From: Gary Palmer <gpalmer@freebsd.org>
To: freebsd-security@freebsd.org
Date: Mon, 26 Oct 2015 15:59:15 +0000
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp
Message-ID: <20151026155915.GA39073@in-addr.com>
In-Reply-To: <201510261236.t9QCa2cm044240@think.nginx.com>

Hi,

Anyone else done the update on FreeBSD 9.3? After rebuilding the world
I'm getting an error when running ntpdc or ntpq:

% ntpdc -np
/usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed
Abort

Thanks,

Gary

On Mon, Oct 26, 2015 at 12:36:02PM +0000, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-15:25.ntp                                        Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Multiple vulnerabilities of ntp
>
> Category:       contrib
> Module:         ntp
> Announced:      2015-10-26
> Credits:        Network Time Foundation
> Affects:        All supported versions of FreeBSD.
> Corrected:      2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
>                 2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6)
>                 2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23)
>                 2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE)
>                 2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29)
> CVE Name:       CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
>                 CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851,
>                 CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855,
>                 CVE-2015-7871
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit https://security.FreeBSD.org/.
>
> I.   Background
>
> The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
> used to synchronize the time of a computer system to a reference time
> source.
>
> II.  Problem Description
>
> Crypto-NAK packets can be used to cause ntpd(8) to accept time from an
> unauthenticated ephemeral symmetric peer by bypassing the authentication
> required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and
> 10.1 are not affected.
>
> If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusually
> long data value where a network address is expected, the decodenetnum()
> function will abort with an assertion failure instead of simply returning
> a failure condition. [CVE-2015-7855]
>
> If ntpd(8) is configured to allow remote configuration, and if the
> (possibly spoofed) source IP address is allowed to send remote
> configuration requests, and if the attacker knows the remote
> configuration password or if ntpd(8) was configured to disable
> authentication, then an attacker can send a set of packets to ntpd(8) that
> may cause it to crash, with the hypothetical possibility of a small code
> injection. [CVE-2015-7854]
>
> A negative value for the datalen parameter will overflow a data buffer.
> NTF's ntpd(8) driver implementations always set this value to 0 and are
> therefore not vulnerable to this weakness. If you are running a custom
> refclock driver in ntpd(8) and that driver supplies a negative value for
> datalen (no custom driver of even minimal competence would do this)
> then ntpd would overflow a data buffer. It is even hypothetically
> possible in this case that instead of simply crashing ntpd the
> attacker could effect a code injection attack. [CVE-2015-7853]
>
> If an attacker can figure out the precise moment that ntpq(8) is listening
> for data and the port number it is listening on, or if the attacker can
> provide a malicious instance of ntpd(8) that victims will connect to, then an
> attacker can send a set of crafted mode 6 response packets that, if
> received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852]
>
> If ntpd(8) is configured to allow remote configuration, and if the
> (possibly spoofed) IP address is allowed to send remote configuration
> requests, and if the attacker knows the remote configuration password
> or if ntpd(8) was configured to disable authentication, then an attacker
> can send a set of packets to ntpd that may cause ntpd(8) to overwrite
> files. [CVE-2015-7851] The default configuration of ntpd(8) within
> FreeBSD does not allow remote configuration.
>
> If ntpd(8) is configured to allow remote configuration, and if the
> (possibly spoofed) source IP address is allowed to send remote
> configuration requests, and if the attacker knows the remote
> configuration password or if ntpd(8) was configured to disable
> authentication, then an attacker can send a set of packets to ntpd
> that will cause it to crash and/or create a potentially huge log
> file. Specifically, the attacker could enable extended logging,
> point the key file at the log file, and cause what amounts to an
> infinite loop. [CVE-2015-7850] The default configuration of ntpd(8)
> within FreeBSD does not allow remote configuration.
>
> If ntpd(8) is configured to allow remote configuration, and if the
> (possibly spoofed) source IP address is allowed to send remote
> configuration requests, and if the attacker knows the remote
> configuration password or if ntpd was configured to disable
> authentication, then an attacker can send a set of packets to
> ntpd that may cause a crash or theoretically perform a code
> injection attack. [CVE-2015-7849] The default configuration of ntpd(8)
> within FreeBSD does not allow remote configuration.
>
> If ntpd(8) is configured to enable mode 7 packets, and if the use
> of mode 7 packets is not properly protected through the use of the
> available mode 7 authentication and restriction mechanisms, and
> if the (possibly spoofed) source IP address is allowed to send
> mode 7 queries, then an attacker can send a crafted packet to
> ntpd that will cause it to crash. [CVE-2015-7848] The default
> configuration of ntpd(8) within FreeBSD does not allow mode 7
> packets.
>
> If ntpd(8) is configured to use autokey, then an attacker can send
> packets to ntpd that will, after several days of ongoing attack,
> cause it to run out of memory. [CVE-2015-7701] The default
> configuration of ntpd(8) within FreeBSD does not use autokey.
>
> If ntpd(8) is configured to allow for remote configuration, and if
> the (possibly spoofed) source IP address is allowed to send
> remote configuration requests, and if the attacker knows the
> remote configuration password, it's possible for an attacker
> to use the "pidfile" or "driftfile" directives to potentially
> overwrite other files. [CVE-2015-5196] The default configuration
> of ntpd(8) within FreeBSD does not allow remote configuration.
>
> An ntpd(8) client that honors Kiss-of-Death responses will honor
> KoD messages that have been forged by an attacker, causing it
> to delay or stop querying its servers for time updates. Also,
> an attacker can forge packets that claim to be from the target
> and send them to servers often enough that a server that
> implements KoD rate limiting will send the target machine a
> KoD response to attempt to reduce the rate of incoming packets,
> or it may also trigger a firewall block at the server for
> packets from the target machine. For either of these attacks
> to succeed, the attacker must know what servers the target
> is communicating with. An attacker can be anywhere on the
> Internet and can frequently learn the identity of the target's
> time source by sending the target a time query. [CVE-2015-7704]
>
> The fix for CVE-2014-9750 was incomplete in that there were
> certain code paths where a packet with particular autokey
> operations that contained malicious data was not always being
> completely validated. Receipt of these packets can cause ntpd
> to crash. [CVE-2015-7702] The default configuration of ntpd(8)
> within FreeBSD does not use autokey.
>
> III. Impact
>
> An attacker who can send NTP packets to ntpd(8), which uses cryptographic
> authentication of NTP data, may be able to inject malicious time data
> causing the system clock to be set incorrectly. [CVE-2015-7871]
>
> An attacker who can send NTP packets to ntpd(8) can block the
> communication of the daemon with time servers, causing the system
> clock not to be synchronized. [CVE-2015-7704]
>
> An attacker who can send NTP packets to ntpd(8) can remotely crash
> the daemon by sending malicious data packets. [CVE-2015-7855] [CVE-2015-7854]
> [CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848]
>
> An attacker who can send NTP packets to ntpd(8) can remotely
> trigger the daemon to overwrite its configuration files. [CVE-2015-7851]
> [CVE-2015-5196]
>
> IV.  Workaround
>
> No workaround is available, but systems not running ntpd(8) are not
> affected. Network administrators are advised to implement BCP-38,
> which helps to reduce risk associated with the attacks.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> The ntpd service has to be restarted after the update. A reboot is
> recommended but not required.
>
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> The ntpd service has to be restarted after the update. A reboot is
> recommended but not required.
>
> 3) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 10.2]
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2
> # bunzip2 ntp-102.patch.bz2
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc
> # gpg --verify ntp-102.patch.asc
>
> [FreeBSD 10.1]
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2
> # bunzip2 ntp-101.patch.bz2
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc
> # gpg --verify ntp-101.patch.asc
>
> [FreeBSD 9.3]
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2
> # bunzip2 ntp-93.patch.bz2
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc
> # gpg --verify ntp-93.patch.asc
>
> b) Apply the patch. Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # find contrib/ntp -type f -empty -delete
>
> c) Recompile the operating system using buildworld and installworld as
> described in https://www.FreeBSD.org/handbook/makeworld.html.
>
> d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended,
> which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and
> with help of the etcupdate(8) tool on 10.1-RELEASE.
>
> Restart the ntpd(8) daemon, or reboot the system.
>
> VI.  Correction details
>
> The following list contains the correction revision numbers for each
> affected branch.
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/9/                                                         r289998
> releng/9.3/                                                       r290001
> stable/10/                                                        r289997
> releng/10.1/                                                      r290000
> releng/10.2/                                                      r289999
> - -------------------------------------------------------------------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN
>
> VII. References
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871
>
> The latest revision of this advisory is available at
> https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJWLhOJAAoJEO1n7NZdz2rn91wP/2GwEt1boNQq2a7nYzv/mS5D
> sYKkIi7o+2yr2BLXvtc3O7c9QC3/YeGsza9DTRqndcY572SWvRgtkFstMTTm8IV/
> RVlIE40gVR3tex0zo7BiD7uKUrxWxWcpwMbE5dzlE+vSybyyj0dSSkwUHJjrbJoA
> RmyNuEEUhQn5sRCg6qJv/PLp2G7BcYAasKScukjm7QnLP2kq/tvM9mcqwfh2tadM
> 7kbf8uq+ykvsRzctaDnxQaB5+zJxBQYJjBelxQfIkNek0XGfdj3sRwISeFznbllq
> mOLTIBaFiuEtHtusO7MKKavMgS5CQJOvuuvd/l3NY1MnxC6X/1SWig9KIKDIn/hv
> q8dsnq7LLx+tO6Cv4Dub7EbC2ZP3xXGOC4Ie02z8bTZnbX7iwyPUidQQqtU9ra15
> rxzFcZnBxu+yyMNJVsV2qVV/r9OycgKxWlEELC1wYrK9fKfvLdA5aEGjDeU1Z+s6
> JS2zKr0t4F2bMrCsjYP1lQD8sHkCVjwJk+IJU/slcwSajDjBNlMH0yBxGYE1ETIZ
> qMF7/PAkLe8V78pdYmXw9pcaPyhI+ihPLnNrdhX8AI2RX5jDK7IuUNJeUM04UrVB
> 8N+mMwgamcuCPWNNyXaL0bz21fexZOuhHmU+B8Yn3SFX5O5b/r9gGvrjo8ei8jOk
> EUlBT3ViDhHNrI7PTaiI
> =djPm
> -----END PGP SIGNATURE-----
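Nearly every item in the quoted advisory is conditioned on an optional ntpd feature being turned on: remote configuration, mode 7 packets, autokey, authentication disabled, or a restrict line that lets a (possibly spoofed) address send queries or configuration requests. The advisory notes that FreeBSD's default ntp.conf enables none of these. The following is an added example, not part of this message or of the FreeBSD advisory, that audits an ntp.conf for exactly those preconditions so an administrator can confirm a host is on the default footing while the update is pending. Directive names follow ntp.conf(5) (controlkey, requestkey, enable mode7, crypto, disable auth, restrict); the mapping of each directive to an advisory item and both sample configurations are this example's own assumptions.

```python
"""Audit an ntp.conf for the optional features that FreeBSD-SA-15:25.ntp
conditions its issues on. Directive semantics per ntp.conf(5); the
directive-to-advisory mapping is this example's own reading of the text."""

# Constructed sample configuration (not from any real host): it turns on
# every feature the advisory warns about, plus one permissive restrict line.
SAMPLE_CONF = """\
# constructed sample ntp.conf
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.0.2.0 mask 255.255.255.0
keys /etc/ntp.keys
trustedkey 1
controlkey 1
requestkey 1
enable mode7
crypto pw secret
disable auth
"""

# Constructed configuration on the footing the advisory describes as the
# FreeBSD default: no remote configuration, no mode 7, no autokey.
HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_ntp_conf(text):
    """Return (directive, [args]) tuples, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def _restrict_target(args):
    """Split a restrict line into its address and its flag list,
    ignoring the optional -4/-6 address-family switch."""
    rest = [a for a in args if a not in ("-4", "-6")]
    if not rest:
        return "default", []
    return rest[0], rest[1:]


def audit_ntp_conf(text):
    """Return a list of (directive, explanation) findings, in file order."""
    findings = []
    for directive, args in parse_ntp_conf(text):
        if directive == "controlkey":
            findings.append(("controlkey",
                "mode 6 runtime configuration (ntpq :config) is enabled; this is the "
                "'remote configuration' precondition of CVE-2015-7849/7850/7851/7854/5196"))
        elif directive == "requestkey":
            findings.append(("requestkey",
                "authenticated mode 7 requests (ntpdc) are enabled"))
        elif directive == "enable" and "mode7" in args:
            findings.append(("enable mode7",
                "mode 7 packets are accepted [CVE-2015-7848]"))
        elif directive == "crypto":
            findings.append(("crypto",
                "autokey is in use [CVE-2015-7701, CVE-2015-7702]"))
        elif directive == "disable" and "auth" in args:
            findings.append(("disable auth",
                "authentication disabled: the remote-configuration items need no password"))
        elif directive == "restrict":
            target, flags = _restrict_target(args)
            if target in LOOPBACK:
                continue  # local admin access over loopback is the normal default
            missing = [f for f in ("noquery", "nomodify") if f not in flags]
            if missing:
                findings.append(("restrict " + target,
                    "missing " + ", ".join(missing) + ": this address range may send "
                    "mode 6/7 queries or configuration requests"))
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name}: {len(audit_ntp_conf(conf))} finding(s)")
        for directive, why in audit_ntp_conf(conf):
            print(f"  {directive}: {why}")
```

Run it against /etc/ntp.conf by reading the file into `audit_ntp_conf`; an empty result means the host is on the default footing the advisory describes, which narrows the remaining exposure to the KoD and crypto-NAK items that need no special configuration.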