Meinberg Security Advisory: [MBGSA-2023.04] LANTIME-Firmware V7.08.002

Description of the Vulnerabilities

• Third-party software:
  • OpenSSL:
    • CVE-2023-2650 - Possible DoS translating ASN.1 object identifiers (low)

      https://www.openssl.org/news/secadv/20230530.txt

      Fixed in:
      V7.08.002 MBGID-14187

  • ncurses:
    • CVE-2023-29491 - Memory corruption via malformed data in a terminfo database (high)

      https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56

      Fixed in:
      V7.08.002 MBGID-14155

  • curl:
    • CVE-2023-28322 - more POST-after-PUT confusion (low)
      CVE-2023-28321 - IDN wildcard match (low)
      CVE-2023-28320 - siglongjmp race condition (low)
      CVE-2023-28319 - UAF in SSH sha256 fingerprint check (medium)

      https://curl.se/docs/security.html

      Fixed in:
      V7.08.002 MBGID-14167

  • libssh:
    • CVE-2023-1667 - Potential NULL dereference during rekeying with algorithm guessing (medium)
      https://www.libssh.org/security/advisories/CVE-2023-1667.txt
      
      CVE-2023-2283 - Authorization bypass in pki_verify_data_signaturee (medium)
      https://www.libssh.org/security/advisories/CVE-2023-2283.txt
      
      

      Fixed in:
      V7.08.002 MBGID-14310

  • GnuTLS:
    • CVE-2023-0361 - Timing sidechannel in RSA decryption (medium)

      https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-07-14

      Fixed in:
      V7.08.002 MBGID-14364

• Web-Interface and System:
  • NOCVE - JavaScript Code Injection / XSS in Log File (low)

    Super-User were able to include JavaScript code in the Log-file “lantime_messages“ that would be delivered via web interface.

    Fixed in:
    V7.08.002 MBGID-14449

  • NOCVE - Signatur Bypass (high)

    The signature check of uploaded firmware image files could be bypassed because of performing it too late. The check is now performed as early as possible.

    Fixed in:
    V7.08.002 MBGID-14459

  • NOCVE - Persisted hidden user can be created (low)

    User with a name that consisted of parts of a system username were not displayed in the web interface.

    Fixed in:
    V7.08.002 MBGID-14448

Systems Affected

All LANTIME firmware versions before V7.08.002 are affected by the corresponding vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M150, M200, M250, M300, M320, M400, M450, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000, SF1100, SF1200, SF1500).

Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.

Possible Security Measures

The relevant security updates are included in the LANTIME firmware versions V7.08.002(-light). Updating to these versions eliminates the listed vulnerabilities.

Download the latest LANTIME firmware at:

• Meinberg LANTIME Firmware

All updates are now available for Meinberg customers. An update of the LANTIME firmware to the version 7.08.002 respectively 7.08.002-light is recommended. Clients who cannot install version 7.08.002 should install V7.08.002-light instead.

Further Information

Further details and information are available from the following websites:

• LANTIME firmware changelog: V7.08

If you have any questions or need assistance, please, do not hesitate to contact Meinberg’s technical support team.

Acknowledgments

We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.

Thank you!