From owner-svn-doc-head@freebsd.org Mon Oct 26 12:04:08 2015 Return-Path: Delivered-To: svn-doc-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 64950A1A875; Mon, 26 Oct 2015 12:04:08 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2BEEC1829; Mon, 26 Oct 2015 12:04:08 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t9QC47HH053896; Mon, 26 Oct 2015 12:04:07 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t9QC47PR053895; Mon, 26 Oct 2015 12:04:07 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201510261204.t9QC47PR053895@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f From: Gleb Smirnoff Date: Mon, 26 Oct 2015 12:04:07 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r47672 - in head/share/security: advisories patches/SA-15:25 X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Oct 2015 12:04:08 -0000 Author: glebius (src committer) Date: Mon Oct 26 12:04:07 2015 New Revision: 47672 URL: https://svnweb.freebsd.org/changeset/doc/47672 Log: Upgrade NTP to 4.2.8p4. Security: FreeBSD-SA-15:25.ntp Approved by: so Added: head/share/security/advisories/FreeBSD-SA-15:25.ntp.asc (contents, props changed) head/share/security/patches/SA-15:25/ head/share/security/patches/SA-15:25/ntp-101.patch.asc (contents, props changed) head/share/security/patches/SA-15:25/ntp-101.patch.bz2 (contents, props changed) head/share/security/patches/SA-15:25/ntp-102.patch.asc (contents, props changed) head/share/security/patches/SA-15:25/ntp-102.patch.bz2 (contents, props changed) head/share/security/patches/SA-15:25/ntp-93.patch.asc (contents, props changed) head/share/security/patches/SA-15:25/ntp-93.patch.bz2 (contents, props changed) Added: head/share/security/advisories/FreeBSD-SA-15:25.ntp.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-15:25.ntp.asc Mon Oct 26 12:04:07 2015 (r47672) @@ -0,0 +1,285 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-15:25.ntp Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities of ntp + +Category: contrib +Module: ntp +Announced: 2015-10-26 +Credits: Network Time Foundation +Affects: All supported versions of FreeBSD. +Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE) + 2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6) + 2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23) + 2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE) + 2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29) +CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, + CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, + CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, + CVE-2015-7871 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit https://security.FreeBSD.org/. + +I. Background + +The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) +used to synchronize the time of a computer system to a reference time +source. + +II. Problem Description + +Crypto-NAK packets can be used to cause ntpd(8) to accept time from an +unauthenticated ephemeral symmetric peer by bypassing the authentication +required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and +10.1 are not affected. + +If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusual +long data value where a network address is expected, the decodenetnum() +function will abort with an assertion failure instead of simply returning +a failure condition. [CVE-2015-7855] + +If ntpd(8) is configured to allow remote configuration, and if the +(possibly spoofed) source IP address is allowed to send remote +configuration requests, and if the attacker knows the remote +configuration password or if ntpd(8) was configured to disable +authentication, then an attacker can send a set of packets to ntpd(8) that +may cause it to crash, with the hypothetical possibility of a small code +injection. [CVE-2015-7854] + +A negative value for the datalen parameter will overflow a data buffer. +NTF's ntpd(8) driver implementations always set this value to 0 and are +therefore not vulnerable to this weakness. If you are running a custom +refclock driver in ntpd(8) and that driver supplies a negative value for +datalen (no custom driver of even minimal competence would do this) +then ntpd would overflow a data buffer. It is even hypothetically +possible in this case that instead of simply crashing ntpd the +attacker could effect a code injection attack. [CVE-2015-7853] + +If an attacker can figure out the precise moment that ntpq(8) is listening +for data and the port number it is listening on or if the attacker can +provide a malicious instance ntpd(8) that victims will connect to then an +attacker can send a set of crafted mode 6 response packets that, if +received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852] + +If ntpd(8) is configured to allow remote configuration, and if the +(possibly spoofed) IP address is allowed to send remote configuration +requests, and if the attacker knows the remote configuration password +or if ntpd(8) was configured to disable authentication, then an attacker +can send a set of packets to ntpd that may cause ntpd(8) to overwrite +files. [CVE-2015-7851]. The default configuration of ntpd(8) within +FreeBSD does not allow remote configuration. + +If ntpd(8) is configured to allow remote configuration, and if the +(possibly spoofed) source IP address is allowed to send remote +configuration requests, and if the attacker knows the remote +configuration password or if ntpd(8) was configured to disable +authentication, then an attacker can send a set of packets to ntpd +that will cause it to crash and/or create a potentially huge log +file. Specifically, the attacker could enable extended logging, +point the key file at the log file, and cause what amounts to an +infinite loop. [CVE-2015-7850]. The default configuration of ntpd(8) +within FreeBSD does not allow remote configuration. + +If ntpd(8) is configured to allow remote configuration, and if the +(possibly spoofed) source IP address is allowed to send remote +configuration requests, and if the attacker knows the remote +configuration password or if ntpd was configured to disable +authentication, then an attacker can send a set of packets to +ntpd that may cause a crash or theoretically perform a code +injection attack. [CVE-2015-7849]. The default configuration of ntpd(8) +within FreeBSD does not allow remote configuration. + +If ntpd(8) is configured to enable mode 7 packets, and if the use +of mode 7 packets is not properly protected thru the use of the +available mode 7 authentication and restriction mechanisms, and +if the (possibly spoofed) source IP address is