CVE-2016-3989
Published: 2016-07-03
Priority: P357 · Severity: high · CVSS 3.0 base score: 8.1
CVSS 3.0 vector: AV:N AC:L PR:L UI:N S:U C:H I:H A:N
EXPLOIT
EPSS: 5.09% (91.3rd percentile)
The NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote authenticated users to obtain root privileges for writing to unspecified scripts, and consequently obtain sensitive information or modify data, by leveraging access to the nobody account.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| meinberg | ntp_server_firmware | <= 6.0 | — |
Detection & IOCs (extracted from sources)
Command: cp /mnt/flash/config/user_defined_notification /www/filetmp; echo "{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash/tmp/foo;" >> /www/filetmp
- Detect oversized POST bodies to /cgi-bin/main: the exploit sends a 'button=' parameter padded with ~10028+ 'A' bytes, far exceeding any legitimate value, indicating a stack-based buffer overflow attempt.
- Alert on POST requests to /cgi-bin/main with Content-Type: application/x-www-form-urlencoded whose Content-Length exceeds ~10000 bytes, as the exploit payload is consistently above this threshold.
- Monitor for creation of or writes to /www/filetmp on Meinberg NTP appliances, as the exploit stages a reverse shell payload there.
- Detect mkfifo usage on /tmp/foo followed by /bin/bash reading from it, which is the reverse shell mechanism used by the exploit.
- The exploit binary addresses (system, exit, some_str, stack_pivot, ROP gadgets) are hardcoded for firmware ELX800/GPS M4x V5.30p only; they will not be valid for other firmware versions or device models.
- CVE-2016-3989 affects firmware versions 6.0 and earlier across all listed Meinberg device families; firmware 6.20.004 is the patched version.
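The detection points above can be turned into a small log-scanning routine. The following is an added example written for this page, not code from any of the indexed sources or from Meinberg: it checks HTTP request records for the oversized, A-padded POST to /cgi-bin/main and checks host command lines for the mkfifo/bash pairing and for writes to /www/filetmp. The 10000-byte Content-Length threshold and the indicator paths come from the bullets above; the 1000-byte padding floor (MIN_PAD), the HttpRequest record layout and all sample records are constructed for the example. Brace-expansion forms such as {mkfifo,/tmp/foo} are normalised before matching so the space-less variant quoted above is caught as well.

```python
"""Detection helpers for the CVE-2016-3989 indicators (added example, constructed data)."""
import re
from dataclasses import dataclass

BODY_THRESHOLD = 10000   # Content-Length above this on a form POST to /cgi-bin/main (from the indicator)
MIN_PAD = 1000           # our own floor for the 'button=' padding; the exploit uses ~10028+ bytes
PADDED_BUTTON = re.compile(r"(?:^|&)button=(A+)(?:&|$)")
BRACE = re.compile(r"\{([^{}]*,[^{}]*)\}")   # matches one {a,b,...} brace group


@dataclass
class HttpRequest:
    """Minimal request record; assumed layout, e.g. reconstructed from a proxy or IDS log."""
    src: str
    method: str
    path: str
    content_type: str = ""
    content_length: int = 0
    body: str = ""       # empty when only headers are logged


def check_http(req: HttpRequest) -> list[str]:
    """Return the reasons a request matches the CVE-2016-3989 HTTP indicators (empty if none)."""
    reasons = []
    if req.method != "POST" or req.path != "/cgi-bin/main":
        return reasons
    if (req.content_type.lower().startswith("application/x-www-form-urlencoded")
            and req.content_length > BODY_THRESHOLD):
        reasons.append(f"oversized form POST to /cgi-bin/main ({req.content_length} bytes)")
    m = PADDED_BUTTON.search(req.body)
    if m and len(m.group(1)) >= MIN_PAD:
        reasons.append(f"button= padded with {len(m.group(1))} 'A' bytes")
    return reasons


def expand_braces(cmd: str) -> str:
    """Rewrite {a,b} into 'a b' so the space-less exploit variant matches the same patterns."""
    prev = None
    while prev != cmd:
        prev, cmd = cmd, BRACE.sub(lambda m: " ".join(m.group(1).split(",")), cmd)
    return cmd


HOST_PATTERNS = [
    (re.compile(r"\bmkfifo\s+/tmp/foo\b"), "mkfifo on /tmp/foo"),
    (re.compile(r"/bin/bash\s*<?\s*/tmp/foo\b"), "/bin/bash fed from /tmp/foo"),
    (re.compile(r"(?:>>?|\bcp\s+\S+)\s*/www/filetmp\b"), "write to /www/filetmp"),
]


def check_command(cmdline: str) -> list[str]:
    """Return the host-side indicator labels found in one shell command line."""
    norm = expand_braces(cmdline)
    return [label for pat, label in HOST_PATTERNS if pat.search(norm)]


def scan(requests: list[HttpRequest], commands: list[str]) -> list[tuple[str, str, str]]:
    """Run both checks and return (source, subject, reason) alert tuples."""
    alerts = []
    for r in requests:
        for why in check_http(r):
            alerts.append(("http", r.src, why))
    for c in commands:
        for why in check_command(c):
            alerts.append(("host", c[:40], why))
    return alerts


# Constructed sample data: one benign form POST, one matching the indicators, one GET.
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.5", "POST", "/cgi-bin/main",
                "application/x-www-form-urlencoded", 20, "button=Save&mode=ntp"),
    HttpRequest("10.0.0.9", "POST", "/cgi-bin/main",
                "application/x-www-form-urlencoded", 7 + 10028, "button=" + "A" * 10028),
    HttpRequest("10.0.0.5", "GET", "/cgi-bin/main"),
]
# Constructed command audit lines; the second is the staging command quoted on this page.
SAMPLE_COMMANDS = [
    "ls -la /www",
    'cp /mnt/flash/config/user_defined_notification /www/filetmp; echo "{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash/tmp/foo;" >> /www/filetmp',
    "mkfifo /tmp/myfifo",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS, SAMPLE_COMMANDS):
        print(alert)
```

On a real deployment the HttpRequest records would be filled from whatever proxy or IDS captures the appliance's web traffic, and check_command would be fed from process-creation or shell audit logs on the device; the thresholds are the ones stated in the indicators, so tune MIN_PAD only downward with care, since legitimate form values are far shorter.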
CVSS provenance
NVD v3.0: 8.1 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
NVD v2.0: 8.5 HIGH (AV:N/AC:L/Au:S/C:C/I:C/A:N)
GHSA
GHSA-qf6p-prwp-r624 (ghsa_unreviewed · 2022-05-17): CVE-2016-3989 [HIGH]
CISA ICS
Meinberg NTP Time Server Vulnerabilities
cisa_ics · 2018-08-23
ICS Advisory (archived content: CISA notes that its archive contains outdated information that may not reflect current policy or programs)
Last Revised: August 23, 2018
Alert Code: ICSA-16-175-03
## OVERVIEW
Independent researcher Ryan Wincey has identified a stack buffer overflow vulnerability and a privilege escalation vulnerability in Meinberg's NTP Time Servers Interface. Meinberg has released firmware version 6.20.004 to mitigate these vulnerabilities. The researcher has validated the firmware update and confirms that it fixes these vulnerabilities.
These vulnerabilities could be exploited remotely.
## AFFECTED PRODUCTS
The following Meinberg products are affected:
- IM
No detection rules found.
No writeups or analysis indexed.