From owner-freebsd-security@freebsd.org Wed Mar 7 15:13:15 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B1337F359C3 for ; Wed, 7 Mar 2018 15:13:15 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mail-pg0-x231.google.com (mail-pg0-x231.google.com [IPv6:2607:f8b0:400e:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 3527779DCE for ; Wed, 7 Mar 2018 15:13:15 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: by mail-pg0-x231.google.com with SMTP id r26so972045pgv.13 for ; Wed, 07 Mar 2018 07:13:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tetlows.org; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=1JJECI08jTWJpJPKr6UdW2zVpo1QD1ZcxgdJvqpHiwY=; b=MEBrOK1974VQh0xlyWqfhWgV0duu7DKIYwDjRC65cV44UnxDXcpEJKaEsPhoz2pfnz xLwLhBA/OVh5zVC+GtfloMKBoRJKkG+XZ9tZSbxAsKnFkHSjnVUzRjewP5XheOn6xERF sbQcg04gYexXXpAtI8Yxa68ai1D9QDDTbeyJ0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=1JJECI08jTWJpJPKr6UdW2zVpo1QD1ZcxgdJvqpHiwY=; b=WZJXx/2/m3XMwn1tmM1sb6g+4PKG2Dy9skdIGPmH2svWSdWDIVczVX+QLzuOMc/H2p utm43FFJCZK9v0olSGN7HC6RAAvnClWaV7m7YgcL5MlGZNQFC8b1G+sP1cNjOuyxQ1NA Gjik4Dr3HDlUuKCTnRoUbtq42NeF6huEQM/nxQtB8wYxij3qw5kAk5A2CwTQoBpQM6dR g2nKLeueqPn12aKvwrFx80wFW8GMZe9MyDRKcgrnRV3d/QRzngXJLe7e0DsYsABreU8t rBU3lmTDJlqUcvJr4jb4Ln5SGmCQ83PXQnX4weNKSVmQDDtVI8yl+f1vRtklRpQK4WeF DVOQ== X-Gm-Message-State: APf1xPBgEtvRTBc6nzdzIsA/P6ekGD3sbcYpzepqUKLeiD/mJStDcbuZ //1KKAEmHMqkABFDl21cna7EClJALg== X-Google-Smtp-Source: AG47ELs5aB4XAFdpcRkqM93kKzPZdiaQSrz2vf7tZRNK2heI6yCkk1H7TB6/nudVSXREqCoM61xuqA== X-Received: by 10.99.176.68 with SMTP id z4mr17967764pgo.74.1520435593457; Wed, 07 Mar 2018 07:13:13 -0800 (PST) Received: from [10.0.1.136] (cpe-75-80-118-20.san.res.rr.com. [75.80.118.20]) by smtp.gmail.com with ESMTPSA id 76sm37670456pfp.53.2018.03.07.07.13.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Mar 2018 07:13:12 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp From: Gordon Tetlow X-Mailer: iPhone Mail (15D100) In-Reply-To: Date: Wed, 7 Mar 2018 07:13:11 -0800 Cc: freebsd-security@freebsd.org, FreeBSD Security Advisories Content-Transfer-Encoding: quoted-printable Message-Id: <519359A9-A123-478C-A57D-51A1D8F528CA@tetlows.org> References: <20180307071008.BB2B6447F@freefall.freebsd.org> To: "Philip M. Gollucci" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 15:13:16 -0000 Sorry about that. I thought I had everything but I missed that piece. They s= hould be coming shortly. That said, I=E2=80=99m seeing reports of the ipsec patches for 10.x not comp= iling. Will look into that shortly.=20 Gordon > On Mar 7, 2018, at 06:40, Philip M. Gollucci wrote:= >=20 > The links are 404ing >=20 > On Wed, Mar 7, 2018 at 2:10 AM, FreeBSD Security Advisories < > security-advisories@freebsd.org> wrote: >=20 >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >>=20 >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >> FreeBSD-SA-18:02.ntp Security >> Advisory >> The FreeBSD >> Project >>=20 >> Topic: Multiple vulnerabilities of ntp >>=20 >> Category: contrib >> Module: ntp >> Announced: 2018-03-07 >> Credits: Network Time Foundation >> Affects: All supported versions of FreeBSD. >> Corrected: 2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE) >> 2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7) >> 2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE) >> 2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6) >> 2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27) >> CVE Name: CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-718= 5, >> CVE-2018-7183 >>=20 >> For general information regarding FreeBSD Security Advisories, >> including descriptions of the fields above, security branches, and the >> following sections, please visit . >>=20 >> I. Background >>=20 >> The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP= ) >> used to synchronize the time of a computer system to a reference time >> source. >>=20 >> II. Problem Description >>=20 >> The ctl_getitem() function is used by ntpd(8) to process incoming "mode 6= " >> packets. A malicious "mode 6" packet can be sent to an ntpd instance, an= d >> if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() will= >> read past the end of its buffer. [CVE-2018-7182] >>=20 >> The ntpd(8) service can be vulnerable to Sybil attacks. If a system is >> configured to use a trustedkey and if one is not using the feature >> introduced >> in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to >> specify >> which IPs can serve time, a malicious authenticated peer, i.e., one where= >> the >> attacker knows the private symmetric key, can create arbitrarily-many >> ephemeral associations in order to win the clock selection of ntpd and >> modify >> a victim's clock. [CVE-2018-7170] >>=20 >> The fix for NtpBug2952 was incomplete, and while it fixed one problem it >> created another. Specifically, it drops bad packets before updating the >> "received" timestamp. This means a third-party can inject a packet with >> a zero-origin timestamp, meaning the sender wants to reset the associatio= n, >> and the transmit timestamp in this bogus packet will be saved as the most= >> recent "received" timestamp. The real remote peer does not know this >> value and this will disrupt the association until the association resets.= >> [CVE-2018-7184] >>=20 >> The NTP Protocol allows for both non-authenticated and authenticated >> associations, in client/server, symmetric (peer), and several broadcast >> modes. In addition to the basic NTP operational modes, symmetric mode an= d >> broadcast servers can support an interleaved mode of operation. In >> ntp-4.2.8p4, a bug was inadvertently introduced into the protocol engine >> that >> allows a non-authenticated zero-origin (reset) packet to reset an >> authenticated interleaved peer association. If an attacker can send a >> packet >> with a zero-origin timestamp and the source IP address of the "other side= " >> of >> an interleaved association, the 'victim' ntpd will reset its association.= >> The attacker must continue sending these packets in order to maintain the= >> disruption of the association. [CVE-2018-7185] >>=20 >> The ntpq(8) utility is a monitoring and control program for ntpd. The >> internal decodearr() function of ntpq(8) that is used to decode an array i= n >> a response string when formatted data is being displayed. This is a >> problem >> in affected versions of ntpq if a maliciously-altered ntpd returns an arr= ay >> result that will trip this bug, or if a bad actor is able to read an >> ntpq(8) >> request on its way to a remote ntpd server and forge and send a response >> before the remote ntpd sends its response. It is potentially possible th= at >> the malicious data could become injectable/executable code. [CVE-2017-718= 3] >>=20 >> III. Impact >>=20 >> Malicious remote attackers may be able to break time synchornization, >> or cause the ntpq(8) utility to crash. >>=20 >> IV. Workaround >>=20 >> No workaround is available, but systems not running ntpd(8) or ntpq(8) ar= e >> not affected. Network administrators are advised to implement BCP-38 whi= ch >> helps to reduce risk associated with the attacks. >>=20 >> V. Solution >>=20 >> Perform one of the following: >>=20 >> 1) Upgrade your vulnerable system to a supported FreeBSD stable or >> release / security branch (releng) dated after the correction date. >>=20 >> The ntpd service has to be restarted after the update. A reboot is >> recommended but not required. >>=20 >> 2) To update your vulnerable system via a binary patch: >>=20 >> Systems running a RELEASE version of FreeBSD on the i386 or amd64 >> platforms can be updated via the freebsd-update(8) utility: >>=20 >> # freebsd-update fetch >> # freebsd-update install >>=20 >> The ntpd service has to be restarted after the update. A