From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 01:03:54 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4F687D99 for ; Wed, 24 Dec 2014 01:03:54 +0000 (UTC) Received: from mail-ig0-x22f.google.com (mail-ig0-x22f.google.com [IPv6:2607:f8b0:4001:c05::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1129B39B1 for ; Wed, 24 Dec 2014 01:03:54 +0000 (UTC) Received: by mail-ig0-f175.google.com with SMTP id h15so6288566igd.8 for ; Tue, 23 Dec 2014 17:03:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=/ng04XFSJCPhAnOvzUuBpwfeQmbyexaO9tPrm3je/dk=; b=DWbjj9vGaLV1Cw7qfnCSoQ+u63iPTfRHe+6508K0MvHuzxBr8pUgCa2CPDdSz8/+Wg xIDoc5zvzzU2YNFKO8tebCv3rf6kNx1XXZOQ7y7N3TpID9fpZSbGSIMixrKcobwxbQJV zSOeObDaUUKjONnCROtSTGyQnCtisisT6prLL9m41vd7lT3dS7x7N2qbkgs7HodoXZiS 1Knj9fw8l6ycDXurhxbkxhjOinBnGmyYcaO9HoRiNC6VZoOCMv9lW17BJal8HfGeBNQm ea7hwVxv6COGj6WKr7g3ov1jmCa0LhX3D54MVa2nFubIrBIdCM3XcyCxhzHKvbMZmmXt f2Xw== MIME-Version: 1.0 X-Received: by 10.50.134.195 with SMTP id pm3mr24144179igb.0.1419383033272; Tue, 23 Dec 2014 17:03:53 -0800 (PST) Sender: kob6558@gmail.com Received: by 10.107.52.19 with HTTP; Tue, 23 Dec 2014 17:03:53 -0800 (PST) Received: by 10.107.52.19 with HTTP; Tue, 23 Dec 2014 17:03:53 -0800 (PST) In-Reply-To: <20141223233310.0165A4BB5@nine.des.no> References: <20141223233310.0165A4BB5@nine.des.no> Date: Tue, 23 Dec 2014 17:03:53 -0800 X-Google-Sender-Auth: XVq8lStGLXD4TO4Vh_liinV5mxc Message-ID: Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:31.ntp From: Kevin Oberman To: freebsd-security@freebsd.org X-Mailman-Approved-At: Wed, 24 Dec 2014 02:48:38 +0000 Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Dec 2014 01:03:54 -0000 What month is 2014-14-22? I assume tgat you meant 2014-12-22. On Dec 23, 2014 3:35 PM, "FreeBSD Security Advisories" < security-advisories@freebsd.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > > ============================================================================= > FreeBSD-SA-14:31.ntp Security > Advisory > The FreeBSD > Project > > Topic: Multiple vulnerabilities in NTP suite > > Category: contrib > Module: ntp > Announced: 2014-12-23 > Affects: All supported versions of FreeBSD. > Corrected: 2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE) > 2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3) > 2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15) > 2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE) > 2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7) > 2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17) > 2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24) > 2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE) > 2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21) > CVE Name: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) > used to synchronize the time of a computer system to a reference time > source. > > II. Problem Description > > When no authentication key is set in the configuration file, ntpd(8) > would generate a random key that uses a non-linear additive feedback random > number generator seeded with very few bits of entropy. [CVE-2014-9293] > The ntp-keygen(8) utility is also affected by a similar issue. > [CVE-2014-9294] > > When Autokey Authentication is enabled, for example if ntp.conf(5) contains > a 'crypto pw' directive, a remote attacker can send a carefully > crafted packet that can overflow a stack buffer. [CVE-2014-9295] > > In ntp_proto.c, the receive() function is missing a return statement in > the case when an error is detected. [CVE-2014-9296] > > III. Impact > > The NTP protocol uses keys to implement authentication. The weak > seeding of the pseudo-random number generator makes it easier for an > attacker to brute-force keys, and thus may broadcast incorrect time stamps > or masquerade as another time server. [CVE-2014-9293, CVE-2014-9294] > > An attacker may be able to utilize the buffer overflow to crash the ntpd(8) > daemon or potentially run arbitrary code with the privileges of the ntpd(8) > process, which is typically root. [CVE-2014-9295] > > IV. Workaround > > No workaround is available, but systems not running ntpd(8) are not > affected. Because the issue may lead to remote root compromise, the > FreeBSD Security Team recommends system administrators to firewall NTP > ports, namely tcp/123 and udp/123 when it is not clear that all systems > have been patched or have ntpd(8) stopped. > > V. Solution > > NOTE WELL: It is advisable to regenerate all keys used for NTP > authentication, if configured. > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > 2) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > 3) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch > # fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch.asc > # gpg --verify ntp.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system using buildworld and installworld as > described in . > > Restart the ntpd(8) daemons, or reboot the system. > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - ------------------------------------------------------------------------- > stable/8/ r276073 > releng/8.4/ r276154 > stable/9/ r276073 > releng/9.1/ r276155 > releng/9.2/ r276156 > releng/9.3/ r276157 > stable/10/ r276072 > releng/10.0/ r276158 > releng/10.1/ r276159 > - ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. References > > > > > > > > > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > > iQIcBAEBCgAGBQJUmfSAAAoJEO1n7NZdz2rnV/IQAMeAuVbyKDMu3mec0ErpL5z8 > OcSxVxKWH9udDJQkpiw6OaU4ks7PGOH/PgAad0mIhWPflXtpUlWMQtUa54Ds4s/t > NjknM2vS4sBMZLk0Poqsts0TohfwdxF+CT8OCZARA2i3t70Ov0Y9BeoCatL2rnS+ > rPbhhlnQXrsAJDCKcjSrYw+37cDNEdcvk4UKhiKh76J6CXwn2cT6h1dXTMFyImWq > slTNlkJV6iFMNYn3oSA8nCVEJVMw2XQwVfg2qzkpZcuDGKE5fFpdvX3VcRP7b2cq > zwSClt29B7FF3EjrplRuEdgxDk8m9PjVbUz9tocLPIqV0RjhTA9j7MhNcWH5G3Dh > u6NQDsA0WzE8Ki2mrWpTEAFp21ZzSyXXtZ703XYiXbQKNG9lKEFv5Z8ffVHSrUT7 > uB2BsP+LrnnWNNdjkRSSSxrfy4CvFLsdQ9FI1FNz+oofEio6yPO+W47pBH//Nbj0 > wfeReW1OlbrtWF6NHZr4CfX+Lx9hu4CXXdXRWKdMDTYUywr0V6BiIsrNlN1z7XCy > 90+43twFhGBsOSVD5PpcDmt9oEYfpwWKdXO6dXClCo+mxAki/fgf5Y24cTT9DTQn > CKuVZuyaMi+HZ0jf2sKITQ03S8+Nrn7cZEXkIGScfT5z1Y8pcN+7bRhB1DpaCs0q > IIw6TjJXQm8DTMuBIwf3 > =oSCq > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org > " >