News from 2025-11-04
Meinberg Security Advisory: [MBGSA-2025.06] LANTIME-Firmware V7.10.004
Meinberg recommends updating to LANTIME firmware version 7.10.004.
LANTIME Firmware Version 7.10.003:
severity level critical (0), high (4), medium (3), low (3), info (2), unknown (0)
- LANTIME Firmware: V7.10.004
Description of the Vulnerabilities
- Third-Party-Software:
  - OpenSSL:
    - CVE-2025-9230 - Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (medium)
    - CVE-2025-9231 - Fix Timing side-channel in SM2 algorithm on 64-bit ARM. (info)
    - CVE-2025-9232 - Fix Out-of-bounds read in HTTP client no_proxy handling. (low)
    https://openssl-library.org/news/vulnerabilities/index.html
    Fixed in: V7.10.004 MBGID-27569
    Notice: The LANTIME and SyncFire devices are not ARM platforms. Therefore CVE-2025-9231 is not applicable to LANTIME and SyncFire devices.
  - libexpat:
    - CVE-2025-59375 - Start tracking and limiting use of dynamic memory (high)
    https://github.com/libexpat/libexpat/pull/1034
    https://nvd.nist.gov/vuln/detail/CVE-2025-59375
    Fixed in: V7.10.004 MBGID-27412
  - libcurl:
    - CVE-2025-10148 - predictable WebSocket mask (low)
    - CVE-2025-9086 - Out of bounds read for cookie path (low)
    https://curl.se/docs/security.html
    Fixed in: V7.10.004 MBGID-27411
  - libssh:
    - CVE-2025-8114 - NULL Pointer Dereference in libssh KEX Session ID Calculation (medium)
    https://access.redhat.com/security/cve/cve-2025-8114
    Fixed in: V7.10.004 MBGID-27410
  - libxml2:
    - CVE-2025-49794 - Heap use after free (UAF) leads to Denial of service (DoS) (high)
      https://access.redhat.com/security/cve/cve-2025-49794
    - CVE-2025-49795 - Null pointer dereference leads to Denial of service (DoS) (high)
      https://access.redhat.com/security/cve/cve-2025-49795
    - CVE-2025-49796 - Type confusion leads to Denial of service (DoS) (high)
      https://access.redhat.com/security/cve/cve-2025-49796
    - CVE-2025-6170 - Stack Buffer Overflow in xmllint Interactive Shell Command Handling (info)
      https://access.redhat.com/security/cve/cve-2025-6170
    - CVE-2025-6021 - Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 (medium)
      https://access.redhat.com/security/cve/cve-2025-6021
    Fixed in: V7.10.004 MBGID-27409
    Notice: The xml2 library is only used with the IEC61850 daemon ltmms, which is not enabled in the factory default configuration and must be manually enabled before it is used. The command line tool xmllint is not included in LTOS; LTOS is accordingly not affected by the vulnerability CVE-2025-6170.
Systems Affected
All LANTIME firmware versions before 7.10.004 are affected by the corresponding vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M150, M200, M250, M300, M320, M400, M450, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000, SF1100, SF1200, SF1500) and LANTIME CPU Expansions (LCES).
Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.
Possible Security Measures
The relevant security updates are included in LANTIME firmware version 7.10.004. Updating to this version eliminates the listed vulnerabilities.
Download the latest LANTIME firmware at:
All updates are now available for Meinberg customers. An update of the LANTIME firmware to version 7.10.004 is recommended.
Further Information
Further details and information are available from the following website:
If you have any questions or need assistance, please do not hesitate to contact Meinberg’s Technical Support team.
Acknowledgments
We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.
Thank you!
