NEWS (293423) NEWS (294554)
1---
2
1---
2
3NTP 4.2.8p6
4
5Focus: Security, Bug fixes, enhancements.
6
7Severity: MEDIUM
8
9In addition to bug fixes and enhancements, this release fixes the
10following X low- and Y medium-severity vulnerabilities:
11
12* Potential Infinite Loop in 'ntpq'
13 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
14 References: Sec 2548 / CVE-2015-8158
15 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
16 4.3.0 up to, but not including 4.3.90
17 CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
18 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
19 Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
20 The loop's only stopping conditions are receiving a complete and
21 correct response or hitting a small number of error conditions.
22 If the packet contains incorrect values that don't trigger one of
23 the error conditions, the loop continues to receive new packets.
24 Note well, this is an attack against an instance of 'ntpq', not
25 'ntpd', and this attack requires the attacker to do one of the
26 following:
27 * Own a malicious NTP server that the client trusts
28 * Prevent a legitimate NTP server from sending packets to
29 the 'ntpq' client
30 * MITM the 'ntpq' communications between the 'ntpq' client
31 and the NTP server
32 Mitigation:
33 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
34 or the NTP Public Services Project Download Page
35 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
36
37* 0rigin: Zero Origin Timestamp Bypass
38 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
39 References: Sec 2945 / CVE-2015-8138
40 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
41 4.3.0 up to, but not including 4.3.90
42 CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
43 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
44 (3.7 - LOW if you score AC:L)
45 Summary: To distinguish legitimate peer responses from forgeries, a
46 client attempts to verify a response packet by ensuring that the
47 origin timestamp in the packet matches the origin timestamp it
48 transmitted in its last request. A logic error exists that
49 allows packets with an origin timestamp of zero to bypass this
50 check whenever there is not an outstanding request to the server.
51 Mitigation:
52 Configure 'ntpd' to get time from multiple sources.
53 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
54 or the NTP Public Services Project Download Page.
55 Monitor your 'ntpd= instances.
56 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
57
58* Stack exhaustion in recursive traversal of restriction list
59 Date Resolved: Stable (4.2.8p6) 19 Jan 2016
60 References: Sec 2940 / CVE-2015-7978
61 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
62 4.3.0 up to, but not including 4.3.90
63 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
64 Summary: An unauthenticated 'ntpdc reslist' command can cause a
65 segmentation fault in ntpd by exhausting the call stack.
66 Mitigation:
67 Implement BCP-38.
68 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
69 or the NTP Public Services Project Download Page.
70 If you are unable to upgrade:
71 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
72 If you must enable mode 7:
73 configure the use of a 'requestkey' to control who can
74 issue mode 7 requests.
75 configure 'restrict noquery' to further limit mode 7
76 requests to trusted sources.
77 Monitor your ntpd instances.
78 Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
79
80* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
81 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
82 References: Sec 2942 / CVE-2015-7979
83 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
84 4.3.0 up to, but not including 4.3.90
85 CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
86 Summary: An off-path attacker can send broadcast packets with bad
87 authentication (wrong key, mismatched key, incorrect MAC, etc)
88 to broadcast clients. It is observed that the broadcast client
89 tears down the association with the broadcast server upon
90 receiving just one bad packet.
91 Mitigation:
92 Implement BCP-38.
93 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
94 or the NTP Public Services Project Download Page.
95 Monitor your 'ntpd' instances.
96 If this sort of attack is an active problem for you, you have
97 deeper problems to investigate. In this case also consider
98 having smaller NTP broadcast domains.
99 Credit: This weakness was discovered by Aanchal Malhotra of Boston
100 University.
101
102* reslist NULL pointer dereference
103 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
104 References: Sec 2939 / CVE-2015-7977
105 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
106 4.3.0 up to, but not including 4.3.90
107 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
108 Summary: An unauthenticated 'ntpdc reslist' command can cause a
109 segmentation fault in ntpd by causing a NULL pointer dereference.
110 Mitigation:
111 Implement BCP-38.
112 Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
113 the NTP Public Services Project Download Page.
114 If you are unable to upgrade:
115 mode 7 is disabled by default. Don't enable it.
116 If you must enable mode 7:
117 configure the use of a 'requestkey' to control who can
118 issue mode 7 requests.
119 configure 'restrict noquery' to further limit mode 7
120 requests to trusted sources.
121 Monitor your ntpd instances.
122 Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
123
124* 'ntpq saveconfig' command allows dangerous characters in filenames.
125 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
126 References: Sec 2938 / CVE-2015-7976
127 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
128 4.3.0 up to, but not including 4.3.90
129 CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
130 Summary: The ntpq saveconfig command does not do adequate filtering
131 of special characters from the supplied filename.
132 Note well: The ability to use the saveconfig command is controlled
133 by the 'restrict nomodify' directive, and the recommended default
134 configuration is to disable this capability. If the ability to
135 execute a 'saveconfig' is required, it can easily (and should) be
136 limited and restricted to a known small number of IP addresses.
137 Mitigation:
138 Implement BCP-38.
139 use 'restrict default nomodify' in your 'ntp.conf' file.
140 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
141 If you are unable to upgrade:
142 build NTP with 'configure --disable-saveconfig' if you will
143 never need this capability, or
144 use 'restrict default nomodify' in your 'ntp.conf' file. Be
145 careful about what IPs have the ability to send 'modify'
146 requests to 'ntpd'.
147 Monitor your ntpd instances.
148 'saveconfig' requests are logged to syslog - monitor your syslog files.
149 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
150
151* nextvar() missing length check in ntpq
152 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
153 References: Sec 2937 / CVE-2015-7975
154 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
155 4.3.0 up to, but not including 4.3.90
156 CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
157 If you score A:C, this becomes 4.0.
158 CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
159 Summary: ntpq may call nextvar() which executes a memcpy() into the
160 name buffer without a proper length check against its maximum
161 length of 256 bytes. Note well that we're taking about ntpq here.
162 The usual worst-case effect of this vulnerability is that the
163 specific instance of ntpq will crash and the person or process
164 that did this will have stopped themselves.
165 Mitigation:
166 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
167 or the NTP Public Services Project Download Page.
168 If you are unable to upgrade:
169 If you have scripts that feed input to ntpq make sure there are
170 some sanity checks on the input received from the "outside".
171 This is potentially more dangerous if ntpq is run as root.
172 Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
173
174* Skeleton Key: Any trusted key system can serve time
175 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
176 References: Sec 2936 / CVE-2015-7974
177 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
178 4.3.0 up to, but not including 4.3.90
179 CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
180 Summary: Symmetric key encryption uses a shared trusted key. The
181 reported title for this issue was "Missing key check allows
182 impersonation between authenticated peers" and the report claimed
183 "A key specified only for one server should only work to
184 authenticate that server, other trusted keys should be refused."
185 Except there has never been any correlation between this trusted
186 key and server v. clients machines and there has never been any
187 way to specify a key only for one server. We have treated this as
188 an enhancement request, and ntp-4.2.8p6 includes other checks and
189 tests to strengthen clients against attacks coming from broadcast
190 servers.
191 Mitigation:
192 Implement BCP-38.
193 If this scenario represents a real or a potential issue for you,
194 upgrade to 4.2.8p6, or later, from the NTP Project Download
195 Page or the NTP Public Services Project Download Page, and
196 use the new field in the ntp.keys file that specifies the list
197 of IPs that are allowed to serve time. Note that this alone
198 will not protect against time packets with forged source IP
199 addresses, however other changes in ntp-4.2.8p6 provide
200 significant mitigation against broadcast attacks. MITM attacks
201 are a different story.
202 If you are unable to upgrade:
203 Don't use broadcast mode if you cannot monitor your client
204 servers.
205 If you choose to use symmetric keys to authenticate time
206 packets in a hostile environment where ephemeral time
207 servers can be created, or if it is expected that malicious
208 time servers will participate in an NTP broadcast domain,
209 limit the number of participating systems that participate
210 in the shared-key group.
211 Monitor your ntpd instances.
212 Credit: This weakness was discovered by Matt Street of Cisco ASIG.
213
214* Deja Vu: Replay attack on authenticated broadcast mode
215 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
216 References: Sec 2935 / CVE-2015-7973
217 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
218 4.3.0 up to, but not including 4.3.90
219 CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
220 Summary: If an NTP network is configured for broadcast operations then
221 either a man-in-the-middle attacker or a malicious participant
222 that has the same trusted keys as the victim can replay time packets.
223 Mitigation:
224 Implement BCP-38.
225 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
226 or the NTP Public Services Project Download Page.
227 If you are unable to upgrade:
228 Don't use broadcast mode if you cannot monitor your client servers.
229 Monitor your ntpd instances.
230 Credit: This weakness was discovered by Aanchal Malhotra of Boston
231 University.
232
233Other fixes:
234
235* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
236* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
237 - applied patch by shenpeng11@huawei.com with minor adjustments
238* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
239* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
240* [Bug 2892] Several test cases assume IPv6 capabilities even when
241 IPv6 is disabled in the build. perlinger@ntp.org
242 - Found this already fixed, but validation led to cleanup actions.
243* [Bug 2905] DNS lookups broken. perlinger@ntp.org
244 - added limits to stack consumption, fixed some return code handling
245* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
246 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
247 - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
248* [Bug 2980] reduce number of warnings. perlinger@ntp.org
249 - integrated several patches from Havard Eidnes (he@uninett.no)
250* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
251 - implement 'auth_log2()' using integer bithack instead of float calculation
252* Make leapsec_query debug messages less verbose. Harlan Stenn.
253
254---
255
3NTP 4.2.8p5
4
5Focus: Security, Bug fixes, enhancements.
6
7Severity: MEDIUM
8
9In addition to bug fixes and enhancements, this release fixes the
10following medium-severity vulnerability:

--- 1545 unchanged lines hidden ---
256NTP 4.2.8p5
257
258Focus: Security, Bug fixes, enhancements.
259
260Severity: MEDIUM
261
262In addition to bug fixes and enhancements, this release fixes the
263following medium-severity vulnerability:
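Review bot: The vulnerability counts in the 4.2.8p6 intro are still template placeholders: "following X low- and Y medium-severity vulnerabilities:" was committed with X and Y unfilled. Counting the nine entries below, CVE-2015-7975 is the only LOW (1.2) and the other eight all score in the MEDIUM range (4.0 to 5.8), so the line should read "one low- and eight medium-severity vulnerabilities". Several smaller defects in the same block should be fixed before this ships as release text: the CVE-2015-8138 entry says "(3.7 - LOW if you score AC:L)" directly under a CVSSv3 vector that already contains AC:L, so the parenthetical presumably means AC:H (the AC:H variant of that vector does score 3.7); the same entry's mitigation has a broken quote, "Monitor your 'ntpd= instances.", which should be 'ntpd'; the CVE-2015-7978 entry is the only one whose "Date Resolved:" line omits the "Dev (4.3.90) 19 Jan 2016" half even though its Affects line says 4.3.90 is fixed; the CVE-2015-7979 title carries a wiki escape, "(!DoS)", that should be plain "(DoS)" in a text file; "we're taking about ntpq" in the CVE-2015-7975 summary should be "talking"; and "printing od MRU list" under Bug 2971 should be "of". The CVSS labelling is also inconsistent across entries ("CVSS2:" vs "CVSS:" vs "CVSSv3:", and the 5.8 and 4.9 base scores for CVE-2015-7979 and CVE-2015-7974 lack the severity word the others carry); picking one form for all nine entries would make the advisory easier to parse for anyone scripting against NEWS.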