News from 2023-03-23
Meinberg Security Advisory: [MBGSA-2023.02] LANTIME-Firmware V7.06.013
Meinberg recommends updating to LANTIME firmware version 7.06.013.
- LANTIME firmware V7.06.011: severity level critical (0), high (3), medium (4), low (1), unknown (3)
- LANTIME firmware V7.06.012: severity level critical (0), high (0), medium (0), low (1), unknown (0)
- LANTIME firmware: V7.06.013
Description of the Vulnerabilities
- Third-party software:
- curl:
CVE-2022-43551 - Another HSTS bypass via IDN (high)
CVE-2022-43552 - HTTP Proxy deny use-after-free (medium)
CVE-2023-23914 - HSTS ignored on multiple requests (unknown)
CVE-2023-23915 - HSTS amnesia with --parallel (unknown)
CVE-2023-23916 - HTTP multi-header compression denial of service (unknown)
https://curl.se/docs/security.html
Fixed in:
V7.06.012 MBGID-13207
- openssl:
CVE-2023-0286 - X.400 address type confusion in X.509 GeneralName (high)
CVE-2022-4304 - Timing Oracle in RSA Decryption (medium)
CVE-2023-0215 - Use-after-free following BIO_new_NDEF (medium)
CVE-2022-4450 - Double free after calling PEM_read_bio_ex (medium)
https://www.openssl.org/news/secadv/20230207.txt
Fixed in:
V7.06.012 MBGID-13137
- libexpat:
CVE-2022-43680 - Fix heap use-after-free after overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate in out-of-memory situations. (high)
https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes
Fixed in:
V7.06.012 MBGID-13174
- sudo:
CVE-2023-22809 - A flaw in sudo's -e option (aka sudoedit) exists that allows a malicious user with sudoedit privileges to edit arbitrary files. (low)
https://www.sudo.ws/security/advisories/sudoedit_any/
Fixed in:
V7.06.012 MBGID-13172
Notice: Severity low, because only a super-user, who already has the highest privileges, can use sudo.
- LTOS web interface:
CVE-2023-1731 - The validation of the filename of the upload function was not correct (low)
The filename of the upload function was not correctly validated. Authenticated users with the highest privileges were able to use this vulnerability to execute code.
Many thanks to Noam Moshe of Claroty for reporting this vulnerability.
Fixed in:
V7.06.013 MBGID-13329
Notice: Severity low, because only a super-user who already has the highest privileges can exploit this vulnerability.
Systems Affected
All LANTIME firmware versions before V7.06.013 are affected by the corresponding vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M150, M200, M250, M300, M320, M400, M450, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000, SF1100, SF1200).
Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.
Possible Security Measures
The relevant security updates are included in the LANTIME firmware versions V7.06.013(-light). Updating to these versions eliminates the listed vulnerabilities.
Download the latest LANTIME firmware at:
All updates are now available for Meinberg customers. An update of the LANTIME firmware to the version 7.06.013 or 7.06.013-light respectively is recommended. Clients who cannot install version 7.06.013 should install V7.06.013-light instead.
Further Information
Further details and information are available from the following websites:
If you have any questions or need assistance, please do not hesitate to contact Meinberg's technical support team.
Acknowledgments
We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.
Thank you!