Add SA-16:39.

svn path=/head/; revision=49757

share/security/advisories/FreeBSD-SA-16:39.ntp.asc

@@ -0,0 +1,239 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-16:39.ntp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities of ntp
+
+Category:       contrib
+Module:         ntp
+Announced:      XXXX-XX-XX
+Credits:        Network Time Foundation
+Affects:        All supported versions of FreeBSD.
+Corrected:      2016-11-22 16:22:51 UTC (stable/11, 11.0-STABLE)
+                2016-12-22 16:19:05 UTC (releng/11.0, 11.0-RELEASE-p6)
+                2016-11-22 16:23:20 UTC (stable/10, 10.3-STABLE)
+                2016-12-22 16:19:05 UTC (releng/10.3, 10.3-RELEASE-p15)
+                2016-12-22 16:19:05 UTC (releng/10.2, 10.2-RELEASE-p28)
+                2016-12-22 16:19:05 UTC (releng/10.1, 10.1-RELEASE-p45)
+                2016-11-22 16:23:46 UTC (stable/9, 9.3-STABLE)
+                2016-12-22 16:19:05 UTC (releng/9.3, 9.3-RELEASE-p53)
+CVE Name:       CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7431,
+                CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
+used to synchronize the time of a computer system to a reference time
+source.
+
+Trap is a mechanism to collect NTP daemon information from remote.
+
+II.  Problem Description
+
+Multiple vulnerabilities have been discovered in the NTP suite:
+
+CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy of Cisco ASIG.
+
+CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS
+vector. Reported by Matthew Van Gundy of Cisco ASIG.
+
+CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by
+Matthew Van Gundy of Cisco ASIG.
+
+CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by
+Matthew Van Gundy of Cisco ASIG.
+
+CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass.
+Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.
+
+CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal().
+Reported by Magnus Stubman.
+
+CVE-2016-7426: Client rate limiting and server responses. Reported by
+Miroslav Lichvar of Red Hat.
+
+CVE-2016-7433: Reboot sync calculation problem. Reported independently
+by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra
+of Boston University.
+
+III. Impact
+
+A remote attacker who can send a specially crafted packet to cause a
+NULL pointer dereference that will crash ntpd, resulting in a Denial of
+Service. [CVE-2016-9311]
+
+An exploitable configuration modification vulnerability exists in the
+control mode (mode 6) functionality of ntpd. If, against long-standing
+BCP recommendations, "restrict default noquery ..." is not specified,
+a specially crafted control mode packet can set ntpd traps, providing
+information disclosure and DDoS amplification, and unset ntpd traps,
+disabling legitimate monitoring by an attacker from remote. [CVE-2016-9310]
+
+An attacker with access to the NTP broadcast domain can periodically
+inject specially crafted broadcast mode NTP packets into the broadcast
+domain which, while being logged by ntpd, can cause ntpd to reject
+broadcast mode packets from legitimate NTP broadcast servers.
+[CVE-2016-7427]
+
+An attacker with access to the NTP broadcast domain can send specially
+crafted broadcast mode NTP packets to the broadcast domain which, while
+being logged by ntpd, will cause ntpd to reject broadcast mode packets
+from legitimate NTP broadcast servers. [CVE-2016-7428]
+
+Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent
+timestamp validation checks introduced a regression in the handling of
+some Zero origin timestamp checks. [CVE-2016-7431]
+
+If ntpd is configured to allow mrulist query requests from a server
+that sends a crafted malicious packet, ntpd will crash on receipt of
+that crafted malicious mrulist query packet. [CVE-2016-7434]
+
+An attacker who knows the sources (e.g., from an IPv4 refid in server
+response) and knows the system is (mis)configured in this way can
+periodically send packets with spoofed source address to keep the rate
+limiting activated and prevent ntpd from accepting valid responses
+from its sources. [CVE-2016-7426]
+
+Ntp Bug 2085 described a condition where the root delay was included
+twice, causing the jitter value to be higher than expected.  Due to
+a misinterpretation of a small-print variable in The Book, the fix
+for this problem was incorrect, resulting in a root distance that did
+not include the peer dispersion. The calculations and formulas have
+been reviewed and reconciled, and the code has been updated accordingly.
+[CVE-2016-7433]
+
+IV.  Workaround
+
+No workaround is available, but systems not running ntpd(8) are not
+affected.  Network administrators are advised to implement BCP-38,
+which helps to reduce the risk associated with these attacks.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The ntpd service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The ntpd service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.0]
+# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-11.0.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-11.0.patch.asc
+# gpg --verify ntp-11.0.patch.asc
+
+[FreeBSD 10.x]
+# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-10.x.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-10.x.patch.asc
+# gpg --verify ntp-10.x.patch.asc
+
+[FreeBSD 9.3]
+# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-9.3.patch
+# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-9.3.patch.asc
+# gpg --verify ntp-9.3.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r309009
+releng/9.3/                                                       r310419
+stable/10/                                                        r309008
+releng/10.1/                                                      r310419
+releng/10.2/                                                      r310419
+releng/10.3/                                                      r310419
+stable/11/                                                        r309007
+releng/11.0/                                                      r310419
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se>
+
+<URL:https://www.kb.cert.org/vuls/id/633847>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:39.ntp.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.16 (FreeBSD)
+
+iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlhb/kAACgkQ7Wfs1l3P
+audQRhAA02Xpoz4mSF1Cz1gCgWAKpTNpB2fG5z8Pqv1q8BqdArr+ZH/G1g2L4E/b
+Id/g8WUvpZLozTeuWMx/6dm/XCbI+OhbzasZp46Cak3o2LMB6v3OC43qVX8fQiiO
+9GgCltR6I8V939MVFKxo+cdflqIwmguKdLJHvnin8mv8MAjXOG7rrAx+FqcQjJ5i
+oATuFLj/A9kWDiRH4TAQr/rVRmJGmIQY2GpEMt7oB/1ho5HFGhIdNZLCuriIcAGZ
+HpZJoNKmDHV3mOfM+C03e4otBaoX6asid2TiY5lnDMx4j+a+Gxdv5tWnt72Bn0X/
+EC5HWYjm7QFDg/hfrymBfT7cObuVKtdEJikkRw3huBy6RN6d4zsaTJFMIODl6sNs
+zBE5+vrwcXiUrbic10RoVzeSEFdVh7C6Ji1OK/rsxXAbgs0zkoHua/nxO2fhdyHr
+m3Mb59QE7TiM1zaMjks1QZXORo53CrGHrhE6Qi7sISO0SS4mWCOkulOZeNjXQ3xK
+GFox3YV0WDZz4m7VjZQS6/pj+dO4sABVQ0mahydJJX35FVkdJuknv/98yxmYRuHG
+jP9NTUEh6dGDT3w/57hGg7VIgTR47q3e6UbutrqNoxiV5Br465mb9LxMjngDW7bA
+poe9XHFMCmFV96gYN2va2cENUM/PjWI8mHWjZShG5DCXMVnK64A=
+=PDXk
+-----END PGP SIGNATURE-----

