---
NTP 4.2.8p6

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following X low- and Y medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2548 / CVE-2015-8158
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
  Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
    The loop's only stopping conditions are receiving a complete and
    correct response or hitting a small number of error conditions.
    If the packet contains incorrect values that don't trigger one of
    the error conditions, the loop continues to receive new packets.
    Note well, this is an attack against an instance of 'ntpq', not
    'ntpd', and this attack requires the attacker to do one of the
    following:
    * Own a malicious NTP server that the client trusts
    * Prevent a legitimate NTP server from sending packets to
      the 'ntpq' client
    * MITM the 'ntpq' communications between the 'ntpq' client
      and the NTP server
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2945 / CVE-2015-8138
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
    (3.7 - LOW if you score AC:L)
  Summary: To distinguish legitimate peer responses from forgeries, a
    client attempts to verify a response packet by ensuring that the
    origin timestamp in the packet matches the origin timestamp it
    transmitted in its last request. A logic error exists that
    allows packets with an origin timestamp of zero to bypass this
    check whenever there is not an outstanding request to the server.
  Mitigation:
    Configure 'ntpd' to get time from multiple sources.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* Stack exhaustion in recursive traversal of restriction list
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016
  References: Sec 2940 / CVE-2015-7978
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by exhausting the call stack.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
        issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
        requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2942 / CVE-2015-7979
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
  Summary: An off-path attacker can send broadcast packets with bad
    authentication (wrong key, mismatched key, incorrect MAC, etc)
    to broadcast clients. It is observed that the broadcast client
    tears down the association with the broadcast server upon
    receiving just one bad packet.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Monitor your 'ntpd' instances.
    If this sort of attack is an active problem for you, you have
    deeper problems to investigate. In this case also consider
    having smaller NTP broadcast domains.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

* reslist NULL pointer dereference
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2939 / CVE-2015-7977
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
  Summary: An unauthenticated 'ntpdc reslist' command can cause a
    segmentation fault in ntpd by causing a NULL pointer dereference.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      mode 7 is disabled by default. Don't enable it.
      If you must enable mode 7:
        configure the use of a 'requestkey' to control who can
        issue mode 7 requests.
        configure 'restrict noquery' to further limit mode 7
        requests to trusted sources.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2938 / CVE-2015-7976
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
  Summary: The ntpq saveconfig command does not do adequate filtering
    of special characters from the supplied filename.
    Note well: The ability to use the saveconfig command is controlled
    by the 'restrict nomodify' directive, and the recommended default
    configuration is to disable this capability. If the ability to
    execute a 'saveconfig' is required, it can easily (and should) be
    limited and restricted to a known small number of IP addresses.
  Mitigation:
    Implement BCP-38.
    Use 'restrict default nomodify' in your 'ntp.conf' file.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
    If you are unable to upgrade:
      build NTP with 'configure --disable-saveconfig' if you will
      never need this capability, or
      use 'restrict default nomodify' in your 'ntp.conf' file. Be
      careful about what IPs have the ability to send 'modify'
      requests to 'ntpd'.
    Monitor your ntpd instances.
    'saveconfig' requests are logged to syslog - monitor your syslog files.
  Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
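The saveconfig entry above says the supplied filename is not adequately filtered. The following is an added example of what adequate filtering looks like for a request of that kind; it is not ntpd's code and does not reproduce ntpd's own filter. The allowlist pattern, the placeholder directory `/var/ntp/saved`, and the sample requests are all constructed for the example.

```python
"""Filename validation for a saveconfig-style request, added to illustrate
the saveconfig entry above.  Not ntpd's code and not its actual filter:
the allowlist and the target directory below are chosen for the example."""

import os
import re
from typing import Optional

# Allowlist for a plain basename: starts with a letter or digit, then only
# letters, digits, '.', '_' or '-', at most 64 characters (constructed rule).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\Z")

# Placeholder directory for the example; ntpd's real location differs.
SAVE_DIR = "/var/ntp/saved"


def is_safe_basename(name: str) -> bool:
    """True only for a bare file name: no separators, no '..', no shell or
    control characters, nothing that could be read as an option ('-')."""
    if not SAFE_NAME.fullmatch(name):
        return False
    return ".." not in name


def saveconfig_target(name: str, directory: str = SAVE_DIR) -> Optional[str]:
    """Return the absolute path to write, or None when the request must be
    refused.  The post-normalisation check is defence in depth: the result
    has to sit directly inside the directory even if the allowlist changes."""
    if not is_safe_basename(name):
        return None
    target = os.path.normpath(os.path.join(directory, name))
    if os.path.dirname(target) != directory:
        return None
    return target


# Constructed requests: the first two are acceptable, the rest are not.
SAMPLES = [
    "ntp.conf.20160119",
    "backup-1",
    "../../etc/ntp.conf",      # traversal
    "conf;id",                 # shell metacharacter
    "conf\n",                  # control character
    "-rf",                     # option-like
    ".hidden",                 # leading dot
    "",                        # empty
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", saveconfig_target(s))
```

The point of the two-layer check is that the allowlist decides what is accepted, while the directory comparison after `normpath` catches anything the allowlist might later be loosened to admit; 'restrict default nomodify' remains the control that decides who may issue the request at all.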
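The 0rigin entry above describes a check that compares a reply's origin timestamp with the last request the client sent, and a logic error that lets an origin timestamp of zero pass whenever no request is outstanding. The following added example models that check; it is not ntpd's code. It assumes, for the illustration, that an idle association remembers a zero "last transmit" value, which is what makes a zero origin compare equal in the vulnerable form.

```python
"""Model of the origin-timestamp check behind the 0rigin entry above
(CVE-2015-8138).  Added example, not ntpd's code: it reduces the check to
the one comparison the entry describes, with an idle association storing
a zero 'last transmit' value (an assumption made for the illustration)."""

from dataclasses import dataclass


@dataclass
class Association:
    """Client-side state for one server.  last_xmt is the transmit
    timestamp of the outstanding request, or 0 when none is outstanding."""
    last_xmt: int = 0


@dataclass
class Packet:
    """The two fields of a server reply that matter here."""
    org: int  # origin timestamp the server echoes back
    xmt: int  # the server's own transmit timestamp


def check_origin_vulnerable(assoc, pkt):
    """Compares org only against the remembered value.  When no request is
    outstanding that value is 0, so a packet carrying org=0 'matches'."""
    return pkt.org == assoc.last_xmt


def check_origin_fixed(assoc, pkt):
    """Refuses a zero origin outright and refuses any reply while nothing
    is outstanding; only then does the comparison count."""
    if pkt.org == 0 or assoc.last_xmt == 0:
        return False
    return pkt.org == assoc.last_xmt


def evaluate(check, scenarios):
    """Apply one check to every (label, association, packet) scenario and
    return {label: accepted} so the two checks can be compared."""
    return {label: check(assoc, pkt) for label, assoc, pkt in scenarios}


# Constructed scenarios with arbitrary integer timestamps (real NTP
# timestamps are 64-bit fixed-point values; the logic is the same).
SCENARIOS = [
    ("genuine reply", Association(last_xmt=1000), Packet(org=1000, xmt=1001)),
    ("guessed origin", Association(last_xmt=1000), Packet(org=4242, xmt=1001)),
    ("zero origin, idle", Association(last_xmt=0), Packet(org=0, xmt=99999)),
    ("zero origin, busy", Association(last_xmt=1000), Packet(org=0, xmt=99999)),
]

if __name__ == "__main__":
    for name, check in (("vulnerable", check_origin_vulnerable),
                        ("fixed", check_origin_fixed)):
        print(name, evaluate(check, SCENARIOS))
```

Only the "zero origin, idle" scenario separates the two checks: the vulnerable form accepts it because 0 equals the idle sentinel, the fixed form rejects it because a sentinel is never a valid origin. That is the general lesson of this class of bug: a value used to mean "nothing outstanding" must be excluded from the set of values an untrusted packet is allowed to match.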

* nextvar() missing length check in ntpq
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2937 / CVE-2015-7975
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
    If you score A:C, this becomes 4.0.
  CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
  Summary: ntpq may call nextvar() which executes a memcpy() into the
    name buffer without a proper length check against its maximum
    length of 256 bytes. Note well that we're talking about ntpq here.
    The usual worst-case effect of this vulnerability is that the
    specific instance of ntpq will crash and the person or process
    that did this will have stopped themselves.
  Mitigation:
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      If you have scripts that feed input to ntpq make sure there are
      some sanity checks on the input received from the "outside".
      This is potentially more dangerous if ntpq is run as root.
  Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2936 / CVE-2015-7974
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
  Summary: Symmetric key encryption uses a shared trusted key. The
    reported title for this issue was "Missing key check allows
    impersonation between authenticated peers" and the report claimed
    "A key specified only for one server should only work to
    authenticate that server, other trusted keys should be refused."
    Except there has never been any correlation between this trusted
    key and server vs. client machines, and there has never been any
    way to specify a key only for one server. We have treated this as
    an enhancement request, and ntp-4.2.8p6 includes other checks and
    tests to strengthen clients against attacks coming from broadcast
    servers.
  Mitigation:
    Implement BCP-38.
    If this scenario represents a real or a potential issue for you,
    upgrade to 4.2.8p6, or later, from the NTP Project Download
    Page or the NTP Public Services Project Download Page, and
    use the new field in the ntp.keys file that specifies the list
    of IPs that are allowed to serve time. Note that this alone
    will not protect against time packets with forged source IP
    addresses; however, other changes in ntp-4.2.8p6 provide
    significant mitigation against broadcast attacks. MITM attacks
    are a different story.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client
      servers.
      If you choose to use symmetric keys to authenticate time
      packets in a hostile environment where ephemeral time
      servers can be created, or if it is expected that malicious
      time servers will participate in an NTP broadcast domain,
      limit the number of systems that participate in the
      shared-key group.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Matt Street of Cisco ASIG.
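Several of the entries above share the same configuration-level mitigations: leave mode 7 disabled (or gate it with a 'requestkey' and 'restrict noquery'), put 'nomodify' on the default restriction, and keep an eye on broadcast clients. The following is an added example of an ntp.conf audit for exactly those settings; it is not part of the NTP distribution. The two sample configurations are constructed for the example; the directive names it looks for ('enable mode7', 'requestkey', 'restrict [-4|-6] default ...', 'broadcastclient') are the ntp.conf 4.2.8 spellings.

```python
"""ntp.conf audit for the mode 7, 'restrict default nomodify' and
'restrict default noquery' mitigations recommended in the entries above.
Added example; it is not part of the NTP distribution.  The two sample
configurations are constructed for the example."""

WEAK_CONF = """\
# constructed sample: mode 7 on, default restriction leaves query/modify open
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
enable mode7
restrict default kod notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
# constructed sample: mode 7 left disabled, query/modify closed by default
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
keys /etc/ntp/ntp.keys
trustedkey 1
controlkey 1
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_conf(text):
    """Split ntp.conf text into token lists, dropping comments and blanks."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def default_restrict_flag_sets(directives):
    """One flag set per 'restrict [-4|-6] default' line.  An empty list means
    no default restriction exists at all, the most permissive case."""
    sets = []
    for toks in directives:
        if toks[0] != "restrict":
            continue
        rest = toks[1:]
        if rest and rest[0] in ("-4", "-6"):
            rest = rest[1:]
        if rest and rest[0] == "default":
            sets.append(set(rest[1:]))
    return sets


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_conf(text)
    findings = []

    # Mode 7 (ntpdc) is off by default in 4.2.8; 'enable mode7' turns it on.
    mode7_on = any(t[0] == "enable" and "mode7" in t[1:] for t in d)
    has_requestkey = any(t[0] == "requestkey" for t in d)
    if mode7_on and not has_requestkey:
        findings.append("mode 7 enabled without a requestkey")
    elif mode7_on:
        findings.append("mode 7 enabled: confirm 'restrict noquery' limits its callers")

    flag_sets = default_restrict_flag_sets(d)
    if not flag_sets:
        findings.append("no 'restrict default' line: queries and modification open to all")
    else:
        wanted = (("nomodify", "runtime modification (e.g. saveconfig) reachable"),
                  ("noquery", "mode 6/7 queries reachable"))
        for flag, why in wanted:
            # A flag only counts if every default line (IPv4 and IPv6) carries it.
            if any(flag not in s for s in flag_sets):
                findings.append(f"'restrict default' lacks {flag}: {why}")

    # Broadcast mode itself is not a finding, but the entries above say to
    # monitor such clients, so flag it for review.
    if any(t[0] == "broadcastclient" for t in d):
        findings.append("broadcastclient configured: ensure these clients are monitored")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run against a real file with `audit(open("/etc/ntp.conf").read())`. The per-line treatment of 'restrict default' matters on dual-stack hosts, where a hardened `restrict -4 default` line is easily undone by a forgotten permissive `restrict -6 default` line.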

* Deja Vu: Replay attack on authenticated broadcast mode
  Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
  References: Sec 2935 / CVE-2015-7973
  Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
    4.3.0 up to, but not including 4.3.90
  CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
  Summary: If an NTP network is configured for broadcast operations then
    either a man-in-the-middle attacker or a malicious participant
    that has the same trusted keys as the victim can replay time packets.
  Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    If you are unable to upgrade:
      Don't use broadcast mode if you cannot monitor your client servers.
    Monitor your ntpd instances.
  Credit: This weakness was discovered by Aanchal Malhotra of Boston
    University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
  - applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
  IPv6 is disabled in the build. perlinger@ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
  - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.

---
NTP 4.2.8p5

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability: