author | delphij <delphij@FreeBSD.org> | 2016-04-29 08:02:31 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2016-04-29 08:02:31 +0000 |
commit | 8738d3374d360bdb231ac07c863e462cd62f83c6 (patch) | |
tree | 88283a221508ca2b5a5ccce12c44af1f57c0e909 /contrib/ntp/NEWS | |
parent | e021bee65027979bc179c9148040d65d33c528a1 (diff) | |
Fix ntp multiple vulnerabilities.
Approved by: so
Diffstat (limited to 'contrib/ntp/NEWS')
-rw-r--r-- | contrib/ntp/NEWS | 354 |
1 files changed, 347 insertions, 7 deletions
diff --git a/contrib/ntp/NEWS b/contrib/ntp/NEWS index 278943c..1edaf5d 100644 --- a/contrib/ntp/NEWS +++ b/contrib/ntp/NEWS 
@@ -1,13 +1,353 @@ --- +NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26) -NTP 4.2.8p6 +Focus: Security, Bug fixes, enhancements. + +Severity: MEDIUM + +When building NTP from source, there is a new configure option +available, --enable-dynamic-interleave. More information on this below. + +Also note that ntp-4.2.8p7 logs more "unexpected events" than previous +versions of ntp. These events have almost certainly happened in the +past, it's just that they were silently counted and not logged. With +the increasing awareness around security, we feel it's better to clearly +log these events to help detect abusive behavior. This increased +logging can also help detect other problems, too. + +In addition to bug fixes and enhancements, this release fixes the +following 9 low- and medium-severity vulnerabilities: + +* Improve NTP security against buffer comparison timing attacks, + AKA: authdecrypt-timing + Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + References: Sec 2879 / CVE-2016-1550 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92 + CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N) + CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N + Summary: Packet authentication tests have been performed using + memcmp() or possibly bcmp(), and it is potentially possible + for a local or perhaps LAN-based attacker to send a packet with + an authentication payload and indirectly observe how much of + the digest has matched. + Mitigation: + Upgrade to 4.2.8p7, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page. + Properly monitor your ntpd instances. + Credit: This weakness was discovered independently by Loganaden + Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG. + +* Zero origin timestamp bypass: Additional KoD checks. 
+ References: Sec 2945 / Sec 2901 / CVE-2015-8138 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, + Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92. + +* peer associations were broken by the fix for NtpBug2899 + Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + References: Sec 2952 / CVE-2015-7704 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92 + CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P) + Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer + associations did not address all of the issues. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p7, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + If you can't upgrade, use "server" associations instead of + "peer" associations. + Monitor your ntpd instances. + Credit: This problem was discovered by Michael Tatarinov. + +* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS + Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + References: Sec 3007 / CVE-2016-1547 / VU#718152 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92 + CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P) + CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an + off-path attacker can cause a preemptable client association to + be demobilized by sending a crypto NAK packet to a victim client + with a spoofed source address of an existing associated peer. + This is true even if authentication is enabled. + + Furthermore, if the attacker keeps sending crypto NAK packets, + for example one every second, the victim never has a chance to + reestablish the association and synchronize time with that + legitimate server. 
+ + For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more + stringent checks are performed on incoming packets, but there + are still ways to exploit this vulnerability in versions before + ntp-4.2.8p7. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p7, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your =ntpd= instances + Credit: This weakness was discovered by Stephen Gray and + Matthew Van Gundy of Cisco ASIG. + +* ctl_getitem() return value not always checked + Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + References: Sec 3008 / CVE-2016-2519 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92 + CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C) + CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H + Summary: ntpq and ntpdc can be used to store and retrieve information + in ntpd. It is possible to store a data value that is larger + than the size of the buffer that the ctl_getitem() function of + ntpd uses to report the return value. If the length of the + requested data value returned by ctl_getitem() is too large, + the value NULL is returned instead. There are 2 cases where the + return value from ctl_getitem() was not directly checked to make + sure it's not NULL, but there are subsequent INSIST() checks + that make sure the return value is not NULL. There are no data + values ordinarily stored in ntpd that would exceed this buffer + length. But if one has permission to store values and one stores + a value that is "too large", then ntpd will abort if an attempt + is made to read that oversized value. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p7, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances. + Credit: This weakness was discovered by Yihan Lian of the Cloud + Security Team, Qihoo 360. 
+ +* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC + Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + References: Sec 3009 / CVE-2016-2518 / VU#718152 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92 + CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P) + CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L + Summary: Using a crafted packet to create a peer association with + hmode > 7 causes the MATCH_ASSOC() lookup to make an + out-of-bounds reference. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p7, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances + Credit: This weakness was discovered by Yihan Lian of the Cloud + Security Team, Qihoo 360. + +* remote configuration trustedkey/requestkey/controlkey values are not + properly validated + Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + References: Sec 3010 / CVE-2016-2517 / VU#718152 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92 + CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C) + CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H + Summary: If ntpd was expressly configured to allow for remote + configuration, a malicious user who knows the controlkey for + ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) + can create a session with ntpd and then send a crafted packet to + ntpd that will change the value of the trustedkey, controlkey, + or requestkey to a value that will prevent any subsequent + authentication with ntpd until ntpd is restarted. + Mitigation: + Implement BCP-38. 
+ Upgrade to 4.2.8p7, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your =ntpd= instances + Credit: This weakness was discovered by Yihan Lian of the Cloud + Security Team, Qihoo 360. + +* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd + Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + References: Sec 3011 / CVE-2016-2516 / VU#718152 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92 + CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C) + CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H + Summary: If ntpd was expressly configured to allow for remote + configuration, a malicious user who knows the controlkey for + ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) + can create a session with ntpd and if an existing association is + unconfigured using the same IP twice on the unconfig directive + line, ntpd will abort. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p7, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances + Credit: This weakness was discovered by Yihan Lian of the Cloud + Security Team, Qihoo 360. + +* Refclock impersonation vulnerability + Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + References: Sec 3020 / CVE-2016-1551 + Affects: On a very limited number of OSes, all NTP releases up to but + not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92. + By "very limited number of OSes" we mean no general-purpose OSes + have yet been identified that have this vulnerability. 
+ CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N) + CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N + Summary: While most OSes implement martian packet filtering in their + network stack, at least regarding 127.0.0.0/8, some will allow + packets claiming to be from 127.0.0.0/8 that arrive over a + physical network. On these OSes, if ntpd is configured to use a + reference clock an attacker can inject packets over the network + that look like they are coming from that reference clock. + Mitigation: + Implement martian packet filtering and BCP-38. + Configure ntpd to use an adequate number of time sources. + Upgrade to 4.2.8p7, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + If you are unable to upgrade and if you are running an OS that + has this vulnerability, implement martian packet filters and + lobby your OS vendor to fix this problem, or run your + refclocks on computers that use OSes that are not vulnerable + to these attacks and have your vulnerable machines get their + time from protected resources. + Properly monitor your ntpd instances. + Credit: This weakness was discovered by Matt Street and others of + Cisco ASIG. + +The following issues were fixed in earlier releases and contain +improvements in 4.2.8p7: + +* Clients that receive a KoD should validate the origin timestamp field. + References: Sec 2901 / CVE-2015-7704, CVE-2015-7705 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, + Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77. + +* Skeleton key: passive server with trusted key can serve time. + References: Sec 2936 / CVE-2015-7974 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, + Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90. 
+ +Two other vulnerabilities have been reported, and the mitigations +for these are as follows: + +* Interleave-pivot + Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + References: Sec 2978 / CVE-2016-1548 + Affects: All ntp-4 releases. + CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P) + CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L + Summary: It is possible to change the time of an ntpd client or deny + service to an ntpd client by forcing it to change from basic + client/server mode to interleaved symmetric mode. An attacker + can spoof a packet from a legitimate ntpd server with an origin + timestamp that matches the peer->dst timestamp recorded for that + server. After making this switch, the client will reject all + future legitimate server responses. It is possible to force the + victim client to move time after the mode has been changed. + ntpq gives no indication that the mode has been switched. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p7, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page. These + versions will not dynamically "flip" into interleave mode + unless configured to do so. + Properly monitor your ntpd instances. + Credit: This weakness was discovered by Miroslav Lichvar of RedHat + and separately by Jonathan Gardner of Cisco ASIG. + +* Sybil vulnerability: ephemeral association attack + Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + References: Sec 3012 / CVE-2016-1549 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92 + CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) + CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N + Summary: ntpd can be vulnerable to Sybil attacks. 
If one is not using + the feature introduced in ntp-4.2.8p6 allowing an optional 4th + field in the ntp.keys file to specify which IPs can serve time, + a malicious authenticated peer can create arbitrarily-many + ephemeral associations in order to win the clock selection of + ntpd and modify a victim's clock. + Mitigation: + Implement BCP-38. + Use the 4th field in the ntp.keys file to specify which IPs + can be time servers. + Properly monitor your ntpd instances. + Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. + +Other fixes: + +* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org + - fixed yet another race condition in the threaded resolver code. +* [Bug 2858] bool support. Use stdbool.h when available. HStenn. +* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org + - integrated patches by Loganaden Velvidron <logan@ntp.org> + with some modifications & unit tests +* [Bug 2960] async name resolution fixes for chroot() environments. + Reinhard Max. +* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org +* [Bug 2995] Fixes to compile on Windows +* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org +* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org + - Patch provided by Ch. Weisgerber +* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character" + - A change related to [Bug 2853] forbids trailing white space in + remote config commands. perlinger@ntp.org +* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE + - report and patch from Aleksandr Kostikov. + - Overhaul of Windows IO completion port handling. perlinger@ntp.org +* [Bug 3022] authkeys.c should be refactored. 
perlinger@ntp.org + - fixed memory leak in access list (auth[read]keys.c) + - refactored handling of key access lists (auth[read]keys.c) + - reduced number of error branches (authreadkeys.c) +* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org +* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn. +* [Bug 3031] ntp broadcastclient unable to synchronize to an server + when the time of server changed. perlinger@ntp.org + - Check the initial delay calculation and reject/unpeer the broadcast + server if the delay exceeds 50ms. Retry again after the next + broadcast packet. +* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn. +* Document ntp.key's optional IP list in authenetic.html. Harlan Stenn. +* Update html/xleave.html documentation. Harlan Stenn. +* Update ntp.conf documentation. Harlan Stenn. +* Fix some Credit: attributions in the NEWS file. Harlan Stenn. +* Fix typo in html/monopt.html. Harlan Stenn. +* Add README.pullrequests. Harlan Stenn. +* Cleanup to include/ntp.h. Harlan Stenn. + +New option to 'configure': + +While looking in to the issues around Bug 2978, the "interleave pivot" +issue, it became clear that there are some intricate and unresolved +issues with interleave operations. We also realized that the interleave +protocol was never added to the NTPv4 Standard, and it should have been. + +Interleave mode was first released in July of 2008, and can be engaged +in two ways. Any 'peer' and 'broadcast' lines in the ntp.conf file may +contain the 'xleave' option, which will expressly enable interlave mode +for that association. Additionally, if a time packet arrives and is +found inconsistent with normal protocol behavior but has certain +characteristics that are compatible with interleave mode, NTP will +dynamically switch to interleave mode. 
With sufficient knowledge, an +attacker can send a crafted forged packet to an NTP instance that +triggers only one side to enter interleaved mode. + +To prevent this attack until we can thoroughly document, describe, +fix, and test the dynamic interleave mode, we've added a new +'configure' option to the build process: + + --enable-dynamic-interleave + +This option controls whether or not NTP will, if conditions are right, +engage dynamic interleave mode. Dynamic interleave mode is disabled by +default in ntp-4.2.8p7. + +--- +NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20) Focus: Security, Bug fixes, enhancements. Severity: MEDIUM In addition to bug fixes and enhancements, this release fixes the -following X low- and Y medium-severity vulnerabilities: +following 1 low- and 8 medium-severity vulnerabilities: * Potential Infinite Loop in 'ntpq' Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 @@ -53,7 +393,8 @@ following X low- and Y medium-severity vulnerabilities: Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page. Monitor your 'ntpd= instances. - Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG. + Credit: This weakness was discovered by Matthey Van Gundy and + Jonathan Gardner of Cisco ASIG. * Stack exhaustion in recursive traversal of restriction list Date Resolved: Stable (4.2.8p6) 19 Jan 2016 @@ -252,8 +593,7 @@ Other fixes: * Make leapsec_query debug messages less verbose. Harlan Stenn. --- - -NTP 4.2.8p5 +NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07) Focus: Security, Bug fixes, enhancements. @@ -353,7 +693,7 @@ Other fixes: * Quiet a warning from clang. Harlan Stenn. --- -NTP 4.2.8p4 +NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21) Focus: Security, Bug fixes, enhancements. 
@@ -689,7 +1029,7 @@ Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos. Apply the patch to the bottom of the "authentic" check block around line 1136 of ntp_proto.c. Monitor your ntpd instances. - Credit: This weakness was discovered by Stephen Gray <stepgray@cisco.com>. + Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG. Backward-Incompatible changes: * [Bug 2817] Default on Linux is now "rlimit memlock -1". |
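Review bot: in the first hunk (@@ -1,13 +1,353 @@) the imported 4.2.8p7 NEWS text carries several upstream typos and inconsistencies that should be reported to the NTP project rather than patched locally, since contrib/ntp is a vendor import: "incorporated in t 4.2.8p6" appears twice with a stray "t" (Zero origin timestamp and Skeleton key entries), "interlave mode" in the configure-option section, "to an server" in the Bug 3031 entry, and "Velvidron" in the Bug 2879 line against "Velvindron" in the CVE-2016-1550 Credit line. The "=ntpd=" markup residue in two Mitigation lines and the "CVSS2/CVSS3" and "CVSS3v" labels differ from the "CVSSv2/CVSSv3" form used elsewhere, and three "Affects:" lines end in a dangling comma. Also worth flagging upstream: the entry titled "peer associations were broken by the fix for NtpBug2899" has a Summary that says "The fix for NtpBug2952 in ntp-4.2.8p5", while Sec 2952 is the entry's own reference, so one of the two bug numbers looks wrong.

Review bot: in the second hunk (@@ -53,7 +393,8 @@) the new Credit line reads "Matthey Van Gundy", while the same person is credited as "Matthew Van Gundy" in the first and last hunks of this patch; the name should be spelled consistently, and the fix belongs upstream for the same vendor-import reason.

Review bot: in the last hunk (@@ -689,7 +1029,7 @@) the Credit line of an already-published 4.2.8p4 advisory entry is changed from Stephen Gray to Matthew Van Gundy; a retroactive attribution change to a shipped advisory is the kind of edit a reader will want to trace, so the commit message (currently "Fix ntp multiple vulnerabilities.") should mention that the NEWS file is being synced to upstream, which the first hunk's "Fix some Credit: attributions in the NEWS file. Harlan Stenn." entry indicates is the source of this change.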