Date: Tue, 13 Jan 2009 22:51:38 +0000
From: Harlan Stenn <stenn@ntp.org>
To: freebsd-security@freebsd.org
Cc: stenn@ntp.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-09:03.ntpd
Message-ID: <20090113225153.15B3F39F24@mail1.ntp.org>
In-Reply-To: FreeBSD Security Advisories's (security-advisories@freebsd.org) message dated Tue, 13 Jan 2009 22:33:20. <200901132233.n0DMXKVI055218@freefall.freebsd.org>
Good news/bad news.

The good news is that I like to think I did a better job describing this
problem than I have done in the past.

The bad news is that I think I did a pretty sucky job of describing this
problem in our report.

Y'all did a much better job of this than I did.

The NTP Project has had maybe 3 of these sort of issues in the past 15+
years, so I don't have much experience in dealing with writing the
announcements.

Might I be able to work with y'all on any future similar security
advisories so our security announcements are better?

H
--
Harlan Stenn <stenn@ntp.org>
http://ntpforum.isc.org - be a member!

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:03.ntpd                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          ntpd cryptographic signature bypass
>
> Category:       contrib
> Module:         ntpd
> Announced:      2009-01-13
> Credits:        Google Security Team
> Affects:        All FreeBSD releases
> Corrected:      2009-01-13 21:19:27 UTC (RELENG_7, 7.1-STABLE)
>                 2009-01-13 21:19:27 UTC (RELENG_7_1, 7.1-RELEASE-p2)
>                 2009-01-13 21:19:27 UTC (RELENG_7_0, 7.0-RELEASE-p9)
>                 2009-01-13 21:19:27 UTC (RELENG_6, 6.4-STABLE)
>                 2009-01-13 21:19:27 UTC (RELENG_6_4, 6.4-RELEASE-p3)
>                 2009-01-13 21:19:27 UTC (RELENG_6_3, 6.3-RELEASE-p9)
> CVE Name:       CVE-2009-0021
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> The ntpd daemon is an implementation of the Network Time Protocol
> (NTP) used to synchronize the time of a computer system to a reference
> time source.
>
> FreeBSD includes software from the OpenSSL Project.  The OpenSSL
> Project is a collaborative effort to develop a robust,
> commercial-grade, full-featured Open Source toolkit implementing the
> Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> protocols as well as a full-strength general purpose cryptography
> library.
>
> II.  Problem Description
>
> The EVP_VerifyFinal() function from OpenSSL is used to determine if a
> digital signature is valid.  When ntpd(8) is set to cryptographically
> authenticate NTP data it incorrectly checks the return value from
> EVP_VerifyFinal().
>
> III. Impact
>
> An attacker which can send NTP packets to ntpd, which uses
> cryptographic authentication of NTP data, may be able to inject
> malicious time data causing the system clock to be set incorrectly.
>
> IV.  Workaround
>
> Use IP based restrictions in ntpd itself or in IP firewalls to
> restrict which systems can send NTP packets to ntpd.
>
> NOTE WELL: If ntpd is not explicitly set to use cryptographic
> authentication of NTP data the setup is not vulnerable to the issue
> as described in this Security Advisory.
>
> V.   Solution
>
> NOTE WELL: Due to an error in building the updates, this fix is not
> available via freebsd-update at the time of this advisory.  We expect
> that this will be fixed within the next 48 hours.
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
> RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
> dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.0, and 7.1 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.4 and 7.1]
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch.asc
>
> [FreeBSD 6.3 and 7.0]
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/usr.sbin/ntp/ntpd
> # make obj && make depend && make && make install
> # /etc/rc.d/ntpd restart
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_6
>   src/contrib/ntp/ntpd/ntp_crypto.c                             1.1.1.3.8.2
> RELENG_6_4
>   src/UPDATING                                               1.416.2.40.2.6
>   src/sys/conf/newvers.sh                                     1.69.2.18.2.9
>   src/contrib/ntp/ntpd/ntp_crypto.c                         1.1.1.3.8.1.2.1
> RELENG_6_3
>   src/UPDATING                                              1.416.2.37.2.14
>   src/sys/conf/newvers.sh                                    1.69.2.15.2.13
>   src/contrib/ntp/ntpd/ntp_crypto.c                            1.1.1.3.20.1
> RELENG_7
>   src/contrib/ntp/ntpd/ntp_crypto.c                            1.1.1.3.18.2
> RELENG_7_1
>   src/UPDATING                                                1.507.2.13.2.5
>   src/sys/conf/newvers.sh                                      1.72.2.9.2.6
>   src/contrib/ntp/ntpd/ntp_crypto.c                        1.1.1.3.18.1.2.1
> RELENG_7_0
>   src/UPDATING                                                1.507.2.3.2.13
>   src/sys/conf/newvers.sh                                     1.72.2.5.2.13
>   src/contrib/ntp/ntpd/ntp_crypto.c                            1.1.1.3.22.1
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/6/                                                         r187194
> releng/6.4/                                                       r187194
> releng/6.3/                                                       r187194
> stable/7/                                                         r187194
> releng/7.1/                                                       r187194
> releng/7.0/                                                       r187194
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:02.openssl.asc
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:03.ntpd.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (FreeBSD)
>
> iD8DBQFJbRUfFdaIBMps37IRAqdjAJ42YSH0bjaAJBEVyMM7/em/tu0xUQCfVPrs
> IrH0Qxo4slvboQHsy1PbkN4=
> =Q4rn
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
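The advisory quoted above says only that ntpd "incorrectly checks the return value from EVP_VerifyFinal()". The following C program is an added illustration of that class of bug and is not code from the advisory, from ntpd or from OpenSSL: it models the documented three-way return of EVP_VerifyFinal() (1 = signature verifies, 0 = does not verify, negative = library error) with a constructed stand-in, and contrasts an `if (!rc)` check, which lets a negative error return pass as a valid signature, with a check that accepts only rc == 1. The names mock_verify_final, vulnerable_accepts and hardened_accepts are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Return contract of OpenSSL's EVP_VerifyFinal(): 1 = signature verifies,
 * 0 = signature does not verify, <0 = some other error (for example a
 * malformed signature or a missing public key). */
enum { VERIFY_OK = 1, VERIFY_BAD = 0, VERIFY_ERR = -1 };

/* Constructed stand-in with the same tri-state contract.  A "signature"
 * here is just a short string: "good" verifies, an empty or NULL
 * signature takes the library error path, anything else fails to verify.
 * This is a model of the return values, not real signature checking. */
int mock_verify_final(const char *sig)
{
    if (sig == NULL || sig[0] == '\0')
        return VERIFY_ERR;
    return strcmp(sig, "good") == 0 ? VERIFY_OK : VERIFY_BAD;
}

/* Buggy pattern: every non-zero return is treated as success, so the
 * error return (-1) is accepted as if the signature were valid.
 * Returns 1 if the data would be accepted, 0 if rejected. */
int vulnerable_accepts(const char *sig)
{
    if (!mock_verify_final(sig))
        return 0;               /* only rc == 0 is rejected */
    return 1;
}

/* Correct pattern: only rc == 1 means the signature verified; 0 and
 * every negative error code are rejected. */
int hardened_accepts(const char *sig)
{
    if (mock_verify_final(sig) != 1)
        return 0;
    return 1;
}

int main(void)
{
    const char *cases[] = { "good", "forged", "" };
    for (size_t i = 0; i < 3; i++) {
        const char *label = cases[i][0] ? cases[i] : "<malformed>";
        printf("%-12s vulnerable=%d hardened=%d\n", label,
               vulnerable_accepts(cases[i]), hardened_accepts(cases[i]));
    }
    return 0;
}
```

The "<malformed>" row is the interesting one: the buggy check accepts it, the corrected check does not.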