allowed to send +mode 7 queries, then an attacker can send a crafted packet to +ntpd that will cause it to crash. [CVE-2015-7848]. The default +configuration of ntpd(8) within FreeBSD does not allow mode 7 +packets. + +If ntpd(8) is configured to use autokey, then an attacker can send +packets to ntpd that will, after several days of ongoing attack, +cause it to run out of memory. [CVE-2015-7701]. The default +configuration of ntpd(8) within FreeBSD does not use autokey. + +If ntpd(8) is configured to allow for remote configuration, and if +the (possibly spoofed) source IP address is allowed to send +remote configuration requests, and if the attacker knows the +remote configuration password, it's possible for an attacker +to use the "pidfile" or "driftfile" directives to potentially +overwrite other files. [CVE-2015-5196]. The default configuration +of ntpd(8) within FreeBSD does not allow remote configuration + +An ntpd(8) client that honors Kiss-of-Death responses will honor +KoD messages that have been forged by an attacker, causing it +to delay or stop querying its servers for time updates. Also, +an attacker can forge packets that claim to be from the target +and send them to servers often enough that a server that +implements KoD rate limiting will send the target machine a +KoD response to attempt to reduce the rate of incoming packets, +or it may also trigger a firewall block at the server for +packets from the target machine. For either of these attacks +to succeed, the attacker must know what servers the target +is communicating with. An attacker can be anywhere on the +Internet and can frequently learn the identity of the target's +time source by sending the target a time query. [CVE-2015-7704] + +The fix for CVE-2014-9750 was incomplete in that there were +certain code paths where a packet with particular autokey +operations that contained malicious data was not always being +completely validated. Receipt of these packets can cause ntpd +to crash. [CVE-2015-7702]. The default configuration of ntpd(8) +within FreeBSD does not use autokey. + +III. Impact + +An attacker which can send NTP packets to ntpd(8), which uses cryptographic +authentication of NTP data, may be able to inject malicious time data +causing the system clock to be set incorrectly. [CVE-2015-7871] + +An attacker which can send NTP packets to ntpd(8), can block the +communication of the daemon with time servers, causing the system +clock not being synchronized. [CVE-2015-7704] + +An attacker which can send NTP packets to ntpd(8), can remotely crash +the daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854] +[CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848] + +An attacker which can send NTP packets to ntpd(8), can remotely +trigger the daemon to overwrite its configuration files. [CVE-2015-7851] +[CVE-2015-5196] + +IV. Workaround + +No workaround is available, but systems not running ntpd(8) are not +affected. Network administrators are advised to implement BCP-38, +which helps to reduce risk associated with the attacks. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +The ntpd service has to be restarted after the update. A reboot is +recommended but not required. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +The ntpd service has to be restarted after the update. A reboot is +recommended but not required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.2] +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2 +# bunzip2 ntp-102.patch.bz2 +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc +# gpg --verify ntp-102.patch.asc + +[FreeBSD 10.1] +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2 +# bunzip2 ntp-101.patch.bz2 +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc +# gpg --verify ntp-101.patch.asc + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2 +# bunzip2 ntp-93.patch.bz2 +# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc +# gpg --verify ntp-93.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch +# find contrib/ntp -type f -empty -delete + +c) Recompile the operating system using buildworld and installworld as +described in https://www.FreeBSD.org/handbook/makeworld.html. + +d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended, +which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and +with help of the etcupdate(8) tool on 10.1-RELEASE. + +Restart the ntpd(8) daemon, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r289998 +releng/9.3/ r290001 +stable/10/ r289997 +releng/10.1/ r290000 +releng/10.2/ r289999 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN + +VII. References + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871 + +The latest revision of this advisory is available at +https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAEBAgAGBQJWLhOJAAoJEO1n7NZdz2rn91wP/2GwEt1boNQq2a7nYzv/mS5D +sYKkIi7o+2yr2BLXvtc3O7c9QC3/YeGsza9DTRqndcY572SWvRgtkFstMTTm8IV/ +RVlIE40gVR3tex0zo7BiD7uKUrxWxWcpwMbE5dzlE+vSybyyj0dSSkwUHJjrbJoA +RmyNuEEUhQn5sRCg6qJv/PLp2G7BcYAasKScukjm7QnLP2kq/tvM9mcqwfh2tadM +7kbf8uq+ykvsRzctaDnxQaB5+zJxBQYJjBelxQfIkNek0XGfdj3sRwISeFznbllq +mOLTIBaFiuEtHtusO7MKKavMgS5CQJOvuuvd/l3NY1MnxC6X/1SWig9KIKDIn/hv +q8dsnq7LLx+tO6Cv4Dub7EbC2ZP3xXGOC4Ie02z8bTZnbX7iwyPUidQQqtU9ra15 +rxzFcZnBxu+yyMNJVsV2qVV/r9OycgKxWlEELC1wYrK9fKfvLdA5aEGjDeU1Z+s6 +JS2zKr0t4F2bMrCsjYP1lQD8sHkCVjwJk+IJU/slcwSajDjBNlMH0yBxGYE1ETIZ +qMF7/PAkLe8V78pdYmXw9pcaPyhI+ihPLnNrdhX8AI2RX5jDK7IuUNJeUM04UrVB +8N+mMwgamcuCPWNNyXaL0bz21fexZOuhHmU+B8Yn3SFX5O5b/r9gGvrjo8ei8jOk +EUlBT3ViDhHNrI7PTaiI +=djPm +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:25/ntp-101.patch.asc ============================================================================== Binary file. No diff available. Added: head/share/security/patches/SA-15:25/ntp-101.patch.bz2 ============================================================================== Binary file. No diff available. Added: head/share/security/patches/SA-15:25/ntp-102.patch.asc ============================================================================== Binary file. No diff available. Added: head/share/security/patches/SA-15:25/ntp-102.patch.bz2 ============================================================================== Binary file. No diff available. Added: head/share/security/patches/SA-15:25/ntp-93.patch.asc ============================================================================== Binary file. No diff available. Added: head/share/security/patches/SA-15:25/ntp-93.patch.bz2 ============================================================================== Binary file. No diff available.