From owner-freebsd-announce@freebsd.org Mon Oct 26 12:37:10 2015 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7821B8189 for ; Mon, 26 Oct 2015 12:37:10 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from cell.glebius.int.ru (glebius.int.ru [81.19.69.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "cell.glebius.int.ru", Issuer "cell.glebius.int.ru" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id EC6781828; Mon, 26 Oct 2015 12:37:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from think.nginx.com (think.glebius.int.ru [81.19.69.13]) by cell.glebius.int.ru (8.15.2/8.15.2) with ESMTPS id t9QCb1e4032481 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 26 Oct 2015 15:37:01 +0300 (MSK) (envelope-from security-advisories@freebsd.org) Received: from think.nginx.com (localhost [127.0.0.1]) by think.nginx.com (8.15.2/8.15.2) with ESMTPS id t9QCa2qr044230 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 26 Oct 2015 15:36:02 +0300 (MSK) (envelope-from security-advisories@freebsd.org) Received: (from glebius@localhost) by think.nginx.com (8.15.2/8.15.2/Submit) id t9QCa2DH044228; Mon, 26 Oct 2015 12:36:02 GMT (envelope-from security-advisories@freebsd.org) Date: Mon, 26 Oct 2015 12:36:02 GMT Message-Id: <201510261236.t9QCa2DH044228@think.nginx.com> X-Authentication-Warning: think.nginx.com: glebius set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:25.ntp X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Oct 2015 12:37:10 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-15:25.ntp Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities of ntp Category: contrib Module: ntp Announced: 2015-10-26 Credits: Network Time Foundation Affects: All supported versions of FreeBSD. Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE) 2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6) 2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23) 2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE) 2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29) CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/. I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description Crypto-NAK packets can be used to cause ntpd(8) to accept time from an unauthenticated ephemeral symmetric peer by bypassing the authentication required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and 10.1 are not affected. If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusual long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition. [CVE-2015-7855] If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that may cause it to crash, with the hypothetical possibility of a small code injection. [CVE-2015-7854] A negative value for the datalen parameter will overflow a data buffer. NTF's ntpd(8) driver implementations always set this value to 0 and are therefore not vulnerable to this weakness. If you are running a custom refclock driver in ntpd(8) and that driver supplies a negative value for datalen (no custom driver of even minimal competence would do this) then ntpd would overflow a data buffer. It is even hypothetically possible in this case that instead of simply crashing ntpd the attacker could effect a code injection attack. [CVE-2015-7853] If an attacker can figure out the precise moment that ntpq(8) is listening for data and the port number it is listening on or if the attacker can provide a malicious instance ntpd(8) that victims will connect to then an attacker can send a set of crafted mode 6 response packets that, if received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852] If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that may cause ntpd(8) to overwrite files. [CVE-2015-7851]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that will cause it to crash and/or create a potentially huge log file. Specifically, the attacker could enable extended logging, point the key file at the log file, and cause what amounts to an infinite loop. [CVE-2015-7850]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd was configured to disable authentication, then an attacker can send a set of packets to ntpd that may cause a crash or theoretically perform a code injection attack. [CVE-2015-7849]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to enable mode 7 packets, and if the use of mode 7 packets is not properly protected thru the use of the available mode 7 authentication and restriction mechanisms, and if the (possibly spoofed) source IP address is allowed to send mode 7 queries, then an attacker can send a crafted packet to ntpd that will cause it to crash. [CVE-2015-7848]. The default configuration of ntpd(8) within FreeBSD does not allow mode 7 packets. If ntpd(8) is configured to use autokey, then an attacker can send packets to ntpd that will, after several days of ongoing attack, cause it to run out of memory. [CVE-2015-7701]. The default configuration of ntpd(8) within FreeBSD does not use autokey. If ntpd(8) is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it's possible for an attacker to use the "pidfile" or "driftfile" directives to potentially overwrite other files. [CVE-2015-5196]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration An ntpd(8) client that honors Kiss-of-Death responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query. [CVE-2015-7704] The fix for CVE-2014-9750 was incomplete in that there were certain code paths where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. [CVE-2015-7702]. The default configuration of ntpd(8) within FreeBSD does not use autokey. III. Impact An attacker which can send NTP packets to ntpd(8), which uses cryptographic authentication of NTP data, may be able to inject malicious time data causing the system clock to be set incorrectly. [CVE-2015-7871] An attacker which can send NTP packets to ntpd(8), can block the communication of the daemon with time servers, causing the system clock not being synchronized. [CVE-2015-7704] An attacker which can send NTP packets to ntpd(8), can remotely crash the daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854] [CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848] An attacker which can send NTP packets to ntpd(8), can remotely trigger the daemon to overwrite its configuration files. [CVE-2015-7851] [CVE-2015-5196] IV. Workaround No workaround is available, but systems not running ntpd(8) are not affected. Network administrators are advised to implement BCP-38, which helps to reduce risk associated with the attacks. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The ntpd service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The ntpd service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.2] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2 # bunzip2 ntp-102.patch.bz2 # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc # gpg --verify ntp-102.patch.asc [FreeBSD 10.1] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2 # bunzip2 ntp-101.patch.bz2 # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc # gpg --verify ntp-101.patch.asc [FreeBSD 9.3] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2 # bunzip2 ntp-93.patch.bz2 # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc # gpg --verify ntp-93.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # find contrib/ntp -type f -empty -delete c) Recompile the operating system using buildworld and installworld as described in https://www.FreeBSD.org/handbook/makeworld.html. d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended, which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and with help of the etcupdate(8) tool on 10.1-RELEASE. Restart the ntpd(8) daemon, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r289998 releng/9.3/ r290001 stable/10/ r289997 releng/10.1/ r290000 releng/10.2/ r289999 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN VII. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871 The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJWLhOJAAoJEO1n7NZdz2rn91wP/2GwEt1boNQq2a7nYzv/mS5D sYKkIi7o+2yr2BLXvtc3O7c9QC3/YeGsza9DTRqndcY572SWvRgtkFstMTTm8IV/ RVlIE40gVR3tex0zo7BiD7uKUrxWxWcpwMbE5dzlE+vSybyyj0dSSkwUHJjrbJoA RmyNuEEUhQn5sRCg6qJv/PLp2G7BcYAasKScukjm7QnLP2kq/tvM9mcqwfh2tadM 7kbf8uq+ykvsRzctaDnxQaB5+zJxBQYJjBelxQfIkNek0XGfdj3sRwISeFznbllq mOLTIBaFiuEtHtusO7MKKavMgS5CQJOvuuvd/l3NY1MnxC6X/1SWig9KIKDIn/hv q8dsnq7LLx+tO6Cv4Dub7EbC2ZP3xXGOC4Ie02z8bTZnbX7iwyPUidQQqtU9ra15 rxzFcZnBxu+yyMNJVsV2qVV/r9OycgKxWlEELC1wYrK9fKfvLdA5aEGjDeU1Z+s6 JS2zKr0t4F2bMrCsjYP1lQD8sHkCVjwJk+IJU/slcwSajDjBNlMH0yBxGYE1ETIZ qMF7/PAkLe8V78pdYmXw9pcaPyhI+ihPLnNrdhX8AI2RX5jDK7IuUNJeUM04UrVB 8N+mMwgamcuCPWNNyXaL0bz21fexZOuhHmU+B8Yn3SFX5O5b/r9gGvrjo8ei8jOk EUlBT3ViDhHNrI7PTaiI =djPm -----END PGP SIGNATURE-----