News from 2025-03-04
Meinberg Security Advisory: [MBGSA-2025.02] LANTIME-Firmware V7.08.021
Meinberg recommends updating to LANTIME firmware version 7.08.021.
- LANTIME firmware: V7.08.020
severity level: critical (0), high (1), medium (6), low (4), info (2), unknown (0)
- LANTIME firmware: V7.08.021
-
Description of the Vulnerabilities
- Third-Party-Software:
- curl:
CVE-2025-0167 - netrc and default credential leak (low)
https://curl.se/docs/CVE-2025-0167.html
CVE-2025-0665 - eventfd double close (low)
https://curl.se/docs/CVE-2025-0665.html
CVE-2025-0725 - gzip integer overflow (info)
https://curl.se/docs/CVE-2025-0725.html
Fixed in: V7.08.021 MBGID-21823
-
- GnuTLS:
CVE-2024-12243 - GnuTLS Impacted by Inefficient DER Decoding in libtasn1 Leading to Remote DoS (medium)
https://access.redhat.com/security/cve/CVE-2024-12243
https://gitlab.com/gnutls/libtasn1/-/issues/52
Fixed in: V7.08.021 MBGID-21886
-
- ProFTPD:
CVE-2024-57392 - Buffer Overflow in ProFTPD (medium)
https://access.redhat.com/security/cve/CVE-2024-57392
https://github.com/proftpd/proftpd/commit/9b2b4a3e32d251798bf8fa841b124ab15ba58f11
Fixed in: V7.08.021 MBGID-21863
Notice: This vulnerability has not yet been addressed in any release of the ProFTPD project. The ProFTPD version reported in LANTIME firmware version 7.08.021 is still 1.3.8, although commit 9b2b4a3e32d251798bf8fa841b124ab15ba58f11 is included in the binary.
-
- less:
CVE-2024-32487 - OS command injection (low)
https://access.redhat.com/security/cve/cve-2024-32487
Fixed in: V7.08.021 MBGID-21117
Notice: Since less can only be accessed by users with all rights, exploiting this vulnerability can “only” obfuscate the culprit.
-
- rsync:
CVE-2024-12084 - heap-based buffer overflow in rsync daemon (info)
https://access.redhat.com/security/cve/cve-2024-12084
CVE-2024-12085 - Info Leak via Uninitialized Stack Contents (high)
https://access.redhat.com/security/cve/cve-2024-12085
CVE-2024-12086 - rsync server leaks arbitrary client files (medium)
https://access.redhat.com/security/cve/CVE-2024-12086
CVE-2024-12087 - Path traversal vulnerability in rsync (medium)
https://access.redhat.com/security/cve/cve-2024-12087
CVE-2024-12088 - safe-links option bypass leads to path traversal (medium)
https://access.redhat.com/security/cve/cve-2024-12088
CVE-2024-12747 - Race Condition in rsync Handling Symbolic Links (medium)
https://access.redhat.com/security/cve/CVE-2024-12747
Fixed in: V7.08.021 MBGID-21695
Notice: The CVE-2024-12084 vulnerability refers to the rsync daemon, which is not included in the LANTIME firmware.
-
- OpenSSL:
CVE-2024-13176 - Timing side-channel in ECDSA signature computation (low)
https://openssl-library.org/news/secadv/20250120.txt
Fixed in: V7.08.021 MBGID-21800
-
Systems Affected
All LANTIME firmware versions before 7.08.021 are affected by the corresponding vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M150, M200, M250, M300, M320, M400, M450, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000, SF1100, SF1200, SF1500) and LANTIME CPU Expansions (LCES).
Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.
-
Possible Security Measures
The relevant security updates are included in the LANTIME firmware versions 7.08.021(-light). Updating to these versions eliminates the listed vulnerabilities.
Download the latest LANTIME firmware at:
All updates are now available for Meinberg customers. Updating the LANTIME firmware to version 7.08.021 or 7.08.021-light is recommended. Clients who cannot install version 7.08.021 should install version 7.08.021-light instead.
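An added example, not Meinberg's code: it classifies scanner findings for a LANTIME fleet by comparing each firmware string numerically against 7.08.021 and applying the advisory's two notices (the rsync daemon is not shipped; ProFTPD still reports 1.3.8 after the fix). Host names, inventory rows and status labels are constructed assumptions.

```python
import re

FIXED = (7, 8, 21)  # first fixed LANTIME firmware per MBGSA-2025.02

# CVE -> component, as listed in the advisory.
ADVISORY_CVES = {
    "CVE-2025-0167": "curl", "CVE-2025-0665": "curl", "CVE-2025-0725": "curl",
    "CVE-2024-12243": "GnuTLS", "CVE-2024-57392": "ProFTPD",
    "CVE-2024-32487": "less", "CVE-2024-13176": "OpenSSL",
    "CVE-2024-12084": "rsync", "CVE-2024-12085": "rsync", "CVE-2024-12086": "rsync",
    "CVE-2024-12087": "rsync", "CVE-2024-12088": "rsync", "CVE-2024-12747": "rsync",
}
NOT_SHIPPED = {"CVE-2024-12084"}  # rsync daemon is not part of the firmware

def parse_version(text):
    """Return (major, minor, patch) from 'V7.08.021', '7.08.021-light', ..."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)(-light)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3))

def triage(firmware, cve):
    """Classify one scanner finding against the advisory."""
    if cve not in ADVISORY_CVES:
        return "not-in-advisory"
    if cve in NOT_SHIPPED:
        return "not-applicable"
    try:
        fixed = parse_version(firmware) >= FIXED
    except ValueError:
        return "unknown-version"  # never treat an unparsable version as safe
    return "fixed" if fixed else "update-required"

# Constructed sample: (host, firmware string, CVE reported by a scanner)
FINDINGS = [
    ("ntp-a", "V7.08.020", "CVE-2024-12085"),
    ("ntp-b", "7.08.021-light", "CVE-2024-57392"),  # banner still says 1.3.8
    ("ntp-c", "7.06.014", "CVE-2024-12084"),
    ("ntp-d", "unknown", "CVE-2024-12243"),
]

def report(findings=FINDINGS):
    return {(host, cve): triage(fw, cve) for host, fw, cve in findings}

if __name__ == "__main__":
    for (host, cve), status in report().items():
        print(f"{host:6} {cve:15} {ADVISORY_CVES.get(cve, '?'):8} {status}")
```

The "fixed" result for CVE-2024-57392 rests on the firmware version, not the ProFTPD banner, which is why a banner-based scanner keeps flagging patched units.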
-
Further Information
Further details and information are available from the following website:
If you have any questions or need assistance, please do not hesitate to contact Meinberg’s technical support team.
-
Acknowledgments
We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.
Thank you!
