News from 2024-04-24
Meinberg Security Advisory: [MBGSA-2024.03] LANTIME-Firmware V7.08.010
Meinberg recommends updating to LANTIME firmware version 7.08.010.
LANTIME Firmware V7.08.009: severity levels critical (0), high (1), medium (5), low (3), info (2), unknown (0)
Fixed in: LANTIME Firmware V7.08.010
Description of the Vulnerabilities
- Third-Party-Software:
  - curl:
    - CVE-2024-2466 - TLS certificate check bypass with mbedTLS (info - not affected)
      https://curl.se/docs/CVE-2024-2466.html
    - CVE-2024-2398 - HTTP/2 push headers memory-leak (medium)
      https://curl.se/docs/CVE-2024-2398.html
    - CVE-2024-2379 - QUIC certificate check bypass with wolfSSL (info - not affected)
      https://curl.se/docs/CVE-2024-2379.html
    - CVE-2024-2004 - Usage of disabled protocol (low)
      https://curl.se/docs/CVE-2024-2004.html
    Fixed in: V7.08.010 (MBGID-17382)
  - linux-pam:
    - CVE-2024-22365 - pam_namespace: fixed potential local DoS (medium)
      https://github.com/advisories/GHSA-pcmw-6hxc-hqmx
    Fixed in: V7.08.010 (MBGID-17302)
  - gnutls:
    - CVE-2024-28834 - vulnerable to Minerva side-channel information leak (medium)
      https://bugzilla.redhat.com/show_bug.cgi?id=2269228
    - CVE-2024-28835 - potential crash during chain building/verification (medium)
      https://bugzilla.redhat.com/show_bug.cgi?id=2269084
    Fixed in: V7.08.010 (MBGID-17286)
  - shadow:
    - CVE-2023-4641 - possible password leak during passwd(1) change (low)
      https://access.redhat.com/security/cve/CVE-2023-4641
    Fixed in: V7.08.010 (MBGID-17013)
  - libxml2:
    - CVE-2024-25062 - xmlreader: don't expand XIncludes when backtracking (low)
      https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
    Fixed in: V7.08.010 (MBGID-16857)
  - expat:
    - CVE-2023-52426 - Fix issues for compilation with XML_DTD undefined (medium)
      https://github.com/libexpat/libexpat/pull/777
    - CVE-2023-52425 - Speed up parsing of big tokens (high)
      https://github.com/libexpat/libexpat/pull/789
    Fixed in: V7.08.010 (MBGID-16856)
Systems Affected
All LANTIME firmware versions before 7.08.010 are affected by the corresponding vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M150, M200, M250, M300, M320, M400, M450, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000, SF1100, SF1200, SF1500) and LANTIME CPU Expansions (LCES).
Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.
Possible Security Measures
The relevant security updates are included in LANTIME firmware version 7.08.010 and in 7.08.010-light. Updating to one of these versions eliminates the listed vulnerabilities.
Download the latest LANTIME firmware at:
All updates are now available for Meinberg customers. Updating the LANTIME firmware to version 7.08.010 or 7.08.010-light is recommended. Customers who cannot install version 7.08.010 should install version 7.08.010-light instead.
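The affected-version rule above (everything before 7.08.010 is affected; 7.08.010 and 7.08.010-light both carry the fixes) is easy to get wrong when checking a fleet by hand, because LANTIME version fields are zero-padded and the -light variant shares the same number. The following triage helper is an added example and not Meinberg's code; it assumes firmware versions are reported as three dot-separated numeric fields with an optional "-light" suffix, and the hostnames and version strings in the inventory are constructed sample data.

```python
"""Fleet triage helper for the update recommendation in MBGSA-2024.03.
Added example, not Meinberg's own tooling."""
import re

# 7.08.010 from the advisory; the "-light" variant carries the same fixes.
FIXED_VERSION = (7, 8, 10)

# Assumed format: optional leading V, three numeric fields, optional "-light" suffix.
_VERSION_RE = re.compile(r"^[vV]?(\d+)\.(\d+)\.(\d+)(?:-(light))?$")


def parse_lantime_version(text):
    """Return ((major, minor, patch), variant) for strings such as '7.08.009' or 'V7.08.010-light'.

    Raises ValueError on anything else so that unrecognised strings are surfaced
    for manual review instead of being silently treated as patched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised LANTIME firmware version: {text!r}")
    # int() discards the zero padding, so '7.08.010' and '7.8.10' compare equal.
    nums = tuple(int(p) for p in m.group(1, 2, 3))
    return nums, (m.group(4) or "full")


def is_affected(version_text):
    """True when the firmware predates 7.08.010 and therefore lacks the listed fixes."""
    nums, _variant = parse_lantime_version(version_text)
    return nums < FIXED_VERSION


def triage(inventory):
    """inventory: iterable of (hostname, version string). Returns (hostname, version, status) rows."""
    rows = []
    for host, ver in inventory:
        try:
            status = "UPDATE REQUIRED" if is_affected(ver) else "ok"
        except ValueError:
            status = "UNKNOWN VERSION - check manually"
        rows.append((host, ver, status))
    return rows


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("ntp-m300-a", "V7.08.009"),
    ("ntp-m1000-b", "7.08.010"),
    ("ntp-sf1200-c", "7.08.010-light"),
    ("ntp-m200-d", "7.06.012"),
    ("ntp-lces-e", "n/a"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {ver:16} {status}")
```

Feed it the version strings exported from your own device inventory; anything the parser cannot read is flagged for manual review rather than assumed fixed.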
Further Information
Further details and information are available from the following website:
If you have any questions or need assistance, please do not hesitate to contact Meinberg's technical support team.
Acknowledgments
We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.
Thank you!