reboot is >> recommended but not required. >>=20 >> 3) To update your vulnerable system via a source code patch: >>=20 >> The following patches have been verified to apply to the applicable >> FreeBSD release branches. >>=20 >> a) Download the relevant patch from the location below, and verify the >> detached PGP signature using your PGP utility. >>=20 >> [FreeBSD 11.1] >> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch >> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc >> # gpg --verify ntp-11.1.patch.asc >>=20 >> [FreeBSD 10.4] >> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch >> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc >> # gpg --verify ntp-10.4.patch.asc >>=20 >> [FreeBSD 10.3] >> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch >> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc >> # gpg --verify ntp-10.3.patch.asc >>=20 >> b) Apply the patch. Execute the following commands as root: >>=20 >> # cd /usr/src >> # patch < /path/to/patch >>=20 >> c) Recompile the operating system using buildworld and installworld as >> described in . >>=20 >> Restart the applicable daemons, or reboot the system. >>=20 >> VI. Correction details >>=20 >> The following list contains the correction revision numbers for each >> affected branch. >>=20 >> Branch/path Revision= >> - ------------------------------------------------------------ >> ------------- >> stable/10/ r330141= >> releng/10.3/ r330567= >> releng/10.4/ r330567= >> stable/11/ r330106= >> releng/11.1/ r330567= >> - ------------------------------------------------------------ >> ------------- >>=20 >> To see which files were modified by a particular revision, run the >> following command, replacing NNNNNN with the revision number, on a >> machine with Subversion installed: >>=20 >> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >>=20 >> Or visit the following URL, replacing NNNNNN with the revision number: >>=20 >> >>=20 >> VII. References >>=20 >> > February_2018_ntp_4_2_8p11_NTP_S> >>=20 >> >>=20 >> >>=20 >> >>=20 >> >>=20 >> >>=20 >> The latest revision of this advisory is available at >> >> -----BEGIN PGP SIGNATURE----- >>=20 >> iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhYNfFIAAAAAALgAo >> aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD >> MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n >> 5cL9GQ/+PLffyegsvxKngL83XWG9UuHbcGG5aWbNwCecTEzNoCI72TI03aga0ge5 >> iLz5kW3SQvl8tsq778U4YbfFcCw6ifq2ws8asqNviv+u4AcJh7oD8CS3/kFuA9xM >> zjAIrScdNR2taBJhBW3nwlb7RmDeKqydQ3OIxHVvs9Fj5Alc5ZEGezUjC2dueB+M >> UdORg6GvHGMYQ+4AtBFRgZHAU3BFkwmgqsIICywYnUVH+AxKj34shs/pMMeJd/d9 >> a+BIu/tUjAIlQp23VunNAfq7r2eZik9LOV8Y5l1Ww7+K1IwlwezxI+Iw18BMFEVn >> L9baBY9RFh8v/yrZCBqUc7Prhs3ExU/lnAb05Va7TYeD4RXVmSU0jNXi/przN3y2 >> PR7Z3JCm60mFKyp0/Hz2MmS1XPBVBrW4P6g9hH8TZmOHb2mZlK3zDXmil7HKp5DK >> UhtMJpPEWV9k5rfP8iijHJnwkPr0ALntMUAAKUyw/6isVtHT6BZLaYsZvRYIm8YY >> Mn2RUl74m+XoIhQ8R4mxRcaAHwKKXyeyP5nlAs6TQVb9QJukoRiNDr3g8TwbtT54 >> iTswVu+z/a89/YIwJoc6Ud7eCZSDYe6qfuC19TVuledayjjy/ZPMH0ZkNWFWJ3AE >> VAvdyvoUuNbmsv42o4AUtpE/1CmDqOjwBRZZbtV4CONCDFpk26o=3D >> =3DD2ov >> -----END PGP SIGNATURE----- >> _______________________________________________ >> freebsd-security-notifications@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications= >> To unsubscribe, send any mail to "freebsd-security- >> notifications-unsubscribe@freebsd.org" >>=20 >=20 >=20 >=20 > --=20 > --------------------------------------------------------------------------= ------- > 4096R/D21D2752 > ECDF B= 597 > B54B 7F92 753E E0EA F699 A450 D21D 2752 > Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354 > Member, Apache Software Foundation > Committer, FreeBSD Foundation > Consultant, P6M7G8 Inc. > Director Cloud Technology, Capital One >=20 > What doesn't kill us can only make us stronger; > Except it almost kills you. > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org= "