List of all published Meinberg Security Advisories.
2024-04-24 Meinberg Security Advisory: [MBGSA-2024.03] LANTIME-Firmware V7.08.010
The LANTIME firmware version 7.08.010 includes security updates of various third party libraries and programs.
Meinberg recommends updating to LANTIME firmware version 7.08.010.

2024-02-27 Meinberg Security Advisory: [MBGSA-2024.02] LANTIME-Firmware V7.08.009
The LANTIME firmware version 7.08.009 includes security updates of various third party libraries and programs.
Meinberg recommends updating to LANTIME firmware version 7.08.009.

2024-01-31 Meinberg Security Advisory: [MBGSA-2024.01] LANTIME-Firmware V7.08.007
The LANTIME firmware version 7.08.007 includes security updates of various third party libraries and programs.
Meinberg recommends updating to LANTIME firmware version 7.08.007.

2023-10-26 Meinberg Security Advisory: [MBGSA-2023.05] LANTIME-Firmware Version 7.08.004
The LANTIME firmware version 7.08.004 includes security updates of various third party libraries and programs. In addition, this update fixes further vulnerabilities of the LANTIME OS that are listed in this advisory.
Meinberg recommends updating to LANTIME firmware version 7.08.004.

2023-08-16 Meinberg Security Advisory: [MBGSA-2023.04] LANTIME-Firmware V7.08.002
The LANTIME firmware version 7.08.002 includes security updates of various third party libraries and programs.
In addition, this update fixes further vulnerabilities of the LANTIME OS that are listed in this advisory.
Meinberg recommends updating to LANTIME firmware version 7.08.002.

2023-05-23 Meinberg Security Advisory: [MBGSA-2023.03] LANTIME Firmware V7.06.014
The LANTIME firmware version 7.06.014 includes security updates of various third party libraries and programs.
Meinberg recommends updating to LANTIME firmware version 7.06.014.

2023-04-13 Statement on NTP Vulnerabilities Reported on April 12, 2023
Update 4/14/2023, 11:00 AM CEST: Please note that the ntpq implementation in LTOS, meinbergOS, and NTP for Windows as distributed by Meinberg is affected by these vulnerabilities, but there is no risk as long as ntpq is not used to manually query NTP servers over an insecure connection such as the internet. Meinberg devices running LTOS or meinbergOS do not query any remote server using ntpq in any automated fashion.
If users must use ntpq to query servers over such an insecure connection, the recommended workaround is to pass -c raw to ntpq.
For example, to query the list of peers using ntpq, enter:
    ntpq -c raw -c peers
This ensures that the data returned by the ntpd instance of the queried server is not formatted by ntpq, thus bypassing the vulnerable function entirely.
Many thanks to Miroslav Lichvar for this tip.
LTOS and meinbergOS security updates will be issued and Meinberg's NTP for Windows package will be updated accordingly once the NTP Project has released its update.
Update 4/13/2023, 5:30 PM CEST: The Federal Office for Information Security (BSI) has lowered the classification to "medium" following a review of the report and has eliminated the risk of a remote attack in the process. Meinberg's own analysis has come to a similar conclusion that the vulnerabilities are non-critical and can be fixed quickly.

2023-03-23 Meinberg Security Advisory: [MBGSA-2023.02] LANTIME-Firmware V7.06.013
The LANTIME firmware version 7.06.013 includes security updates of various third party libraries and programs.
Meinberg recommends updating to LANTIME firmware version 7.06.013.

2023-01-24 Meinberg Security Advisory: [MBGSA-2023.01] Meinberg-LANTIME-Firmware V7.06.009 and V6.24.035
The LANTIME firmware versions 7.06.009 and 6.24.035 include security updates of various third party libraries and programs. The update V6.24.035 is the last planned update of the LTOS version 6.
It is strongly recommended to upgrade systems that have version 6 installed to version 7.06.009 or 7.06.009-light. Meinberg generally recommends updating to LANTIME firmware version 7.06.009.

2022-10-19 Meinberg Security Advisory: [MBGSA-2022.04] Meinberg-LANTIME-Firmware V7.06.007 and V6.24.034
The LANTIME firmware versions 7.06.007 and 6.24.034 include security updates of the third party library zlib and the program rsync. Meinberg recommends updating to LANTIME firmware version 7.06.007.

2022-08-02 Meinberg Security Advisory: [MBGSA-2022.03] Meinberg LANTIME Firmware V7.06.004 and V6.24.033
The LANTIME Firmware Versions 7.06.004 and 6.24.033 include security updates of the third-party programs curl and openssl. In addition, a vulnerability has been fixed that allowed local user names to be determined.
Meinberg recommends updating to LANTIME Firmware Version 7.06.004.

