From owner-freebsd-security@freebsd.org Wed Mar 7 14:41:15 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D4CB4F32393 for ; Wed, 7 Mar 2018 14:41:14 +0000 (UTC) (envelope-from pgollucci@p6m7g8.com) Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 411CD7752C for ; Wed, 7 Mar 2018 14:41:14 +0000 (UTC) (envelope-from pgollucci@p6m7g8.com) Received: by mail-wm0-x22b.google.com with SMTP id 188so5166073wme.1 for ; Wed, 07 Mar 2018 06:41:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=p6m7g8-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=VIcvfvYPHkyJ3e2NUIYP2z37d+kQHVIOxfdfDM6Yc1o=; b=jcT/CaHcOdgq6ij8gpA81m8vG0/xAcoKbmUv2HVMBAaxQZpdNDK43b2K1WQ1yMCfGW ssZeJKOd5wTzlm0rPio5YP6exPsLNOgeKEdrPuJv+8lZvdPsY4F2VUXamX3TeiyGmK4W O8nF2ABE2hFVQ+JXpJ2UQI5oqzlhSI2+H3MazZCkqu2jsIbHvJKHNQ3Ut1pbfhiAtCyS yLiYXwVIk20dZREy0MYgMTDJXvdW7CP9S2V9dI0kRMHgLnUBIX6Q4PKAAEHqKbeu/BTe ryr+gFeP2NKiCELEqRtzHPFXa/V0UOX7UVLm+LKREQbQkJMDbGgcFMPhN0zECPH9mbFM 43kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=VIcvfvYPHkyJ3e2NUIYP2z37d+kQHVIOxfdfDM6Yc1o=; b=WDIUmP1h/PyFXjq5dkHV/X8wk59jAwTGGVRxXSAo7ko86+3IkYsKWDioFHs6GcLJFa x9H2dynLNtQ5dxr3RVhFluTwhmvE6qi9VFq3eNWp36Ddof4T+95+3IRaWMUaWz4d3Axf i8/OxTBg/9Y23LY/DRILA173WgAgKx2vHAb3415SeHw8K3kN+DfxLpssXyKxgMlB2Q1D U/AmpZG6vIMupAVZttKoChqgaer/vLDXDfpHR6oEQ/m5yuioH2YbAAo3uwuRAaflhW9i Zl6yHkCqTNPbeg/OAv1SGGsByR663vLrDr5tHJIn26TIFW3YWP5XtlfTAfbePprSuF8G WEuA== X-Gm-Message-State: APf1xPDi3vth2aGw0XSdf7h80aoDCNmHaUCBjwcnJoqBXBhr0G88KoMs +ViBoouTRoFNVX3EWf/RmmetTnliBRrzq82ve+7R3Q== X-Google-Smtp-Source: AG47ELtQSSaAT4PpybjitbjM1ToXA6MvsywWVYaK+k64/pStuuSf3NflY8kZLJLIkoLg7ZSFkqV+nfkjQlja51ZDMik= X-Received: by 10.80.181.228 with SMTP id a91mr27398929ede.138.1520433672877; Wed, 07 Mar 2018 06:41:12 -0800 (PST) MIME-Version: 1.0 Received: by 10.80.178.197 with HTTP; Wed, 7 Mar 2018 06:40:32 -0800 (PST) X-Originating-IP: [108.48.199.86] In-Reply-To: <20180307071008.BB2B6447F@freefall.freebsd.org> References: <20180307071008.BB2B6447F@freefall.freebsd.org> From: "Philip M. Gollucci" Date: Wed, 7 Mar 2018 09:40:32 -0500 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp To: freebsd-security@freebsd.org Cc: FreeBSD Security Advisories Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 14:41:15 -0000 The links are 404ing On Wed, Mar 7, 2018 at 2:10 AM, FreeBSD Security Advisories < security-advisories@freebsd.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================ > ================= > FreeBSD-SA-18:02.ntp Security > Advisory > The FreeBSD > Project > > Topic: Multiple vulnerabilities of ntp > > Category: contrib > Module: ntp > Announced: 2018-03-07 > Credits: Network Time Foundation > Affects: All supported versions of FreeBSD. > Corrected: 2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE) > 2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7) > 2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE) > 2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6) > 2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27) > CVE Name: CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185, > CVE-2018-7183 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) > used to synchronize the time of a computer system to a reference time > source. > > II. Problem Description > > The ctl_getitem() function is used by ntpd(8) to process incoming "mode 6" > packets. A malicious "mode 6" packet can be sent to an ntpd instance, and > if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() will > read past the end of its buffer. [CVE-2018-7182] > > The ntpd(8) service can be vulnerable to Sybil attacks. If a system is > configured to use a trustedkey and if one is not using the feature > introduced > in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to > specify > which IPs can serve time, a malicious authenticated peer, i.e., one where > the > attacker knows the private symmetric key, can create arbitrarily-many > ephemeral associations in order to win the clock selection of ntpd and > modify > a victim's clock. [CVE-2018-7170] > > The fix for NtpBug2952 was incomplete, and while it fixed one problem it > created another. Specifically, it drops bad packets before updating the > "received" timestamp. This means a third-party can inject a packet with > a zero-origin timestamp, meaning the sender wants to reset the association, > and the transmit timestamp in this bogus packet will be saved as the most > recent "received" timestamp. The real remote peer does not know this > value and this will disrupt the association until the association resets. > [CVE-2018-7184] > > The NTP Protocol allows for