Sign-up

ID

VAR-201607-0012


CVE

CVE-2016-3989


TITLE

plural Meinberg Runs on device firmware NTP Time Server Write to unspecified script in the interface root Privileged vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-003490

DESCRIPTION

The NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote authenticated users to obtain root privileges for writing to unspecified scripts, and consequently obtain sensitive information or modify data, by leveraging access to the nobody account. Meinberg NTP Time Server is prone to multiple privilege-escalation and stack-based buffer-overflow vulnerabilities. Remote attackers can exploit these issues to execute arbitrary code in the context of the application or gain elevated privileges. Other attacks are also possible. The following products are affected : Meinberg IMS-LANTIME M3000 Version 6.0 and prior Meinberg IMS-LANTIME M1000 Version 6.0 and prior Meinberg IMS-LANTIME M500 Version 6.0 and prior Meinberg LANTIME M900 Version 6.0 and prior Meinberg LANTIME M600 Version 6.0 and prior Meinberg LANTIME M400 Version 6.0 and prior Meinberg LANTIME M300 Version 6.0 and prior Meinberg LANTIME M200 Version 6.0 and prior Meinberg LANTIME M100 Version 6.0 and prior Meinberg SyncFire 1100 Version 6.0 and prior Meinberg LCES Version 6.0 and prior. Meinberg IMS-LANTIME M3000 etc. are all NTP time servers of German Meinberg company. An elevation of privilege vulnerability exists in the NTP time-server interface of several Meinberg products

Trust: 1.98

sources: NVD: CVE-2016-3989 // JVNDB: JVNDB-2016-003490 // BID: 91400 // VULHUB: VHN-92808

AFFECTED PRODUCTS

vendor:meinbergmodel:lcesscope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m100scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m200scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:ims-lantime m3000scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m300scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:ntp serverscope:lteversion:6.0

Trust: 1.0

vendor:meinbergmodel:ims-lantime m1000scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m400scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m600scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:syncfire 1100scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:ims-lantime m500scope:eqversion: -

Trust: 1.0

vendor:meinbergmodel:lantime m900scope:eqversion: -

Trust: 1.0

vendor:meinberg funkuhrenmodel:ims-lantime m1000scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:ims-lantime m3000scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:ims-lantime m500scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m100scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m200scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m300scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m400scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m600scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lantime m900scope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:lcesscope: - version: -

Trust: 0.8

vendor:meinberg funkuhrenmodel:ntp serverscope:ltversion:6.20.004

Trust: 0.8

vendor:meinberg funkuhrenmodel:syncfire 1100scope: - version: -

Trust: 0.8

vendor:meinbergmodel:ntp serverscope:eqversion:6.0

Trust: 0.6

sources: JVNDB: JVNDB-2016-003490 // CNNVD: CNNVD-201606-553 // NVD: CVE-2016-3989

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-3989
value: HIGH

Trust: 1.0

NVD: CVE-2016-3989
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201606-553
value: HIGH

Trust: 0.6

VULHUB: VHN-92808
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-3989
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-92808
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-3989
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-92808 // JVNDB: JVNDB-2016-003490 // CNNVD: CNNVD-201606-553 // NVD: CVE-2016-3989

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-92808 // JVNDB: JVNDB-2016-003490 // NVD: CVE-2016-3989

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201606-553

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201606-553

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-003490

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-92808

PATCH
title:Meinberg Security Advisory: [MBGSA-1604] WebUI and NTPurl:https://www.meinbergglobal.com/english/news/meinberg-security-advisory-mbgsa-1604-webui-and-ntp.htm
Trust: 0.8
title:Multiple Meinberg Repair measures for product privilege vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62469
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2016-003490 // 
            
            
            
            CNNVD: CNNVD-201606-553

EXTERNAL IDS
db:NVDid:CVE-2016-3989
Trust: 2.8
db:ICS CERTid:ICSA-16-175-03
Trust: 2.5
db:EXPLOIT-DBid:40120
Trust: 1.1
db:JVNDBid:JVNDB-2016-003490
Trust: 0.8
db:CNNVDid:CNNVD-201606-553
Trust: 0.7
db:BIDid:91400
Trust: 0.3
db:VULHUBid:VHN-92808
Trust: 0.1
sources:
            
            
            VULHUB: VHN-92808 // 
            
            
            
            BID: 91400 // 
            
            
            
            JVNDB: JVNDB-2016-003490 // 
            
            
            
            CNNVD: CNNVD-201606-553 // 
            
            
            
            NVD: CVE-2016-3989

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-16-175-03
Trust: 2.5
url:https://www.exploit-db.com/exploits/40120/
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-3989
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-3989
Trust: 0.8
sources:
            
            
            VULHUB: VHN-92808 // 
            
            
            
            JVNDB: JVNDB-2016-003490 // 
            
            
            
            CNNVD: CNNVD-201606-553 // 
            
            
            
            NVD: CVE-2016-3989

CREDITS
Ryan Wincey
Trust: 0.3
sources:
            
            
            BID: 91400

SOURCES
db:VULHUBid:VHN-92808
db:BIDid:91400
db:JVNDBid:JVNDB-2016-003490
db:CNNVDid:CNNVD-201606-553
db:NVDid:CVE-2016-3989

LAST UPDATE DATE
2025-04-13T23:02:54.632000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-92808date:2017-09-03T00:00:00
db:BIDid:91400date:2016-06-23T00:00:00
db:JVNDBid:JVNDB-2016-003490date:2016-07-11T00:00:00
db:CNNVDid:CNNVD-201606-553date:2016-07-04T00:00:00
db:NVDid:CVE-2016-3989date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-92808date:2016-07-03T00:00:00
db:BIDid:91400date:2016-06-23T00:00:00
db:JVNDBid:JVNDB-2016-003490date:2016-07-11T00:00:00
db:CNNVDid:CNNVD-201606-553date:2016-06-24T00:00:00
db:NVDid:CVE-2016-3989date:2016-07-03T14:59:05.523