Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 7 Mar 2018 09:40:32 -0500
From:      "Philip M. Gollucci" <pgollucci@p6m7g8.com>
To:        freebsd-security@freebsd.org
Cc:        FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp
Message-ID:  <CACM2dAbhK7u8Rk0Ax9i_pSxZ_gk3CZO-7yeT1iGvVd5ukQQvKQ@mail.gmail.com>
In-Reply-To: <20180307071008.BB2B6447F@freefall.freebsd.org>
References:  <20180307071008.BB2B6447F@freefall.freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
The links are 404ing

On Wed, Mar 7, 2018 at 2:10 AM, FreeBSD Security Advisories <
security-advisories@freebsd.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> ============================================================
> =================
> FreeBSD-SA-18:02.ntp                                        Security
> Advisory
>                                                           The FreeBSD
> Project
>
> Topic:          Multiple vulnerabilities of ntp
>
> Category:       contrib
> Module:         ntp
> Announced:      2018-03-07
> Credits:        Network Time Foundation
> Affects:        All supported versions of FreeBSD.
> Corrected:      2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE)
>                 2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7)
>                 2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE)
>                 2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6)
>                 2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27)
> CVE Name:       CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185,
>                 CVE-2018-7183
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
> used to synchronize the time of a computer system to a reference time
> source.
>
> II.  Problem Description
>
> The ctl_getitem() function is used by ntpd(8) to process incoming "mode 6"
> packets.  A malicious "mode 6" packet can be sent to an ntpd instance, and
> if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() will
> read past the end of its buffer. [CVE-2018-7182]
>
> The ntpd(8) service can be vulnerable to Sybil attacks.  If a system is
> configured to use a trustedkey and if one is not using the feature
> introduced
> in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
> specify
> which IPs can serve time, a malicious authenticated peer, i.e., one where
> the
> attacker knows the private symmetric key, can create arbitrarily-many
> ephemeral associations in order to win the clock selection of ntpd and
> modify
> a victim's clock. [CVE-2018-7170]
>
> The fix for NtpBug2952 was incomplete, and while it fixed one problem it
> created another.  Specifically, it drops bad packets before updating the
> "received" timestamp.  This means a third-party can inject a packet with
> a zero-origin timestamp, meaning the sender wants to reset the association,
> and the transmit timestamp in this bogus packet will be saved as the most
> recent "received" timestamp.  The real remote peer does not know this
> value and this will disrupt the association until the association resets.
> [CVE-2018-7184]
>
> The NTP Protocol allows for both non-authenticated and authenticated
> associations, in client/server, symmetric (peer), and several broadcast
> modes.  In addition to the basic NTP operational modes, symmetric mode and
> broadcast servers can support an interleaved mode of operation.  In
> ntp-4.2.8p4, a bug was inadvertently introduced into the protocol engine
> that
> allows a non-authenticated zero-origin (reset) packet to reset an
> authenticated interleaved peer association.  If an attacker can send a
> packet
> with a zero-origin timestamp and the source IP address of the "other side"
> of
> an interleaved association, the 'victim' ntpd will reset its association.
> The attacker must continue sending these packets in order to maintain the
> disruption of the association.  [CVE-2018-7185]
>
> The ntpq(8) utility is a monitoring and control program for ntpd.  The
> internal decodearr() function of ntpq(8) that is used to decode an array in
> a response string when formatted data is being displayed.  This is a
> problem
> in affected versions of ntpq if a maliciously-altered ntpd returns an array
> result that will trip this bug, or if a bad actor is able to read an
> ntpq(8)
> request on its way to a remote ntpd server and forge and send a response
> before the remote ntpd sends its response.  It is potentially possible that
