can use D-Bus via the console.

    • Systems Affected

      All LANTIME firmware versions before V7.06.008 or V6.24.035 respectively are affected by the corresponding vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M150, M200, M250, M300, M320, M400, M450, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000, SF1100, SF1200).

      Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.

    • Possible Security Measures

      The relevant security updates are included in the LANTIME firmware versions V7.06.009(-light) and V6.24.035. Updating to these versions eliminates the listed vulnerabilities.

      Download the latest LANTIME firmware at:

      All updates are now available for Meinberg customers. Updating the LANTIME firmware to version 7.06.009 or 7.06.009-light is recommended. Clients who cannot install version 7.06.009 should install V7.06.009-light instead.

    • Further Information

      Further details and information are available from the following websites:

      If you have any questions or need assistance, please do not hesitate to contact Meinberg’s technical support team.

    • Acknowledgments

      We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.

      Thank you!
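
Added example (not part of Meinberg's advisory): a Python triage of a device inventory against the fixed-in versions stated under "Systems Affected" (V7.06.008 for version 7, V6.24.035 for version 6 and older). The hostnames, the accepted version-string format (optional "V" prefix, optional "-light" suffix) and the handling of branches newer than 7 as "unknown" are assumptions.

```python
import re

# Fixed-in versions as stated in the advisory: V7.06.008 and V6.24.035.
FIXED_V7 = (7, 6, 8)
FIXED_V6 = (6, 24, 35)

# Assumed string format: optional "V", three numeric fields, optional "-light".
_VERSION_RE = re.compile(r"^\s*[Vv]?(\d+)\.(\d+)\.(\d+)(-light)?\s*$")


def parse_version(text):
    """Return (major, minor, patch) as integers, e.g. 'V7.06.009-light' -> (7, 6, 9)."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(field) for field in match.groups()[:3])


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one firmware version string."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unknown"
    if version[0] > 7:
        return "unknown"  # assumption: later branches are outside this advisory
    if version[0] == 7:
        return "affected" if version < FIXED_V7 else "fixed"
    # Version 6 and older: affected when before V6.24.035.
    return "affected" if version < FIXED_V6 else "fixed"


def triage(inventory):
    """Group hostnames from {hostname: version string} by classification."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "ntp-a.example": "V7.06.007",
    "ntp-b.example": "7.06.009-light",
    "ntp-c.example": "V6.24.034",
    "ntp-d.example": "6.24.035",
    "ntp-e.example": "unreadable",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" need a manual check of the installed version before they can be ruled in or out.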