both non-authenticated and authenticated > associations, in client/server, symmetric (peer), and several broadcast > modes. In addition to the basic NTP operational modes, symmetric mode and > broadcast servers can support an interleaved mode of operation. In > ntp-4.2.8p4, a bug was inadvertently introduced into the protocol engine > that > allows a non-authenticated zero-origin (reset) packet to reset an > authenticated interleaved peer association. If an attacker can send a > packet > with a zero-origin timestamp and the source IP address of the "other side" > of > an interleaved association, the 'victim' ntpd will reset its association. > The attacker must continue sending these packets in order to maintain the > disruption of the association. [CVE-2018-7185] > > The ntpq(8) utility is a monitoring and control program for ntpd. The > internal decodearr() function of ntpq(8) that is used to decode an array in > a response string when formatted data is being displayed. This is a > problem > in affected versions of ntpq if a maliciously-altered ntpd returns an array > result that will trip this bug, or if a bad actor is able to read an > ntpq(8) > request on its way to a remote ntpd server and forge and send a response > before the remote ntpd sends its response. It is potentially possible that > the malicious data could become injectable/executable code. [CVE-2017-7183] > > III. Impact > > Malicious remote attackers may be able to break time synchornization, > or cause the ntpq(8) utility to crash. > > IV. Workaround > > No workaround is available, but systems not running ntpd(8) or ntpq(8) are > not affected. Network administrators are advised to implement BCP-38 which > helps to reduce risk associated with the attacks. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > The ntpd service has to be restarted after the update. A reboot is > recommended but not required. > > 2) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > The ntpd service has to be restarted after the update. A reboot is > recommended but not required. > > 3) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 11.1] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc > # gpg --verify ntp-11.1.patch.asc > > [FreeBSD 10.4] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc > # gpg --verify ntp-10.4.patch.asc > > [FreeBSD 10.3] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc > # gpg --verify ntp-10.3.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system using buildworld and installworld as > described in . > > Restart the applicable daemons, or reboot the system. > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - ------------------------------------------------------------ > ------------- > stable/10/ r330141 > releng/10.3/ r330567 > releng/10.4/ r330567 > stable/11/ r330106 > releng/11.1/ r330567 > - ------------------------------------------------------------ > ------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. References > > February_2018_ntp_4_2_8p11_NTP_S> > > > > > > > > > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > > iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhYNfFIAAAAAALgAo > aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD > MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n > 5cL9GQ/+PLffyegsvxKngL83XWG9UuHbcGG5aWbNwCecTEzNoCI72TI03aga0ge5 > iLz5kW3SQvl8tsq778U4YbfFcCw6ifq2ws8asqNviv+u4AcJh7oD8CS3/kFuA9xM > zjAIrScdNR2taBJhBW3nwlb7RmDeKqydQ3OIxHVvs9Fj5Alc5ZEGezUjC2dueB+M > UdORg6GvHGMYQ+4AtBFRgZHAU3BFkwmgqsIICywYnUVH+AxKj34shs/pMMeJd/d9 > a+BIu/tUjAIlQp23VunNAfq7r2eZik9LOV8Y5l1Ww7+K1IwlwezxI+Iw18BMFEVn > L9baBY9RFh8v/yrZCBqUc7Prhs3ExU/lnAb05Va7TYeD4RXVmSU0jNXi/przN3y2 > PR7Z3JCm60mFKyp0/Hz2MmS1XPBVBrW4P6g9hH8TZmOHb2mZlK3zDXmil7HKp5DK > UhtMJpPEWV9k5rfP8iijHJnwkPr0ALntMUAAKUyw/6isVtHT6BZLaYsZvRYIm8YY > Mn2RUl74m+XoIhQ8R4mxRcaAHwKKXyeyP5nlAs6TQVb9QJukoRiNDr3g8TwbtT54 > iTswVu+z/a89/YIwJoc6Ud7eCZSDYe6qfuC19TVuledayjjy/ZPMH0ZkNWFWJ3AE > VAvdyvoUuNbmsv42o4AUtpE/1CmDqOjwBRZZbtV4CONCDFpk26o= > =D2ov > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security-notifications@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to "freebsd-security- > notifications-unsubscribe@freebsd.org" > -- --------------------------------------------------------------------------------- 4096R/D21D2752 ECDF B597 B54B 7F92 753E E0EA F699 A450 D21D 2752 Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354 Member, Apache Software Foundation Committer, FreeBSD Foundation Consultant, P6M7G8 Inc. Director Cloud Technology, Capital One What doesn't kill us can only make us stronger; Except it almost kills you.