> the malicious data could become injectable/executable code. [CVE-2017-7183]
>
> III. Impact
>
> Malicious remote attackers may be able to break time synchornization,
> or cause the ntpq(8) utility to crash.
>
> IV.  Workaround
>
> No workaround is available, but systems not running ntpd(8) or ntpq(8) are
> not affected.  Network administrators are advised to implement BCP-38 which
> helps to reduce risk associated with the attacks.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> The ntpd service has to be restarted after the update.  A reboot is
> recommended but not required.
>
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> The ntpd service has to be restarted after the update.  A reboot is
> recommended but not required.
>
> 3) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 11.1]
> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch
> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc
> # gpg --verify ntp-11.1.patch.asc
>
> [FreeBSD 10.4]
> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch
> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc
> # gpg --verify ntp-10.4.patch.asc
>
> [FreeBSD 10.3]
> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch
> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc
> # gpg --verify ntp-10.3.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
>
> Restart the applicable daemons, or reboot the system.
>
> VI.  Correction details
>
> The following list contains the correction revision numbers for each
> affected branch.
>
> Branch/path                                                      Revision
> - ------------------------------------------------------------
> -------------
> stable/10/                                                        r330141
> releng/10.3/                                                      r330567
> releng/10.4/                                                      r330567
> stable/11/                                                        r330106
> releng/11.1/                                                      r330567
> - ------------------------------------------------------------
> -------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
>
> VII. References
>
> <URL:http://support.ntp.org/bin/view/Main/SecurityNotice#
> February_2018_ntp_4_2_8p11_NTP_S>
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182>;
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170>;
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184>;
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185>;
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7183>;
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:02.ntp.asc>;
> -----BEGIN PGP SIGNATURE-----
>
> iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhYNfFIAAAAAALgAo
> aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
> MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
> 5cL9GQ/+PLffyegsvxKngL83XWG9UuHbcGG5aWbNwCecTEzNoCI72TI03aga0ge5
> iLz5kW3SQvl8tsq778U4YbfFcCw6ifq2ws8asqNviv+u4AcJh7oD8CS3/kFuA9xM
> zjAIrScdNR2taBJhBW3nwlb7RmDeKqydQ3OIxHVvs9Fj5Alc5ZEGezUjC2dueB+M
> UdORg6GvHGMYQ+4AtBFRgZHAU3BFkwmgqsIICywYnUVH+AxKj34shs/pMMeJd/d9
> a+BIu/tUjAIlQp23VunNAfq7r2eZik9LOV8Y5l1Ww7+K1IwlwezxI+Iw18BMFEVn
> L9baBY9RFh8v/yrZCBqUc7Prhs3ExU/lnAb05Va7TYeD4RXVmSU0jNXi/przN3y2
> PR7Z3JCm60mFKyp0/Hz2MmS1XPBVBrW4P6g9hH8TZmOHb2mZlK3zDXmil7HKp5DK
> UhtMJpPEWV9k5rfP8iijHJnwkPr0ALntMUAAKUyw/6isVtHT6BZLaYsZvRYIm8YY
> Mn2RUl74m+XoIhQ8R4mxRcaAHwKKXyeyP5nlAs6TQVb9QJukoRiNDr3g8TwbtT54
> iTswVu+z/a89/YIwJoc6Ud7eCZSDYe6qfuC19TVuledayjjy/ZPMH0ZkNWFWJ3AE
> VAvdyvoUuNbmsv42o4AUtpE/1CmDqOjwBRZZbtV4CONCDFpk26o=
> =D2ov
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to "freebsd-security-
> notifications-unsubscribe@freebsd.org"
>



-- 
---------------------------------------------------------------------------------
4096R/D21D2752
<http://pgp.mit.edu/pks/lookup?op=get&search=0xF699A450D21D2752>; ECDF B597
B54B 7F92 753E  E0EA F699 A450 D21D 2752
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
Member,                           Apache Software Foundation
Committer,                        FreeBSD Foundation
Consultant,                       P6M7G8 Inc.
Director Cloud Technology,        Capital One

What doesn't kill us can only make us stronger;
Except it almost kills you.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACM2dAbhK7u8Rk0Ax9i_pSxZ_gk3CZO-7yeT1iGvVd5ukQQvKQ>