2022-05-23 Meinberg Security Advisory: [MBGSA-2022.02] Meinberg LANTIME Firmware V7.04.017 and V6.24.032
The LANTIME Firmware Versions 7.04.017 and 6.24.032 include security updates for the OpenSSL and zlib libraries.
Meinberg recommends updating to LANTIME Firmware Version 7.04.017.

2022-04-05 Meinberg Security Advisory: [MBGSA-2022.01] Meinberg-LANTIME-Firmware V7.04.015 and V6.24.030
The LANTIME firmware versions 7.04.015 and 6.24.030 include security updates of the OpenSSL and Expat libraries. Version 7.04.015 also includes changes to the LTOS REST API to fix the vulnerabilities mentioned in this advisory.
Meinberg recommends updating to LANTIME firmware version 7.04.015.

2021-12-13 Meinberg LANTIME and microSync Systems not at Risk from Log4j Security Exploit
In light of the higher than usual number of inquiries from our customers, we would like to inform all those concerned that no LANTIME or microSync product is affected by the zero-day vulnerability recently identified in the Log4j Java library. There is therefore no need for any security-related measures for these Meinberg products.

2021-11-15 Meinberg Security Advisory: [MBGSA-2021.03] Meinberg-LANTIME-Firmware V7.04.008 and V6.24.029
The LANTIME Firmware versions 7.04.008 and 6.24.029 include updates to the kernel, software tools, and changes to the Meinberg LTOS Web Interface to fix the vulnerabilities mentioned in this advisory.
Meinberg recommends updating to LANTIME Firmware version 7.04.008.

2021-04-20 Meinberg Security Advisory: [MBGSA-2021.02] Meinberg-LANTIME-Firmware V7.02.003 and V6.24.028
LANTIME firmware versions 7.02.003 and 6.24.028 now include updates of OpenSSL, sudo and the Meinberg LTOS web interface to fix the vulnerabilities mentioned in this advisory.
Meinberg recommends updating to LANTIME firmware version 7.02.003.

2021-01-04 Meinberg Security Advisory: [MBGSA-2021.01] Meinberg LANTIME firmware V7.00.014 and V6.24.027
LANTIME firmware versions 7.00.014 and 6.24.027 now include an update of OpenSSL (1.1.1i) to fix the vulnerability mentioned in this advisory.
Meinberg recommends updating to LANTIME firmware version 7.00.014.

2020-08-10 Meinberg Security Advisory: [MBGSA-2020.02] Meinberg-LANTIME-Firmware V7.00.010 and V6.24.026
The LANTIME firmware versions 7.00.010 and 6.24.026 contain an update of the ntp software (ntp-4.2.8p15) due to a vulnerability that was found. Furthermore, this security advisory contains a summary of further vulnerabilities fixed in the last LTOS versions.
An update of the LANTIME firmware to version 7.00.010 is recommended.

2020-01-30 Meinberg Security Advisory: [MBGSA-2001] Meinberg-LANTIME-Firmware V7 and V6
LANTIME Firmware Version 6.24.024 includes an update (e.g. back port) for the correction of security vulnerabilities which have already been corrected in LANTIME Firmware Version 7.00.002. In addition to the back ports, two new fixes are also included in V7.00.006 and V6.24.024.

2019-12-09 Meinberg Security Advisory: [MBGSA-1904] SyncBox PTP/PTPv2
The SyncBox/PTP and SyncBox/PTPv2 firmware was shipped with preconfigured SSH keys. For this reason, a tool has been developed to automatically regenerate SSH keys and remove old and authorized keys. Importing the tool using the update functionality regenerates all SSH host keys. As a result, the next SSH login attempt to a SyncBox produces a warning that the host key has changed.

2019-11-21 Meinberg Security Advisory: [MBGSA-1903] Meinberg LANTIME Firmware V7
An error in the initial generation of SSH keys in LANTIME firmware versions 7.00.001 to 7.00.003 has been detected and resolved. LANTIME firmware version 7.00.004 therefore includes a revised function for key generation. Updated or manually generated SSH keys are not affected. Some included tools with vulnerabilities have also been updated to the latest version.

2019-10-16 Meinberg Security Advisory: [MBGSA-1902] Meinberg LANTIME Firmware V7
Potential security problems were detected in LANTIME firmware versions up to and including 6.24.023 and removed. Therefore, the LANTIME firmware version 7.00.002 contains a broad rework of the web interface, installed programs and provided services.

