CVE-2017-16786 — MEDIUM (6.5)

Q: How severe is CVE-2017-16786?

CVE-2017-16786 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-16786?

Check the references section above for vendor advisories and patch information. Affected products include: Meinbergglobal Lantime Firmware, Meinbergglobal Lantime M100, Meinbergglobal Lantime M1000, Meinbergglobal Lantime M200, Meinbergglobal Lantime M300.

Vulnerability Description

The Web Configuration Utility in Meinberg LANTIME devices with firmware before 6.24.004 allows remote authenticated users with certain privileges to read arbitrary files via (1) the ntpclientcounterlogfile parameter to cgi-bin/mainv2 or (2) vectors involving curl support of the "file" schema in the firmware update functionality.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Meinbergglobal	Lantime Firmware	<= 6.24.003
Meinbergglobal	Lantime M100	-
Meinbergglobal	Lantime M1000	-
Meinbergglobal	Lantime M200	-
Meinbergglobal	Lantime M300	-
Meinbergglobal	Lantime M3000	-
Meinbergglobal	Lantime M400	-
Meinbergglobal	Lantime M500	-
Meinbergglobal	Lantime M600	-
Meinbergglobal	Lantime M900	-

Related Weaknesses (CWE)

CWE-200

References

http://packetstormsecurity.com/files/145388/Meinberg-LANTIME-Web-Configuration-UIssue TrackingThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2017/Dec/50Issue TrackingMailing ListThird Party Advisory
http://packetstormsecurity.com/files/145388/Meinberg-LANTIME-Web-Configuration-UIssue TrackingThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2017/Dec/50Issue TrackingMailing ListThird Party Advisory

FAQ

What is CVE-2017-16786?

CVE-2017-16786 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Web Configuration Utility in Meinberg LANTIME devices with firmware before 6.24.004 allows remote authenticated users with certain privileges to read arbitrary files via (1) the ntpclientcounterlo...

How severe is CVE-2017-16786?

CVE-2017-16786 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-16786?

Check the references section above for vendor advisories and patch information. Affected products include: Meinbergglobal Lantime Firmware, Meinbergglobal Lantime M100, Meinbergglobal Lantime M1000, Meinbergglobal Lantime M200, Meinbergglobal Lantime M300.