News from 2023-10-26
Meinberg Security Advisory: [MBGSA-2023.05] LANTIME-Firmware Version 7.08.004
Meinberg recommends updating to LANTIME firmware version 7.08.004.
- LANTIME firmware version 7.08.003:
  severity level critical (0), high (1), medium (0), low (1), info (0), unknown (0)
- LANTIME firmware version 7.08.002:
  severity level critical (0), high (1), medium (1), low (4), info (1), unknown (0)
- LANTIME firmware: version 7.08.004
Description of the Vulnerabilities
- Third-party software:
  - OpenSSL:
    - CVE-2023-3817 - Excessive time spent checking DH q parameter value (low)
      https://www.openssl.org/news/secadv/20230731.txt
    - CVE-2023-3446 - Fix DH_check() excessive time with over sized modulus (low)
      https://www.openssl.org/news/secadv/20230719.txt
    Fixed in: 7.08.003 MBGID-15269
  - curl:
    - CVE-2023-38039 - HTTP headers eat all memory (medium)
      https://curl.se/docs/CVE-2023-38039.html
    - CVE-2023-32001 - fopen race condition (info)
      https://curl.se/docs/CVE-2023-32001.html
    Fixed in: 7.08.003 MBGID-15024
    - CVE-2023-38545 - SOCKS5 heap buffer overflow (high)
      https://curl.se/docs/CVE-2023-38545.html
    - CVE-2023-38546 - cookie injection with none file (low)
      https://curl.se/docs/CVE-2023-38546.html
    Fixed in: 7.08.004 MBGID-15701
- System configuration:
  - NOCVE - Boot Prompt (low)
    The boot-loader waited five seconds for input during boot.
    Fixed in: 7.08.003 MBGID-15486
Systems Affected
All LANTIME firmware versions before version 7.08.004 are affected by the corresponding vulnerabilities. The LANTIME firmware is used by all devices of the LANTIME M series (M100, M150, M200, M250, M300, M320, M400, M450, M600, M900) as well as all devices of the LANTIME IMS series (M500, M1000, M1000S, M2000S, M3000, M3000S, M4000) and the SyncFire product family (SF1000, SF1100, SF1200, SF1500).
Whether and to what extent individual clients or LANTIME systems are vulnerable depends on the individual configuration, network infrastructure, and other factors, and it is therefore not possible to provide a general statement on how vulnerable a given system in use actually is.
Possible Security Measures
The relevant security updates are included in LANTIME firmware version 7.08.004(-light). Updating to this version eliminates the listed vulnerabilities.
Download the latest LANTIME firmware at:
All updates are now available for Meinberg customers. Updating the LANTIME firmware to version 7.08.004 or 7.08.004-light is recommended. Clients who cannot install version 7.08.004 should install 7.08.004-light instead.
Further Information
Further details and information are available from the following websites:
If you have any questions or need assistance, please do not hesitate to contact Meinberg’s technical support team.
Acknowledgments
We would like to express our gratitude to all those who have advised us of vulnerabilities or other bugs, and have also suggested improvements to us.
Thank you!