share/security/patches/SA-16:39/ntp-10.x.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.16 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlhb/kYACgkQ7Wfs1l3P
+audsjhAAgqfY6Tka1jCQ2nP/PqH+uysOTWh1AM8vuFCMkabQbYDkGfKgdv89f7AC
+OE7ocMX0dc/Vvu+bUUwyeI/hZoTNlK8OQZw/2nZ0OoS0doAx2IMjUZzCBQ7aunxH
+37fxwngn68SHykTtwaumCElX35JKFgU0ziUNGMa89M319SWNGYG3h8+HIYlK5YgZ
+5XYgrYbzX7o22QqJhe4B7iu8tpcj+efCbk8fGaKNNJ2sg53ErXhCOMImVN8NyOjm
+N7OQtOZLmL6Zo6zbGesIhUTKEWQLFOGrd5mzoKY6nRf5ecu76PHTgf9s1pseilzx
+5EMXj/Gf5ltW1Kun9kdqmsmTHIiJ6gbNySaxrz0vHwsRzuClmcH1zfKSzKYVaNRE
+r9tWmT6NNxM3XIAJY822O/SdXs89y+2J8RJRdsb49uyf+lVl0J8IkHSpNSV+oBh+
+wyYhk2b+UssPhcJi5uvoZJF5o3VOxEsM2in5cl+5Rmdw5IDvSIsENlAT0KXFJYmy
+dpu+p7T2hwf/nDk+f2LjtjuzBXbMeKvYZNBmHOsMXx6Myijbct9R47xp7SexGo6T
+UFPA7rZnoiuSiVWjE9h3y0zPRtiCDJnrEvocplxKhA4lxSN/1WNZsfSUdk2RuNEC
+1WuXVg9MaTi1urqIl6B8x+Pl1vJkD712jg0pV51n9LGTn8S+upY=
+=Ef1H
+-----END PGP SIGNATURE-----

