Meinberg Clears NTP Time Server Issues

Thursday, June 23, 2016 @ 05:06 PM gHale


Meinberg created a new Version 6.20.004 to mitigate a stack buffer overflow vulnerability and a privilege escalation vulnerability in its NTP Time Servers Interface, according to a report on ICS-CERT.

Independent researcher Ryan Wincey, who discovered the vulnerabilities, validated the firmware update and confirmed the update fixes the remotely exploitable vulnerabilities.

RELATED STORIES
Unitronics Mitigates VisiLogic Hole
Rockwell Fixes Switch Vulnerability
Advantech Clears ActiveX Holes
Schneider Fixes XSS Vulnerability

The following Meinberg products suffer from the issues:
• IMS-LANTIME M3000 Version 6.0 and earlier
• IMS-LANTIME M1000 Version 6.0 and earlier
• IMS-LANTIME M500 Version 6.0 and earlier
• LANTIME M900 Version 6.0 and earlier
• LANTIME M600 Version 6.0 and earlier
• LANTIME M400 Version 6.0 and earlier
• LANTIME M300 Version 6.0 and earlier
• LANTIME M200 Version 6.0 and earlier
• LANTIME M100 Version 6.0 and earlier
• SyncFire 1100 Version 6.0 and earlier
• LCES Version 6.0 and earlier

Successful exploitation of these vulnerabilities could cause a buffer overflow condition that may allow escalation to root privileges.

Meinberg is a Germany-based company that maintains offices around the world, including North America, South America, Europe, Asia, Africa, and Australia.

The affected products are NTP Time Servers. IMS-LANTIME, LANTIME, SyncFire, and LCES Series see action across several sectors including communications, defense industrial base, energy, financial services, and transportation systems. Meinberg said these products see action on a global basis.

Remote stack buffer overflow vulnerability involving parsing of parameter in POST request in function provides privilege of web server “nobody.”

CVE-2016-3962 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

Remote stack buffer overflow vulnerability is present while parsing nine different parameters in POST request in function.

CVE-2016-3988 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

Weak access controls allow for privilege escalation from “nobody” to “root” user. “nobody” has permissions to alter script that can only run as “root.”

CVE-2016-3989 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill would be able to exploit these vulnerabilities.

Meinberg has produced a new firmware Version 6.20.004.