Home / mailingsPDF  

FreeBSD Security Advisory FreeBSD-SA-15:25.ntp

Posted on 26 October 2015
FreeBSD security notificat

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-15:25.ntp Security Advisory
The FreeBSD Project

Topic: Multiple vulnerabilities of ntp

Category: contrib
Module: ntp
Announced: 2015-10-26
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6)
2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23)
2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE)
2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29)
CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851,
CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855,
CVE-2015-7871

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I. Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II. Problem Description

Crypto-NAK packets can be used to cause ntpd(8) to accept time from an
unauthenticated ephemeral symmetric peer by bypassing the authentication
required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and
10.1 are not affected.

If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusual
long data value where a network address is expected, the decodenetnum()
function will abort with an assertion failure instead of simply returning
a failure condition. [CVE-2015-7855]

If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote
configuration requests, and if the attacker knows the remote
configuration password or if ntpd(8) was configured to disable
authentication, then an attacker can send a set of packets to ntpd(8) that
may cause it to crash, with the hypothetical possibility of a small code
injection. [CVE-2015-7854]

A negative value for the datalen parameter will overflow a data buffer.
NTF's ntpd(8) driver implementations always set this value to 0 and are
therefore not vulnerable to this weakness. If you are running a custom
refclock driver in ntpd(8) and that driver supplies a negative value for
datalen (no custom driver of even minimal competence would do this)
then ntpd would overflow a data buffer. It is even hypothetically
possible in this case that instead of simply crashing ntpd the
attacker could effect a code injection attack. [CVE-2015-7853]

If an attacker can figure out the precise moment that ntpq(8) is listening
for data and the port number it is listening on or if the attacker can
provide a malicious instance ntpd(8) that victims will connect to then an
attacker can send a set of crafted mode 6 response packets that, if
received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852]

If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) IP address is allowed to send remote configuration
requests, and if the attacker knows the remote configuration password
or if ntpd(8) was configured to disable authentication, then an attacker
can send a set of packets to ntpd that may cause ntpd(8) to overwrite
files. [CVE-2015-7851]. The default configuration of ntpd(8) within
FreeBSD does not allow remote configuration.

If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote
configuration requests, and if the attacker knows the remote
configuration password or if ntpd(8) was configured to disable
authentication, then an attacker can send a set of packets to ntpd
that will cause it to crash and/or create a potentially huge log
file. Specifically, the attacker could enable extended logging,
point the key file at the log file, and cause what amounts to an
infinite loop. [CVE-2015-7850]. The default configuration of ntpd(8)
within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote
configuration requests, and if the attacker knows the remote
configuration password or if ntpd was configured to disable
authentication, then an attacker can send a set of packets to
ntpd that may cause a crash or theoretically perform a code
injection attack. [CVE-2015-7849]. The default configuration of ntpd(8)
within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to enable mode 7 packets, and if the use
of mode 7 packets is not properly protected thru the use of the
available mode 7 authentication and restriction mechanisms, and
if the (possibly spoofed) source IP address is allowed to send
mode 7 queries, then an attacker can send a crafted packet to
ntpd that will cause it to crash. [CVE-2015-7848]. The default
configuration of ntpd(8) within FreeBSD does not allow mode 7
packets.

If ntpd(8) is configured to use autokey, then an attacker can send
packets to ntpd that will, after several days of ongoing attack,
cause it to run out of memory. [CVE-2015-7701]. The default
configuration of ntpd(8) within FreeBSD does not use autokey.

If ntpd(8) is configured to allow for remote configuration, and if
the (possibly spoofed) source IP address is allowed to send
remote configuration requests, and if the attacker knows the
remote configuration password, it's possible for an attacker
to use the "pidfile" or "driftfile" directives to potentially
overwrite other files. [CVE-2015-5196]. The default configuration
of ntpd(8) within FreeBSD does not allow remote configuration

An ntpd(8) client that honors Kiss-of-Death responses will honor
KoD messages that have been forged by an attacker, causing it
to delay or stop querying its servers for time updates. Also,
an attacker can forge packets that claim to be from the target
and send them to servers often enough that a server that
implements KoD rate limiting will send the target machine a
KoD response to attempt to reduce the rate of incoming packets,
or it may also trigger a firewall block at the server for
packets from the target machine. For either of these attacks
to succeed, the attacker must know what servers the target
is communicating with. An attacker can be anywhere on the
Internet and can frequently learn the identity of the target's
time source by sending the target a time query. [CVE-2015-7704]

The fix for CVE-2014-9750 was incomplete in that there were
certain code paths where a packet with particular autokey
operations that contained malicious data was not always being
completely validated. Receipt of these packets can cause ntpd
to crash. [CVE-2015-7702]. The default configuration of ntpd(8)
within FreeBSD does not use autokey.

III. Impact

An attacker which can send NTP packets to ntpd(8), which uses cryptographic
authentication of NTP data, may be able to inject malicious time data
causing the system clock to be set incorrectly. [CVE-2015-7871]

An attacker which can send NTP packets to ntpd(8), can block the
communication of the daemon with time servers, causing the system
clock not being synchronized. [CVE-2015-7704]

An attacker which can send NTP packets to ntpd(8), can remotely crash
the daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854]
[CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848]

An attacker which can send NTP packets to ntpd(8), can remotely
trigger the daemon to overwrite its configuration files. [CVE-2015-7851]
[CVE-2015-5196]

IV. Workaround

No workaround is available, but systems not running ntpd(8) are not
affected. Network administrators are advised to implement BCP-38,
which helps to reduce risk associated with the attacks.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2
# bunzip2 ntp-102.patch.bz2
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc
# gpg --verify ntp-102.patch.asc

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2
# bunzip2 ntp-101.patch.bz2
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc
# gpg --verify ntp-101.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2
# bunzip2 ntp-93.patch.bz2
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc
# gpg --verify ntp-93.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# find contrib/ntp -type f -empty -delete

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended,
which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and
with help of the etcupdate(8) tool on 10.1-RELEASE.

Restart the ntpd(8) daemon, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r289998
releng/9.3/ r290001
stable/10/ r289997
releng/10.1/ r290000
releng/10.2/ r289999
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc

 

TOP