Meinberg Radio Clocks GmbH & Co. KG created a firmware update that mitigates a reflected cross-site scripting vulnerability in its LANTIME M400 web interface, according to a report on ICS-CERT.
Martem Telecontrol Systems security researcher Aivar Liimets, who discovered the vulnerability, tested the firmware update to validate it resolves the remotely exploitable vulnerability.
LANTIME M-Series models running firmware V6.15.019 and prior suffer from the issue.
The reflected cross-site scripting vulnerability could cause the time server to provide misinformation to devices.
Meinberg Radio Clocks GmbH & Co. KG is an international provider of electronic modules, based in Bad Pyrmont, Germany.
The affected products, the LANTIME M-Series, are NTP Servers. The Meinberg NTP Servers see action across several sectors including commercial facilities, communications, energy, financial services, and transportation systems. Meinberg said these products see use primarily in the United States and Europe.
The web interface for LANTIME M-Series contains a flaw that allows reflected cross-site scripting.
CVE-2014-5417 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.
No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.
Meinberg’s firmware update, Version 6.15.020, resolves this vulnerability.
Contact Meinberg customer service for information on how to download and install the firmware update.