Date: Wed, 7 Mar 2018 11:50:00 +0000 From: David Chisnall <theraven@FreeBSD.org> To: freebsd-security@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:02.ntp Message-ID: <3E55483F-40C9-478D-8539-B5B6C3C60FEA@FreeBSD.org> In-Reply-To: <20180307071008.B1366447B@freefall.freebsd.org> References: <20180307071008.B1366447B@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Were these changes and the kernel changes tested together on Xen? After = updating to -p7, I get about 10 seconds of uptime on a Xen VM before the = kernel panics with a double fault and reboots. Disabling ntpd results = in a stable system. On an AMD system without a hypervisor, I don=E2=80=99= t see any instability. David > On 7 Mar 2018, at 07:10, FreeBSD Security Advisories = <security-advisories@freebsd.org> wrote: >=20 > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 >=20 > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D > FreeBSD-SA-18:02.ntp Security = Advisory > The FreeBSD = Project >=20 > Topic: Multiple vulnerabilities of ntp >=20 > Category: contrib > Module: ntp > Announced: 2018-03-07 > Credits: Network Time Foundation > Affects: All supported versions of FreeBSD. > Corrected: 2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE) > 2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7) > 2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE) > 2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6) > 2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27) > CVE Name: CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, = CVE-2018-7185, > CVE-2018-7183 >=20 > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit <URL:https://security.FreeBSD.org/>. >=20 > I. Background >=20 > The ntpd(8) daemon is an implementation of the Network Time Protocol = (NTP) > used to synchronize the time of a computer system to a reference time > source. >=20 > II. Problem Description >=20 > The ctl_getitem() function is used by ntpd(8) to process incoming = "mode 6" > packets. A malicious "mode 6" packet can be sent to an ntpd instance, = and > if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() = will > read past the end of its buffer. [CVE-2018-7182] >=20 > The ntpd(8) service can be vulnerable to Sybil attacks. If a system = is > configured to use a trustedkey and if one is not using the feature = introduced > in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to = specify > which IPs can serve time, a malicious authenticated peer, i.e., one = where the > attacker knows the private symmetric key, can create arbitrarily-many > ephemeral associations in order to win the clock selection of ntpd and = modify > a victim's clock. [CVE-2018-7170] >=20 > The fix for NtpBug2952 was incomplete, and while it fixed one problem = it > created another. Specifically, it drops bad packets before updating = the > "received" timestamp. This means a third-party can inject a packet = with > a zero-origin timestamp, meaning the sender wants to reset the = association, > and the transmit timestamp in this bogus packet will be saved as the = most > recent "received" timestamp. The real remote peer does not know this > value and this will disrupt the association until the association = resets. > [CVE-2018-7184] >=20 > The NTP Protocol allows for both non-authenticated and authenticated > associations, in client/server, symmetric (peer), and several = broadcast > modes. In addition to the basic NTP operational modes, symmetric mode = and > broadcast servers can support an interleaved mode of operation. In > ntp-4.2.8p4, a bug was inadvertently introduced into the protocol = engine that > allows a non-authenticated zero-origin (reset) packet to reset an > authenticated interleaved peer association. If an attacker can send a = packet > with a zero-origin timestamp and the source IP address of the "other = side" of > an interleaved association, the 'victim' ntpd will reset its = association. > The attacker must continue sending these packets in order to maintain = the > disruption of the association. [CVE-2018-7185] >=20 > The ntpq(8) utility is a monitoring and control program for ntpd. The > internal decodearr() function of ntpq(8) that is used to decode an = array in > a response string when formatted data is being displayed. This is a = problem > in affected versions of ntpq if a maliciously-altered ntpd returns an = array > result that will trip this bug, or if a bad actor is able to read an = ntpq(8) > request on its way to a remote ntpd server and forge and send a = response > before the remote ntpd sends its response. It is