News from 2023-01-24
Meinberg Security Advisory: [MBGSA-2023.01] Meinberg-LANTIME-Firmware V7.06.009 and V6.24.035
The LANTIME firmware versions 7.06.009 and 6.24.035 include security updates of various third party libraries and programs. The update V6.24.035 is the last planned update of the LTOS version 6.
It is strongly recommended to upgrade systems that have an installed version 6 to the version 7.06.009 or 7.06.009-light. Meinberg recommends generally updating to LANTIME firmware version 7.06.009.
Estimation of Severity up to and including
-
LANTIME firmware V7.06.007:
severity level critical(0), high (1), medium (0), low (2) -
LANTIME firmware V6.24.034:
severity level critical(0), high (1), medium (0), low (2)
Updated Versions:
- LANTIME firmware: V7.06.009
- LANTIME firmware: V6.24.035
-
Description of the Vulnerabilities
- Third-party software:
- curl:
-
CVE-2022-42915, CVE-2022-42916, CVE-2022-35252, CVE-2022-35260 - HSTS check not correct (high)
https://curl.se/docs/security.htmlFixed in: V7.06.008 MBGID-12415 and V6.24.035 MBGID-9531
Notice: The vulnerability CVE-2022-42915 occurs just if a proxy is used for a curl call with an included scheme dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet.
These schemes are not in use in the LTOS, automatically. The issue could only occur if curl is used manually via command line.
-
CVE-2022-42915, CVE-2022-42916, CVE-2022-35252, CVE-2022-35260 - HSTS check not correct (high)
- sudo:
-
CVE-2022-43995 - Heap-based buffer over-read or buffer overflow (low)
https://www.sudo.ws/releases/stable/Fixed in: V7.06.008 MBGID-12419 and V6.24.035 MBGID-9519
Notice: Severity low, because only a Super-User, that already has the highest privileges, can use sudo.
-
CVE-2022-43995 - Heap-based buffer over-read or buffer overflow (low)
- dbus:
-
CVE-2022-42012, CVE-2022-42011, CVE-2022-42010 - Manipulated messages can cause a crash (low)
https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWSFixed in: V7.06.008 MBGID-12298 and V6.24.035 MBGID-9518
Notice: Severity low, because only a Super-User, that already has the highest privileges, can use d-bus via console.
-
CVE-2022-42012, CVE-2022-42011, CVE-2022-42010 - Manipulated messages can cause a crash (low)
- curl:
-
Systems Affected
All LANTIME firmware versions before V7.06.008 or V6.24.035 respectively are affected by the corresponding vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M150, M200, M250, M300, M320, M400, M450, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000, SF1100, SF1200).
Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.
-
Possible Security Measures
The relevant security updates are included in the LANTIME firmware versions V7.06.009(-light) and V6.24.035. Updating to these versions eliminates the listed vulnerabilities.
Download the latest LANTIME firmware at:
All updates are now available for Meinberg customers. An update of the LANTIME firmware to the version 7.06.009 respectively 7.06.009-light is recommended. Clients who cannot install version 7.06.009 should install V7.06.009-light instead.
-
Further Information
Further details and information are available from the following websites:
If you have any questions or need assistance, please, do not hesitate to contact Meinberg’s technical support team.
-
Acknowledgments
We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.
Thank you! - Third-party software: