Privilage Escalation in IMS-LANTIME M3000

1) Privilage Escalation

EUVDB-ID: #VU57

Risk: High

CVSSv3.1: 7.3 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-3989

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute privilage escalation.

The vulnerability exists due to weak access controls, that allow for privilege escalation from “nobody” to “root” user. “nobody” has permissions to alter script that can only run as “root.”

Successful exploitation of this vulnerability may result in escalation to root privileges.

Mitigation

Meinberg has produced a new firmware Version 6.20.004.

Vulnerable software versions

IMS-LANTIME M1000: 6.0

IMS-LANTIME M500: 6.0

LANTIME M900 : 6.0

LANTIME M600 : 6.0

LANTIME M400: 6.0

LANTIME M200: 6.0

LANTIME M100: 6.0

SyncFire 1100: 6.0

LCES: 6.0

External links

http://ics-cert.us-cert.gov/advisories/ICSA-16-175-03

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.