Updated ntp packages fix security vulnerability
Publication date: 29 Jan 2016Modification date: 29 Jan 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-7974 , CVE-2015-7977 , CVE-2015-7978 , CVE-2015-7979 , CVE-2015-8138 , CVE-2015-8158
Description
In ntpd before 4.2.8p6, when used with symmetric key encryption, the
client would accept packets encrypted with keys for any configured server,
allowing a server to impersonate other servers to clients, thus performing
a man-in-the-middle attack. A server can be attacked by a client in a
similar manner (CVE-2015-7974).
A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc
reslist' commands that queried restriction lists with a large amount of
entries. A remote attacker could use this flaw to crash the ntpd process
(CVE-2015-7977).
A stack-based buffer overflow was found in the way ntpd processed 'ntpdc
reslist' commands that queried restriction lists with a large amount of
entries. A remote attacker could use this flaw to crash the ntpd process
(CVE-2015-7978).
It was found that when NTP is configured in broadcast mode, an off-path
attacker could broadcast packets with bad authentication (wrong key,
mismatched key, incorrect MAC, etc) to all clients. The clients, upon
receiving the malformed packets, would break the association with the
broadcast server. This could cause the time on affected clients to become
out of sync over a longer period of time (CVE-2015-7979).
A faulty protection against spoofing and replay attacks allows an attacker
to disrupt synchronization with kiss-of-death packets, take full control
of the clock, or cause ntpd to crash (CVE-2015-8138).
A flaw was found in the way the ntpq client certain processed incoming
packets in a loop in the getresponse() function. A remote attacker could
potentially use this flaw to crash an ntpq client instance
(CVE-2015-8158).
The ntp package has been patched to fix these issues and a few other bugs.
Note that there are still some unfixed issues. Two of those issues,
CVE-2015-8139 and CVE-2015-8140, are vulnerabilities to spoofing and
replay attacks that can be mitigated by either adding the noquery option
to all restrict entries in ntp.conf, configuring ntpd to get time from
multiple sources, or using a restriction list to limit who is allowed to
issue ntpq and ntpdc queries.
Additionally, the other unfixed issues can also be mitigated.
CVE-2015-7973, a replay attack issue, can be mitigated by not using
broadcast mode, and CVE-2015-7976, a bug that can cause globbing issues
on the server, can be mitigated by restricting use of the "saveconfig"
command with the "restrict nomodify" directive.
References
- https://bugs.mageia.org/show_bug.cgi?id=17606
- https://github.com/ntp-project/ntp/commit/71a962710bfe066f76da9679cf4cfdeffe34e95e
- http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
- http://www.talosintel.com/reports/TALOS-2016-0071/
- http://www.talosintel.com/reports/TALOS-2016-0074/
- http://www.talosintel.com/reports/TALOS-2016-0075/
- http://www.talosintel.com/reports/TALOS-2016-0076/
- http://www.talosintel.com/reports/TALOS-2016-0077/
- http://www.talosintel.com/reports/TALOS-2016-0080/
- https://bugzilla.redhat.com/show_bug.cgi?id=1297471
- https://bugzilla.redhat.com/show_bug.cgi?id=1299442
- https://bugzilla.redhat.com/show_bug.cgi?id=1300269
- https://bugzilla.redhat.com/show_bug.cgi?id=1300270
- https://bugzilla.redhat.com/show_bug.cgi?id=1300271
- https://bugzilla.redhat.com/show_bug.cgi?id=1300273
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158
SRPMS
5/core
- ntp-4.2.6p5-24.4.mga5