potentially possible = that > the malicious data could become injectable/executable code. = [CVE-2017-7183] >=20 > III. Impact >=20 > Malicious remote attackers may be able to break time synchornization, > or cause the ntpq(8) utility to crash. >=20 > IV. Workaround >=20 > No workaround is available, but systems not running ntpd(8) or ntpq(8) = are > not affected. Network administrators are advised to implement BCP-38 = which > helps to reduce risk associated with the attacks. >=20 > V. Solution >=20 > Perform one of the following: >=20 > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. >=20 > The ntpd service has to be restarted after the update. A reboot is > recommended but not required. >=20 > 2) To update your vulnerable system via a binary patch: >=20 > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: >=20 > # freebsd-update fetch > # freebsd-update install >=20 > The ntpd service has to be restarted after the update. A reboot is > recommended but not required. >=20 > 3) To update your vulnerable system via a source code patch: >=20 > The following patches have been verified to apply to the applicable > FreeBSD release branches. >=20 > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. >=20 > [FreeBSD 11.1] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch > # fetch = https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc > # gpg --verify ntp-11.1.patch.asc >=20 > [FreeBSD 10.4] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch > # fetch = https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc > # gpg --verify ntp-10.4.patch.asc >=20 > [FreeBSD 10.3] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch > # fetch = https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc > # gpg --verify ntp-10.3.patch.asc >=20 > b) Apply the patch. Execute the following commands as root: >=20 > # cd /usr/src > # patch < /path/to/patch >=20 > c) Recompile the operating system using buildworld and installworld as > described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. >=20 > Restart the applicable daemons, or reboot the system. >=20 > VI. Correction details >=20 > The following list contains the correction revision numbers for each > affected branch. >=20 > Branch/path = Revision > - = ------------------------------------------------------------------------- > stable/10/ = r330141 > releng/10.3/ = r330567 > releng/10.4/ = r330567 > stable/11/ = r330106 > releng/11.1/ = r330567 > - = ------------------------------------------------------------------------- >=20 > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: >=20 > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >=20 > Or visit the following URL, replacing NNNNNN with the revision number: >=20 > <URL:https://svnweb.freebsd.org/base?view=3Drevision&revision=3DNNNNNN>; >=20 > VII. References >=20 > = <URL:http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp= _4_2_8p11_NTP_S> >=20 > <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-7182>; >=20 > <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-7170>; >=20 > <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-7184>; >=20 > <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-7185>; >=20 > <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-7183>; >=20 > The latest revision of this advisory is available at > <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:02.ntp.asc>; > -----BEGIN PGP SIGNATURE----- >=20 > iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhYNfFIAAAAAALgAo > aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD > MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n > 5cL9GQ/+PLffyegsvxKngL83XWG9UuHbcGG5aWbNwCecTEzNoCI72TI03aga0ge5 > iLz5kW3SQvl8tsq778U4YbfFcCw6ifq2ws8asqNviv+u4AcJh7oD8CS3/kFuA9xM > zjAIrScdNR2taBJhBW3nwlb7RmDeKqydQ3OIxHVvs9Fj5Alc5ZEGezUjC2dueB+M > UdORg6GvHGMYQ+4AtBFRgZHAU3BFkwmgqsIICywYnUVH+AxKj34shs/pMMeJd/d9 > a+BIu/tUjAIlQp23VunNAfq7r2eZik9LOV8Y5l1Ww7+K1IwlwezxI+Iw18BMFEVn > L9baBY9RFh8v/yrZCBqUc7Prhs3ExU/lnAb05Va7TYeD4RXVmSU0jNXi/przN3y2 > PR7Z3JCm60mFKyp0/Hz2MmS1XPBVBrW4P6g9hH8TZmOHb2mZlK3zDXmil7HKp5DK > UhtMJpPEWV9k5rfP8iijHJnwkPr0ALntMUAAKUyw/6isVtHT6BZLaYsZvRYIm8YY > Mn2RUl74m+XoIhQ8R4mxRcaAHwKKXyeyP5nlAs6TQVb9QJukoRiNDr3g8TwbtT54 > iTswVu+z/a89/YIwJoc6Ud7eCZSDYe6qfuC19TVuledayjjy/ZPMH0ZkNWFWJ3AE > VAvdyvoUuNbmsv42o4AUtpE/1CmDqOjwBRZZbtV4CONCDFpk26o=3D > =3DD2ov > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-announce@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to = "freebsd-announce-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E55483F-40C9-478D-8539-B5B6C3C60FEA>