Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 26 Oct 2015 12:04:07 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r47672 - in head/share/security: advisories patches/SA-15:25
Message-ID:  <201510261204.t9QC47PR053895@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: glebius (src committer)
Date: Mon Oct 26 12:04:07 2015
New Revision: 47672
URL: https://svnweb.freebsd.org/changeset/doc/47672

Log:
  Upgrade NTP to 4.2.8p4.
  
  Security:	FreeBSD-SA-15:25.ntp
  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-SA-15:25.ntp.asc   (contents, props changed)
  head/share/security/patches/SA-15:25/
  head/share/security/patches/SA-15:25/ntp-101.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-101.patch.bz2   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-102.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-102.patch.bz2   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-93.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:25/ntp-93.patch.bz2   (contents, props changed)

Added: head/share/security/advisories/FreeBSD-SA-15:25.ntp.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:25.ntp.asc	Mon Oct 26 12:04:07 2015	(r47672)
@@ -0,0 +1,285 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-15:25.ntp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities of ntp
+
+Category:       contrib
+Module:         ntp
+Announced:      2015-10-26
+Credits:        Network Time Foundation
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
+                2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6)
+                2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23)
+                2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE)
+                2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29)
+CVE Name:       CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
+                CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851,
+                CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855,
+                CVE-2015-7871
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit https://security.FreeBSD.org/.
+
+I.   Background
+
+The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
+used to synchronize the time of a computer system to a reference time
+source.
+
+II.  Problem Description
+
+Crypto-NAK packets can be used to cause ntpd(8) to accept time from an
+unauthenticated ephemeral symmetric peer by bypassing the authentication
+required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and
+10.1 are not affected.
+
+If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusual
+long data value where a network address is expected, the decodenetnum()
+function will abort with an assertion failure instead of simply returning
+a failure condition. [CVE-2015-7855]
+
+If ntpd(8) is configured to allow remote configuration, and if the
+(possibly spoofed) source IP address is allowed to send remote
+configuration requests, and if the attacker knows the remote
+configuration password or if ntpd(8) was configured to disable
+authentication, then an attacker can send a set of packets to ntpd(8) that
+may cause it to crash, with the hypothetical possibility of a small code
+injection. [CVE-2015-7854]
+
+A negative value for the datalen parameter will overflow a data buffer.
+NTF's ntpd(8) driver implementations always set this value to 0 and are
+therefore not vulnerable to this weakness. If you are running a custom
+refclock driver in ntpd(8) and that driver supplies a negative value for
+datalen (no custom driver of even minimal competence would do this)
+then ntpd would overflow a data buffer. It is even hypothetically
+possible in this case that instead of simply crashing ntpd the
+attacker could effect a code injection attack. [CVE-2015-7853]
+
+If an attacker can figure out the precise moment that ntpq(8) is listening
+for data and the port number it is listening on or if the attacker can
+provide a malicious instance ntpd(8) that victims will connect to then an
+attacker can send a set of crafted mode 6 response packets that, if
+received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852]
+
+If ntpd(8) is configured to allow remote configuration, and if the
+(possibly spoofed) IP address is allowed to send remote configuration
+requests, and if the attacker knows the remote configuration password
+or if ntpd(8) was configured to disable authentication, then an attacker
+can send a set of packets to ntpd that may cause ntpd(8) to overwrite
+files. [CVE-2015-7851].  The default configuration of ntpd(8) within
+FreeBSD does not allow remote configuration.
+
+If ntpd(8) is configured to allow remote configuration, and if the
+(possibly spoofed) source IP address is allowed to send remote
+configuration requests, and if the attacker knows the remote
+configuration password or if ntpd(8) was configured to disable
+authentication, then an attacker can send a set of packets to ntpd
+that will cause it to crash and/or create a potentially huge log
+file.  Specifically, the attacker could enable extended logging,
+point the key file at the log file, and cause what amounts to an
+infinite loop. [CVE-2015-7850].  The default configuration of ntpd(8)
+within FreeBSD does not allow remote configuration.
+
+If ntpd(8) is configured to allow remote configuration, and if the
+(possibly spoofed) source IP address is allowed to send remote
+configuration requests, and if the attacker knows the remote
+configuration password or if ntpd was configured to disable
+authentication, then an attacker can send a set of packets to
+ntpd that may cause a crash or theoretically perform a code
+injection attack. [CVE-2015-7849].  The default configuration of ntpd(8)
+within FreeBSD does not allow remote configuration.
+
+If ntpd(8) is configured to enable mode 7 packets, and if the use
+of mode 7 packets is not properly protected thru the use of the
+available mode 7 authentication and restriction mechanisms, and
+if the (possibly spoofed) source IP address is allowed to send
+mode 7 queries, then an attacker can send a crafted packet to
+ntpd that will cause it to crash. [CVE-2015-7848].  The default
+configuration of ntpd(8) within FreeBSD does not allow mode 7
+packets.
+
+If ntpd(8) is configured to use autokey, then an attacker can send
+packets to ntpd that will, after several days of ongoing attack,
