News from 2015-10-21
Meinberg Security Advisory: [MBGSA-1502] NTP Vulnerabilities, OpenSSL and OpenSSH Updates
The new LANTIME firmware release 6.18.007 includes NTP 4.2.8p4 and also updates the OpenSSL version to 1.0.2d, the latest available stable and secure SSL version. In addition to this, the OpenSSH version has also been updated to the latest stable version OpenSSH 7.1, fixing a number of vulnerabilities.
CVE-IDs:
[NTP]:
CVE-2015-7871
CVE-2015-7855
CVE-2015-7854
CVE-2015-7853
CVE-2015-7852
CVE-2015-7851
CVE-2015-7850
CVE-2015-7849
CVE-2015-7848
CVE-2015-7701
CVE-2015-7703
CVE-2015-7704
CVE-2015-7691
(at the time this MBGSA is published, some of the CVEs listed above might not yet be available from NVD)
Update: The NTP Installer for Windows has been updated and now installs NTP 4.2.8p4.
1. Description of the Problem
The version of the NTP reference implementation installed on LANTIME firmware appliances contains several bugs that can cause security vulnerabilities. The Network Time Foundation today announced the availability of the latest stable NTP version 4.2.8p4, which fixes 13 recently detected vulnerabilities. As a member of the NTP Consortium of the Network Time Foundation, Meinberg received access to this release before the general public and included it in the latest stable LANTIME firmware version 6.18.007, available from today for both LANTIME and SyncFire products.
Details about the reported vulnerabilities can be found in the official NTP 4.2.8p4 Announcement.
2. Affected Systems
All LANTIME Firmware Versions before V6.18.007 are affected by these vulnerabilities.
3. Possible Defense Strategies
Meinberg Products
The fixes for all mentioned vulnerabilities are included in 6.18.007, which is available as of today.
Meinberg LANTIME Firmware Updates
For V5 versions and all V6 versions we strongly recommend updating to 6.18.007 as soon as possible. Please contact your Meinberg support for assistance or in case of questions.
Other NTP Installations
Please contact your OS vendor to find out how to protect your systems and how to update to ntp-4.2.8p4, if possible. If you are using our NTP Installer for Windows, you should download the latest version of the installer and upgrade your installations to 4.2.8p4 using the "Update Binaries Only" feature of the installer.
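The following is an added example, not part of this advisory or of Meinberg's software: a small Python triage script that flags inventory entries whose LANTIME firmware is older than 6.18.007 or whose ntpd is older than 4.2.8p4. It assumes firmware strings of the form "V6.18.007" (optional "V" prefix, two or three numeric components) and ntpd strings of the form "4.2.8p3"; the inventory itself is constructed sample data.

```python
import re

# Fixed versions named in the advisory, as comparable tuples.
FIXED_LANTIME = (6, 18, 7)       # LANTIME firmware 6.18.007
FIXED_NTP = (4, 2, 8, 4)         # ntp-4.2.8p4; the "pN" patch level is the 4th component


def parse_lantime(version):
    """Parse 'V6.18.007' / '6.16.003' / 'V5.34' into an int tuple (assumed format)."""
    m = re.fullmatch(r"V?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised LANTIME firmware version: {version!r}")
    major, minor, build = m.groups()
    return (int(major), int(minor), int(build or 0))


def parse_ntp(version):
    """Parse '4.2.8p3' or '4.2.8' (no patch level counts as p0) into an int tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised ntpd version: {version!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def lantime_affected(version):
    """True if the firmware predates 6.18.007 (advisory: all earlier versions are affected)."""
    return parse_lantime(version) < FIXED_LANTIME


def ntp_affected(version):
    """True if the ntpd build predates 4.2.8p4."""
    return parse_ntp(version) < FIXED_NTP


def triage(inventory):
    """inventory: (host, kind, version) triples; returns hosts that still need the update."""
    checks = {"lantime": lantime_affected, "ntpd": ntp_affected}
    return [host for host, kind, ver in inventory if checks[kind](ver)]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("ntp-core-1", "lantime", "V6.16.003"),
    ("ntp-core-2", "lantime", "6.18.007"),
    ("ntp-legacy", "lantime", "V5.34"),
    ("win-ntp-01", "ntpd", "4.2.8p3"),
    ("win-ntp-02", "ntpd", "4.2.8p4"),
    ("lab-ntp", "ntpd", "4.2.6"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```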
4. Additional Information Sources
More about this topic can be found on the following websites:
October 2015 Security Notice of the NTP Public Services Project
Attacking the Network Time Protocol Report from the Boston University team
Cisco Security Advisory
Please do not hesitate to reach out to your Meinberg support contact if you need further assistance or have additional questions.