Meinberg Security Advisory [MBGSA-1701]: LTOS6 Web Interface

Jakub Palaczynski, an independent IT security researcher, reported three vulnerabilities concerning the web user interface of Meinberg devices running on LTOS6 firmware. These vulnerabilities have been fixed in the latest Meinberg stable LTOS6 firmware release 6.24.004 that is available as a free update for all Meinberg customers according to the Meinberg free lifetime security update approach.

Additionally we have received a bug report from Mr. Johannes Weber describing a problem with the “auto generate NTP keys” function of the webUI.

CVE-IDs: CVE-2017-16786 | CVE-2017-16787 | CVE-2017-16788

[1] Description of the problem:

CVE-2017-1678: Arbitrary File Read
Due to a misconfigured web server access control list, it was possible for an authenticated user to request the content of arbitrary files, including files that contained (encrypted) security relevant data.

CVE-2017-16787: Failure to restrict URL access (ex. Direct Object Reference)
HTTP/HTTPS requests allowed to directly access files inside the web server document root directory without authentication, allowing an attacker to read statistical data and statistical graphs without having to provide valid credentials.

CVE-2017-16788: Arbitrary File Upload
An authenticated user was able to upload arbitrary files and, by utilizing a missing parameter validation check, was able to place uploaded files in an arbitrary location using a path traversal method.

NO-CVE: Automatic NTP Key Generation Bug
When using the automatic NTP key generation functionality, older versions of the LTOS6 firmware appended newly created keys to the NTP keys file without checking if the key numbers have been already used in the same file, allowing the existing keys to still be used.

[2] Affected Systems:
This bug affects all LTOS6 firmware releases before 6.24.004, which is available for all Meinberg LANTIME M-Series devices (M100, M200, M300, M400, M600, M900) as well as all IMS Series devices (M500, M1000, M1000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000 / SF1100).

[3] Possible Defense Strategies:
All three vulnerabilities are fixed in firmware release 6.24.004 which is available as a free download for Meinberg customers on the company’s website.

Meinberg strongly recommends updating all affected systems as soon as possible.

[4] Additional Information Sources:

[5] Acknowledgements:
These three vulnerabilities have been reported by Jakub Palaczynski who worked closely with Meinberg to verify the issues and helped testing fixes. We also thank Mr. Johannes Weber for the error report on the automatic generation of NTP keys.

Thank you!