share/security/patches/SA-16:39/ntp-11.0.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.16 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlhb/kcACgkQ7Wfs1l3P
+aufy1xAA0RuOBVAQaSGwZ6gGxcuPjqf3oHkK+IEn+FeWY3k677SLAU6PugU8J4/w
+3i+QU8VrPXMqvUZdWlXPZVdCctlacbrHqxZ3kiCiyWXs9KaOR66Kej9jCjW/hAfg
+xd7HWILH7smPo3ujCXKmLEuiR7gbXYGXWQZa4C0Je4ayxPBT1vxfF8npf/66IdwQ
+1B6qJ4e8sQMpOBAeufIMxc2WvXsDFitclJG5rLrWoLYGvLy8pC09/2dAzGKuiPyW
+VVWIETr/Mu2xEt08nCY8HZLQjv6FGn4ZRc2IzYfk6rMZ9abB5hEAAw8Lg4aFI4FL
+LiTjajWdq86vJWzDS/lfL/p266jSiBW9qYCH/yZj493a5KLPXHWmL8QR6Lw443FU
+8K8qlYV2DA/5+hWdEPf78dvb+ZY0fvbpeRR1yO1xmIa1ePrXI40xLoaazGPG/LcT
+yA2mIsS/cvCZdRXfhmA8GRXjw2X9zllkftjFoxIQrpaZlBW339pTDhAe0EWanuaC
+FPZ1P0fr+1ygs0gPXKqV4agYEAD+kzT5BdIhCpH+vRcsUMXk48pw/8en25XaFtck
+lqYAefSrLmCykIkBXlPXYF86Wzh1JilWAFxYUnaRe72DzllweNpZrvgZ3cRxBhQc
+I0Fj3VpI+TCEfYLmu6HValsauITFW7W5AKBy8nnRFXFbV2Xcz9E=
+=TbL5
+-----END PGP SIGNATURE-----

share/security/patches/SA-16:39/ntp-9.3.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.16 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlhb/kcACgkQ7Wfs1l3P
+aufUrBAAxhI/mLAq+1/lYV1DPND+T7XLKaS3Ad80xog/VIEImkd+mFXLKVDUc4CJ
+5hXcW+CysBVGQWhDCD8yUu0NhfRdWpPSZlXe6/DB/r1tHtyWaxH/IP8M45Oo0VHx
+aYpDA3aH8G3s/J5dY2JuuTX12q5bT+ZnUfElf/fZCjlK8qnutKApVui+t8u6OeSU
+iiKoCycLODfRuRKl9oC4rDAzbFRIH6tmJJJpOy3/MkOuwKON3UdOOWszi9A24D4r
+TGHDlhf2ndEP8SVaX1h1+SrrgxP5W55zHIECCcB3OwywDzKsqAxQYxWP0RIxRnLY
+zwlMBheHg/dkavqeN+EfUvZiuOkP+ZJRgfu5CMEkMdgQ3btcOaVeSfC2jUYhhnTS
+knAUi1VxStaV/VOUNG/R4WEIgNkb9scXyrfiFfPejtezVfxdAN5fY+Je0kFDkQE/
+0SlxIIGQbEGbaF+hDf5ewZ01nEONlbnw5s/Xefp4MfgSZ1Ry4O9R3nlinD62rcup
+IGt2eTV1X7zatb0vBhrRwjCw9MoqLu/ug3CUKureqLYUMMNwe6i5P14T8LuGzSZj
+we6vpIFzogdTvvzutVigNO+nayjJzasUgA6BizN7LdJmzwWpafQvfxHm1YCDJWgA
+VQoVHnJUB31+xx+vgeKUhwuQzDFDfHCQwa+XYiktoLlR4zoxenc=
+=eG5j
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -10,6 +10,14 @@
     <month>
       <name>12</name>
 
+      <day>
+        <name>22</name>
+
+        <advisory>
+          <name>FreeBSD-SA-16:39.ntp</name>
+        </advisory>
+      </day>
+
       <day>
         <name>6</name>