2019-03-18 Meinberg Security Advisory: [MBGSA-1901] NTP and OpenSSL for LANTIME firmware and NTP for Windows
Potential security problems were detected in NTP 4.2.8p12 as well as in OpenSSL 1.0.2q and removed. Therefore, the LANTIME firmware version 6.24.021 and NTP for Windows ntp-4.2.8p13 contain the latest NTP (4.2.8p13) and OpenSSL (1.0.2r) versions.

2018-12-03 Meinberg Security Advisory [MBGSA-1803]: OpenSSH and OpenSSL for LANTIME OS
Several security vulnerabilities were detected in OpenSSH 7.4p1 as well as in OpenSSL 1.0.2p and removed. Therefore, the LANTIME firmware version 6.24.016 or later contains the latest OpenSSH and OpenSSL versions, in order to remove the security problems.

2018-09-27 Meinberg Security Advisory [MBGSA-1802] NTP Critical rated and OpenSSL for LANTIME 6.24.015
Recently, several security vulnerabilities were detected in NTP ntp-4.2p11 as well as in OpenSSL 1.0.2o and removed. Therefore, the LANTIME firmware version 6.24.015 contains the latest NTP and OpenSSL versions, in order to remove the security problems.

2018-01-16 Meinberg Security Advisory [MBGSA-1801]: Spectre and Meltdown
A team of cybersecurity researchers found critical vulnerabilities in modern processors, allowing programs to access data of other processes and therefore potentially retrieve private information like access credentials, emails, instant messages or business data. According to processor manufacturers, most of the CPUs used in computers, mobile devices and embedded systems are affected.

2017-12-13 Meinberg Security Advisory [MBGSA-1701]: LTOS6 Web Interface
Jakub Palaczynski, an independent IT security researcher, reported three vulnerabilities concerning the web user interface of Meinberg devices running on LTOS6 firmware. These vulnerabilities have been fixed in the latest Meinberg stable LTOS6 firmware release 6.24.004 that is available as a free update for all Meinberg customers according to the Meinberg free lifetime security update approach.
Additionally, we have received a bug report from Mr. Johannes Weber describing a problem with the “auto generate NTP keys” function of the webUI.

2016-12-15 The Leap Second is Coming - Are You Ready?
At the end of this month a leap second will be inserted. Time to check once more if your systems are ready for it.

2016-11-21 Meinberg Security Advisory: [MBGSA-1605] NTP and others
The Network Time Foundation released a new version of NTP which addresses a number of security vulnerabilities. This new NTP version 4.2.8p9 has been included in the latest Meinberg LTOS6 release together with a number of other security fixes addressing vulnerabilities in the Linux kernel as well as OpenSSH and OpenSSL.

2016-08-05 Leap Second 2016: Important Information for Meinberg Customers
On July 6th, 2016 the IERS announced in their Bulletin C publication that a leap second will be inserted at the end of December. For users of NTP (and other time synchronization technologies) there are a number of things that should be checked in order to prepare for this event.

2016-06-28 Meinberg Security Advisory: [MBGSA-1604] WebUI and NTP
Independent researcher Ryan Wincey has identified security vulnerabilities in Meinberg's LTOS6 web user interface.
The issues have been reported to Meinberg by the security researcher, triggering immediate action on the vendor's side. In close cooperation with Mr. Wincey, the Meinberg software R&D team identified the problem and created a fix for it. Shortly afterwards the Network Time Foundation released NTP 4.2.8p8, fixing one high and four low severity vulnerabilities in the reference implementation of NTP.

2016-05-19 Meinberg Security Advisory: [MBGSA-1603] OpenSSL
The OpenSSL project published a security advisory on May 3rd, 2016 describing multiple vulnerabilities affecting OpenSSL 1.0.2g and older versions. LANTIME Firmware Version 6.18.017 therefore updates the OpenSSL version to 1.0.2h, the current stable version as recommended by the OpenSSL project.

2016-04-29 Meinberg Security Advisory: [MBGSA-1602] NTP and OpenSSL
The Public NTP Services Project (www.ntp.org) announced that the current versions of the reference implementation of NTP contain a number of security-related bugs that affect all NTP 4.x versions before ntp-4.2.8p7, which has been released this week. The new LANTIME firmware release 6.18.016 includes NTP 4.2.8p7.
The OpenSSL project announced that a security vulnerability exists in OpenSSL 1.0.2f and older versions. LANTIME Firmware Version 6.18.016 therefore also includes OpenSSL 1.0.2g to address these vulnerabilities.

