News from 2015-10-21


Meinberg Security Advisory: [MBGSA-1502] NTP Vulnerabilities, OpenSSL and OpenSSH Updates


The Public NTP Services Project (www.ntp.org) announced that the current versions of the reference implementation of NTP contain a number of security-related bugs that affect all NTP 4.x versions before ntp-4.2.8p4, which has been released today.

The new LANTIME firmware release 6.18.007 includes NTP 4.2.8p4 and also updates the OpenSSL version to 1.0.2d, the latest available stable and secure SSL version. In addition to this, the OpenSSH version has also been updated to the latest stable version OpenSSH 7.1, fixing a number of vulnerabilities.


CVE-IDs:

[NTP]: CVE-2015-7871 CVE-2015-7855 CVE-2015-7854 CVE-2015-7853 CVE-2015-7852 CVE-2015-7851 CVE-2015-7850 CVE-2015-7849 CVE-2015-7848 CVE-2015-7701 CVE-2015-7703 CVE-2015-7704 CVE-2015-7691
(at the time this MBGSA is published, some of the CVEs listed above might not yet be available from NVD)

Update: The NTP Installer for Windows has been updated and now installs NTP 4.2.8p4.

1. Description of the Problem

The version of the reference implementation of NTP installed on LANTIME firmware appliances contains several bugs that can cause security vulnerabilities.

The Network Time Foundation today announced the availability of the latest stable NTP version 4.2.8p4, which fixes 13 recently detected vulnerabilities. As a member of the NTP Consortium of the Network Time Foundation, Meinberg received access to this release before the general public and included it in the latest stable LANTIME firmware version 6.18.007, available from today for both LANTIME and SyncFire products.

Details about the reported vulnerabilities can be found in the official NTP 4.2.8p4 Announcement.

2. Affected Systems

All LANTIME Firmware Versions before V6.18.007 are affected by these vulnerabilities.

3. Possible Defense Strategies

Meinberg Products

The fixes for all vulnerabilities mentioned above are included in 6.18.007, which is available as of today.

Meinberg LANTIME Firmware Updates

For V5 versions and all V6 versions we strongly recommend updating to 6.18.007 as soon as possible. Please contact your Meinberg support for assistance or in case of questions.

Other NTP Installations

Please contact your OS vendor to find out how to protect your systems and how to update to ntp-4.2.8p4, if possible. If you are using our NTP Installer for Windows, you should download the latest version of the installer and upgrade your installations to 4.2.8p4 using the "Update Binaries Only" feature of the installer.
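
To check an inventory against the two thresholds named in this advisory (ntp-4.2.8p4 and LANTIME firmware 6.18.007), the following added example, which is not Meinberg or NTP project code, compares version strings numerically so that patch levels such as p10 sort after p4. Host names and version strings are constructed; treating -RC/-beta builds as older than the final release and reporting 4.3.x development versions as out of scope are assumptions of this example.

```python
import re

# Thresholds taken from the advisory text.
FIXED_NTP = "4.2.8p4"
FIXED_LANTIME = "6.18.007"
_NTP_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(-(?:RC|beta)\w*)?", re.I)
_FW_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def ntp_key(text):
    """Sortable key for the NTP version found in text, e.g. 'ntpd 4.2.8p3@1.3265-o'.
    A missing pN counts as p0; a pre-release suffix sorts below the final release."""
    m = _NTP_RE.search(text)
    if not m:
        raise ValueError(f"no NTP version in {text!r}")
    nums = tuple(int(g or 0) for g in m.groups()[:4])
    return nums + (0 if m.group(5) else 1,)

def ntp_status(text):
    """'affected' for 4.x stable versions before FIXED_NTP, 'fixed' at or after it.
    Other majors and 4.3.x development numbering are not covered by the advisory
    text, so they are reported as 'out-of-scope' instead of being guessed."""
    key = ntp_key(text)
    if key[0] != 4 or key[1] > 2:
        return "out-of-scope"
    return "affected" if key < ntp_key(FIXED_NTP) else "fixed"

def fw_key(text):
    """Numeric key for a firmware string such as 'V6.18.007' -> (6, 18, 7)."""
    m = _FW_RE.search(text)
    if not m:
        raise ValueError(f"no firmware version in {text!r}")
    return tuple(int(g) for g in m.groups())

def lantime_affected(firmware):
    """True if the firmware is older than the fixed release named in the advisory."""
    return fw_key(firmware) < fw_key(FIXED_LANTIME)

def audit(inventory):
    """Return the hosts whose reported version falls in the affected range."""
    return [host for host, kind, ver in inventory
            if (lantime_affected(ver) if kind == "lantime" else ntp_status(ver) == "affected")]

# Constructed sample inventory: (host, kind, reported version string).
SAMPLE = [
    ("ts-01", "lantime", "V6.18.005"),
    ("ts-02", "lantime", "V6.18.007"),
    ("web-01", "ntpd", "ntpd 4.2.6p5@1.2349-o"),
    ("db-01", "ntpd", "ntpd 4.2.8p10@1.3728-o"),
]
```

A plain string comparison would rank "4.2.8p10" below "4.2.8p4" and "6.9.010" above "6.18.007"; the numeric keys avoid both mistakes.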

4. Additional Information Sources

More about this topic can be found on the following websites:

October 2015 Security Notice of the NTP Public Services Project
Attacking the Network Time Protocol Report from the Boston University team
Cisco Security Advisory

Please do not hesitate to reach out to your Meinberg support contact if you need further assistance or have additional questions.