+cause it to run out of memory. [CVE-2015-7701].  The default
+configuration of ntpd(8) within FreeBSD does not use autokey.
+
+If ntpd(8) is configured to allow for remote configuration, and if
+the (possibly spoofed) source IP address is allowed to send
+remote configuration requests, and if the attacker knows the
+remote configuration password, it's possible for an attacker
+to use the "pidfile" or "driftfile" directives to potentially
+overwrite other files. [CVE-2015-5196].  The default configuration
+of ntpd(8) within FreeBSD does not allow remote configuration
+
+An ntpd(8) client that honors Kiss-of-Death responses will honor
+KoD messages that have been forged by an attacker, causing it
+to delay or stop querying its servers for time updates. Also,
+an attacker can forge packets that claim to be from the target
+and send them to servers often enough that a server that
+implements KoD rate limiting will send the target machine a
+KoD response to attempt to reduce the rate of incoming packets,
+or it may also trigger a firewall block at the server for
+packets from the target machine. For either of these attacks
+to succeed, the attacker must know what servers the target
+is communicating with. An attacker can be anywhere on the
+Internet and can frequently learn the identity of the target's
+time source by sending the target a time query. [CVE-2015-7704]
+
+The fix for CVE-2014-9750 was incomplete in that there were
+certain code paths where a packet with particular autokey
+operations that contained malicious data was not always being
+completely validated. Receipt of these packets can cause ntpd
+to crash. [CVE-2015-7702].  The default configuration of ntpd(8)
+within FreeBSD does not use autokey.
+
+III. Impact
+
+An attacker which can send NTP packets to ntpd(8), which uses cryptographic
+authentication of NTP data, may be able to inject malicious time data
+causing the system clock to be set incorrectly. [CVE-2015-7871]
+
+An attacker which can send NTP packets to ntpd(8), can block the
+communication of the daemon with time servers, causing the system
+clock not being synchronized. [CVE-2015-7704]
+
+An attacker which can send NTP packets to ntpd(8), can remotely crash
+the daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854]
+[CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848]
+
+An attacker which can send NTP packets to ntpd(8), can remotely
+trigger the daemon to overwrite its configuration files. [CVE-2015-7851]
+[CVE-2015-5196]
+
+IV.  Workaround
+
+No workaround is available, but systems not running ntpd(8) are not
+affected.  Network administrators are advised to implement BCP-38,
+which helps to reduce risk associated with the attacks.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The ntpd service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The ntpd service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.2]
+# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2
+# bunzip2 ntp-102.patch.bz2
+# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc
+# gpg --verify ntp-102.patch.asc
+
+[FreeBSD 10.1]
+# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2
+# bunzip2 ntp-101.patch.bz2
+# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc
+# gpg --verify ntp-101.patch.asc
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2
+# bunzip2 ntp-93.patch.bz2
+# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc
+# gpg --verify ntp-93.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+# find contrib/ntp -type f -empty -delete
+
+c) Recompile the operating system using buildworld and installworld as
+described in https://www.FreeBSD.org/handbook/makeworld.html.
+
+d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended,
+which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and
+with help of the etcupdate(8) tool on 10.1-RELEASE.
+
+Restart the ntpd(8) daemon, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r289998
+releng/9.3/                                                       r290001
+stable/10/                                                        r289997
+releng/10.1/                                                      r290000
+releng/10.2/                                                      r289999
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN
+
+VII. References
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871
+
+The latest revision of this advisory is available at
+https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAEBAgAGBQJWLhOJAAoJEO1n7NZdz2rn91wP/2GwEt1boNQq2a7nYzv/mS5D
+sYKkIi7o+2yr2BLXvtc3O7c9QC3/YeGsza9DTRqndcY572SWvRgtkFstMTTm8IV/
+RVlIE40gVR3tex0zo7BiD7uKUrxWxWcpwMbE5dzlE+vSybyyj0dSSkwUHJjrbJoA
+RmyNuEEUhQn5sRCg6qJv/PLp2G7BcYAasKScukjm7QnLP2kq/tvM9mcqwfh2tadM
+7kbf8uq+ykvsRzctaDnxQaB5+zJxBQYJjBelxQfIkNek0XGfdj3sRwISeFznbllq
+mOLTIBaFiuEtHtusO7MKKavMgS5CQJOvuuvd/l3NY1MnxC6X/1SWig9KIKDIn/hv
+q8dsnq7LLx+tO6Cv4Dub7EbC2ZP3xXGOC4Ie02z8bTZnbX7iwyPUidQQqtU9ra15
+rxzFcZnBxu+yyMNJVsV2qVV/r9OycgKxWlEELC1wYrK9fKfvLdA5aEGjDeU1Z+s6
+JS2zKr0t4F2bMrCsjYP1lQD8sHkCVjwJk+IJU/slcwSajDjBNlMH0yBxGYE1ETIZ
+qMF7/PAkLe8V78pdYmXw9pcaPyhI+ihPLnNrdhX8AI2RX5jDK7IuUNJeUM04UrVB
+8N+mMwgamcuCPWNNyXaL0bz21fexZOuhHmU+B8Yn3SFX5O5b/r9gGvrjo8ei8jOk
+EUlBT3ViDhHNrI7PTaiI
+=djPm
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-15:25/ntp-101.patch.asc
==============================================================================
Binary file. No diff available.

Added: head/share/security/patches/SA-15:25/ntp-101.patch.bz2
==============================================================================
Binary file. No diff available.

Added: head/share/security/patches/SA-15:25/ntp-102.patch.asc
==============================================================================
Binary file. No diff available.

Added: head/share/security/patches/SA-15:25/ntp-102.patch.bz2
==============================================================================
Binary file. No diff available.

Added: head/share/security/patches/SA-15:25/ntp-93.patch.asc
==============================================================================
Binary file. No diff available.

Added: head/share/security/patches/SA-15:25/ntp-93.patch.bz2
==============================================================================
Binary file. No diff available.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201510261204.t9QC47PR053895>