From: Harlan Stenn <stenn@ntp.org>
To: freebsd-security@freebsd.org
Cc: stenn@ntp.org
Date: Tue, 13 Jan 2009 22:51:38 +0000
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-09:03.ntpd
In-Reply-To: FreeBSD Security Advisories's (security-advisories@freebsd.org) message dated Tue, 13 Jan 2009 22:33:20.
Message-Id: <20090113225153.15B3F39F24@mail1.ntp.org>

Good news/bad news.

The good news is that I like to think I did a better job describing this
problem than I have done in the past.

The bad news is that I think I did a pretty sucky job of describing this
problem in our report. Y'all did a much better job of this than I did.

The NTP Project has had maybe 3 of these sorts of issues in the past 15+
years, so I don't have much experience in dealing with writing the
announcements.

Might I be able to work with y'all on any future similar security
advisories so our security announcements are better?

H
-- 
Harlan Stenn <stenn@ntp.org>
http://ntpforum.isc.org - be a member!
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:03.ntpd                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          ntpd cryptographic signature bypass
>
> Category:       contrib
> Module:         ntpd
> Announced:      2009-01-13
> Credits:        Google Security Team
> Affects:        All FreeBSD releases
> Corrected:      2009-01-13 21:19:27 UTC (RELENG_7, 7.1-STABLE)
>                 2009-01-13 21:19:27 UTC (RELENG_7_1, 7.1-RELEASE-p2)
>                 2009-01-13 21:19:27 UTC (RELENG_7_0, 7.0-RELEASE-p9)
>                 2009-01-13 21:19:27 UTC (RELENG_6, 6.4-STABLE)
>                 2009-01-13 21:19:27 UTC (RELENG_6_4, 6.4-RELEASE-p3)
>                 2009-01-13 21:19:27 UTC (RELENG_6_3, 6.3-RELEASE-p9)
> CVE Name:       CVE-2009-0021
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> The ntpd daemon is an implementation of the Network Time Protocol
> (NTP) used to synchronize the time of a computer system to a reference
> time source.
>
> FreeBSD includes software from the OpenSSL Project. The OpenSSL
> Project is a collaborative effort to develop a robust,
> commercial-grade, full-featured Open Source toolkit implementing the
> Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> protocols as well as a full-strength general purpose cryptography
> library.
>
> II.  Problem Description
>
> The EVP_VerifyFinal() function from OpenSSL is used to determine if a
> digital signature is valid. When ntpd(8) is set to cryptographically
> authenticate NTP data it incorrectly checks the return value from
> EVP_VerifyFinal().
>
> III. Impact
>
> An attacker who can send NTP packets to ntpd, which uses
> cryptographic authentication of NTP data, may be able to inject
> malicious time data causing the system clock to be set incorrectly.
>
> IV.  Workaround
>
> Use IP based restrictions in ntpd itself or in IP firewalls to
> restrict which systems can send NTP packets to ntpd.
>
> NOTE WELL: If ntpd is not explicitly set to use cryptographic
> authentication of NTP data the setup is not vulnerable to the issue
> as described in this Security Advisory.
>
> V.   Solution
>
> NOTE WELL: Due to an error in building the updates, this fix is not
> available via freebsd-update at the time of this advisory. We expect
> that this will be fixed within the next 48 hours.
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
> RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
> dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.0, and 7.1 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.4 and 7.1]
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch.asc
>
> [FreeBSD 6.3 and 7.0]
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/usr.sbin/ntp/ntpd
> # make obj && make depend && make && make install
> # /etc/rc.d/ntpd restart
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_6
>   src/contrib/ntp/ntpd/ntp_crypto.c                             1.1.1.3.8.2
> RELENG_6_4
>   src/UPDATING                                               1.416.2.40.2.6
>   src/sys/conf/newvers.sh                                      1.69.2.18.2.9
>   src/contrib/ntp/ntpd/ntp_crypto.c                         1.1.1.3.8.1.2.1
> RELENG_6_3
>   src/UPDATING                                              1.416.2.37.2.14
>   src/sys/conf/newvers.sh                                     1.69.2.15.2.13
>   src/contrib/ntp/ntpd/ntp_crypto.c                            1.1.1.3.20.1
> RELENG_7
>   src/contrib/ntp/ntpd/ntp_crypto.c                            1.1.1.3.18.2
> RELENG_7_1
>   src/UPDATING                                               1.507.2.13.2.5
>   src/sys/conf/newvers.sh                                       1.72.2.9.2.6
>   src/contrib/ntp/ntpd/ntp_crypto.c                        1.1.1.3.18.1.2.1
> RELENG_7_0
>   src/UPDATING                                               1.507.2.3.2.13
>   src/sys/conf/newvers.sh                                      1.72.2.5.2.13
>   src/contrib/ntp/ntpd/ntp_crypto.c                            1.1.1.3.22.1
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/6/                                                         r187194
> releng/6.4/                                                       r187194
> releng/6.3/                                                       r187194
> stable/7/                                                         r187194
> releng/7.1/                                                       r187194
> releng/7.0/                                                       r187194
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:02.openssl.asc
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:03.ntpd.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (FreeBSD)
>
> iD8DBQFJbRUfFdaIBMps37IRAqdjAJ42YSH0bjaAJBEVyMM7/em/tu0xUQCfVPrs
> IrH0Qxo4slvboQHsy1PbkN4=
> =Q4rn
> -----END PGP SIGNATURE-----
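The advisory states that ntpd mis-checks the return value of EVP_VerifyFinal() but does not show the check. The C below is an added example, not code from the advisory, the mail, ntpd or OpenSSL: it models the return contract OpenSSL documents for EVP_VerifyFinal() (1 = verified, 0 = not verified, negative = internal error) with a constructed stand-in, `mock_verify_final()`, and contrasts a check that rejects only a 0 return with one that accepts only 1, so a signature the verifier cannot even decode (return -1) is rejected rather than treated as valid.

```c
#include <stdio.h>
#include <string.h>

/* Return contract of OpenSSL's EVP_VerifyFinal(): 1 = signature verified,
 * 0 = does not verify, negative = internal error (e.g. undecodable blob). */
enum { VERIFY_OK = 1, VERIFY_BAD = 0, VERIFY_ERROR = -1 };

/* Constructed stand-in for EVP_VerifyFinal() (hypothetical, no OpenSSL):
 * the only "valid" signature is a fixed 4-byte value; any other length is
 * treated as undecodable and yields the error code, as a real decoder would. */
static int mock_verify_final(const unsigned char *sig, unsigned int siglen)
{
    static const unsigned char expected[4] = { 0xde, 0xad, 0xbe, 0xef };
    if (siglen != sizeof expected)
        return VERIFY_ERROR;                /* malformed: decode failure */
    if (memcmp(sig, expected, sizeof expected) != 0)
        return VERIFY_BAD;                  /* well-formed, wrong signature */
    return VERIFY_OK;
}

/* Vulnerable pattern: only a 0 return is rejected, so the -1 error path
 * falls through and the packet counts as authenticated.
 * Returns 1 if the packet would be accepted, 0 if rejected. */
int accept_vulnerable(const unsigned char *sig, unsigned int siglen)
{
    if (!mock_verify_final(sig, siglen))
        return 0;
    return 1;
}

/* Corrected pattern: only an explicit 1 is success; 0 and every negative
 * error code are rejected alike. */
int accept_fixed(const unsigned char *sig, unsigned int siglen)
{
    if (mock_verify_final(sig, siglen) != VERIFY_OK)
        return 0;
    return 1;
}

int main(void)
{
    const unsigned char good[4]    = { 0xde, 0xad, 0xbe, 0xef };
    const unsigned char wrong[4]   = { 0x00, 0x00, 0x00, 0x00 };
    const unsigned char garbage[7] = { 1, 2, 3, 4, 5, 6, 7 };   /* undecodable */
    printf("good    vulnerable=%d fixed=%d\n", accept_vulnerable(good, 4), accept_fixed(good, 4));
    printf("wrong   vulnerable=%d fixed=%d\n", accept_vulnerable(wrong, 4), accept_fixed(wrong, 4));
    printf("garbage vulnerable=%d fixed=%d\n", accept_vulnerable(garbage, 7), accept_fixed(garbage, 7));
    return 0;
}
```

The third case is the one that matters for detection and review: any caller that tests a tri-state verifier with `!rc` or `rc == 0` accepts the error path, which is what the workaround's IP restrictions only mitigate and the patch actually fixes.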