2016-01-15 Meinberg Security Advisory: [MBGSA-1601] NTP and OpenSSH
The Public NTP Services Project (www.ntp.org) announced that the current versions of the reference implementation of NTP contain a number of security-related bugs that affect all NTP 4.x versions before ntp-4.2.8p5, which has been released this week. The new LANTIME firmware release 6.18.013 includes NTP 4.2.8p5.
The OpenSSH project announced that a security vulnerability exists in OpenSSH-7.1p1 and older versions. The OpenSSH security vulnerability, also known as "Triple Seven", does not concern the SSHd implementation of MEINBERG LANTIME systems, since the affected part of the program is not included.

2015-10-21 Meinberg Security Advisory: [MBGSA-1502] NTP Vulnerabilities, OpenSSL and OpenSSH Updates
The Public NTP Services Project (www.ntp.org) announced that the current versions of the reference implementation of NTP contain a number of security-related bugs that affect all NTP 4.x versions before ntp-4.2.8p4, which has been released today.
The new LANTIME firmware release 6.18.007 includes NTP 4.2.8p4 and also updates the OpenSSL version to 1.0.2d, the latest available stable and secure SSL version. In addition to this, the OpenSSH version has also been updated to the latest stable version OpenSSH 7.1, fixing a number of vulnerabilities.

2015-06-04 Leapsecond 2015: Recommended Updates for LANTIME Products
Meinberg carries out leapsecond tests on a regular basis and found out recently that the handling of leapsecond events by NTP is incorrect in some cases. On systems that are configured to use a leapsecond file and on which the leapsecond file is expired, an update is mandatory to ensure the proper handling of the upcoming leapsecond at the end of this month.

2015-03-25 Leap Second 2015: Important Information for Meinberg Customers
Early in 2015 the IERS announced in their Bulletin C publication that a leap second will be inserted at the end of June. For users of NTP (and other time synchronization technologies) there are a number of things that should be checked in order to prepare for this event.

2015-03-06 Meinberg Security Advisory: [MBGSA-1501] NTP, OpenSSL and GLIBC Vulnerabilities
The Public NTP Services Project (www.ntp.org) announced recently that the current versions of the reference implementation of NTP contain a number of security-related bugs that affect all NTP 4.x versions.
The OpenSSL project released OpenSSL Version 0.9.8ze to address a number of vulnerabilities.
In addition, Qualys and others released security advisories regarding a vulnerability in the GNU C library (glibc), and another vulnerability in glibc was published on Feb 24, 2015 by US-CERT.

2014-12-22 Meinberg Security Advisory: [MBGSA-1405] Multiple NTP Vulnerabilities
The Public NTP Services Project (www.ntp.org) announced on Dec 19th that the current versions of the reference implementation of NTP contain a number of security related bugs that affect all NTP 4.x versions.

2014-10-02 Meinberg Security Advisory: [MBGSA-1404] LANTIME Web Interface Cross Site Scripting Vulnerability
The National Cybersecurity and Communications Integrations Center (NCCIC) received a report from a Meinberg customer that the web user interface of Meinberg LANTIME network timeserver products is vulnerable to so-called cross-site scripting (XSS) attacks.

2014-10-01 Meinberg Security Advisory: [MBGSA-1403] GNU Bash Environmental Variable Command Injection Vulnerability
Multiple vulnerabilities in the GNU Bash command-line shell allow the unauthorized execution of arbitrary shell commands by crafting a special definition of a shell environment variable and/or shell function. The Bash versions used in Meinberg LANTIME V4.x, V5.x and V6.x firmware versions are affected.

2014-06-10 Meinberg Security Advisory: [MBGSA-1402] Multiple OpenSSL Vulnerabilities
The OpenSSL vulnerabilities recently published by the OpenSSL project as well as the so-called Heartbleed bug in the SSL libraries have been fixed for LANTIME firmware versions V5 and V6. The latest firmware releases contain the patched OpenSSL library version 0.9.8za and can be requested by customers using the Meinberg LANTIME firmware request web page.

2014-01-09 Meinberg Security Advisory: [MBGSA-1401] NTP Monlist Network Traffic Amplification Attacks
A number of reports have been published recently, describing an increased level of abuse of the NTP "monlist" feature that is supported by NTP versions up to 4.2.7p26 and can affect Meinberg LANTIME products as well. Protecting your NTP servers against this abuse is relatively easy and can be achieved with a simple configuration change.