Add SA-16:39.
parent 3a463f8343
commit 429d04e5da
Notes: svn2git, 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=49757
8 changed files with 52019 additions and 0 deletions
239
share/security/advisories/FreeBSD-SA-16:39.ntp.asc
Normal file
|
@ -0,0 +1,239 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-SA-16:39.ntp Security Advisory
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: Multiple vulnerabilities of ntp
|
||||
|
||||
Category: contrib
|
||||
Module: ntp
|
||||
Announced: XXXX-XX-XX
|
||||
Credits: Network Time Foundation
|
||||
Affects: All supported versions of FreeBSD.
|
||||
Corrected: 2016-11-22 16:22:51 UTC (stable/11, 11.0-STABLE)
|
||||
2016-12-22 16:19:05 UTC (releng/11.0, 11.0-RELEASE-p6)
|
||||
2016-11-22 16:23:20 UTC (stable/10, 10.3-STABLE)
|
||||
2016-12-22 16:19:05 UTC (releng/10.3, 10.3-RELEASE-p15)
|
||||
2016-12-22 16:19:05 UTC (releng/10.2, 10.2-RELEASE-p28)
|
||||
2016-12-22 16:19:05 UTC (releng/10.1, 10.1-RELEASE-p45)
|
||||
2016-11-22 16:23:46 UTC (stable/9, 9.3-STABLE)
|
||||
2016-12-22 16:19:05 UTC (releng/9.3, 9.3-RELEASE-p53)
|
||||
CVE Name: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7431,
|
||||
CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311
|
||||
|
||||
For general information regarding FreeBSD Security Advisories,
|
||||
including descriptions of the fields above, security branches, and the
|
||||
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
|
||||
used to synchronize the time of a computer system to a reference time
|
||||
source.
|
||||
|
||||
Trap is a mechanism to collect NTP daemon information from remote.
|
||||
|
||||
II. Problem Description
|
||||
|
||||
Multiple vulnerabilities have been discovered in the NTP suite:
|
||||
|
||||
CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy of Cisco ASIG.
|
||||
|
||||
CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS
|
||||
vector. Reported by Matthew Van Gundy of Cisco ASIG.
|
||||
|
||||
CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by
|
||||
Matthew Van Gundy of Cisco ASIG.
|
||||
|
||||
CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by
|
||||
Matthew Van Gundy of Cisco ASIG.
|
||||
|
||||
CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass.
|
||||
Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.
|
||||
|
||||
CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal().
|
||||
Reported by Magnus Stubman.
|
||||
|
||||
CVE-2016-7426: Client rate limiting and server responses. Reported by
|
||||
Miroslav Lichvar of Red Hat.
|
||||
|
||||
CVE-2016-7433: Reboot sync calculation problem. Reported independently
|
||||
by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra
|
||||
of Boston University.
|
||||
|
||||
III. Impact
|
||||
|
||||
A remote attacker who can send a specially crafted packet to cause a
|
||||
NULL pointer dereference that will crash ntpd, resulting in a Denial of
|
||||
Service. [CVE-2016-9311]
|
||||
|
||||
An exploitable configuration modification vulnerability exists in the
|
||||
control mode (mode 6) functionality of ntpd. If, against long-standing
|
||||
BCP recommendations, "restrict default noquery ..." is not specified,
|
||||
a specially crafted control mode packet can set ntpd traps, providing
|
||||
information disclosure and DDoS amplification, and unset ntpd traps,
|
||||
disabling legitimate monitoring by an attacker from remote. [CVE-2016-9310]
|
||||
|
||||
An attacker with access to the NTP broadcast domain can periodically
|
||||
inject specially crafted broadcast mode NTP packets into the broadcast
|
||||
domain which, while being logged by ntpd, can cause ntpd to reject
|
||||
broadcast mode packets from legitimate NTP broadcast servers.
|
||||
[CVE-2016-7427]
|
||||
|
||||
An attacker with access to the NTP broadcast domain can send specially
|
||||
crafted broadcast mode NTP packets to the broadcast domain which, while
|
||||
being logged by ntpd, will cause ntpd to reject broadcast mode packets
|
||||
from legitimate NTP broadcast servers. [CVE-2016-7428]
|
||||
|
||||
Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent
|
||||
timestamp validation checks introduced a regression in the handling of
|
||||
some Zero origin timestamp checks. [CVE-2016-7431]
|
||||
|
||||
If ntpd is configured to allow mrulist query requests from a server
|
||||
that sends a crafted malicious packet, ntpd will crash on receipt of
|
||||
that crafted malicious mrulist query packet. [CVE-2016-7434]
|
||||
|
||||
An attacker who knows the sources (e.g., from an IPv4 refid in server
|
||||
response) and knows the system is (mis)configured in this way can
|
||||
periodically send packets with spoofed source address to keep the rate
|
||||
limiting activated and prevent ntpd from accepting valid responses
|
||||
from its sources. [CVE-2016-7426]
|
||||
|
||||
Ntp Bug 2085 described a condition where the root delay was included
|
||||
twice, causing the jitter value to be higher than expected. Due to
|
||||
a misinterpretation of a small-print variable in The Book, the fix
|
||||
for this problem was incorrect, resulting in a root distance that did
|
||||
not include the peer dispersion. The calculations and formulas have
|
||||
been reviewed and reconciled, and the code has been updated accordingly.
|
||||
[CVE-2016-7433]
|
||||
|
||||
IV. Workaround
|
||||
|
||||
No workaround is available, but systems not running ntpd(8) are not
|
||||
affected. Network administrators are advised to implement BCP-38,
|
||||
which helps to reduce the risk associated with these attacks.
|
||||
|
||||
V. Solution
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
||||
release / security branch (releng) dated after the correction date.
|
||||
|
||||
The ntpd service has to be restarted after the update. A reboot is
|
||||
recommended but not required.
|
||||
|
||||
2) To update your vulnerable system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
The ntpd service has to be restarted after the update. A reboot is
|
||||
recommended but not required.
|
||||
|
||||
3) To update your vulnerable system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
[FreeBSD 11.0]
|
||||
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-11.0.patch
|
||||
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-11.0.patch.asc
|
||||
# gpg --verify ntp-11.0.patch.asc
|
||||
|
||||
[FreeBSD 10.x]
|
||||
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-10.x.patch
|
||||
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-10.x.patch.asc
|
||||
# gpg --verify ntp-10.x.patch.asc
|
||||
|
||||
[FreeBSD 9.3]
|
||||
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-9.3.patch
|
||||
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-9.3.patch.asc
|
||||
# gpg --verify ntp-9.3.patch.asc
|
||||
|
||||
b) Apply the patch. Execute the following commands as root:
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile the operating system using buildworld and installworld as
|
||||
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
||||
|
||||
Restart the applicable daemons, or reboot the system.
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the correction revision numbers for each
|
||||
affected branch.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/9/ r309009
|
||||
releng/9.3/ r310419
|
||||
stable/10/ r309008
|
||||
releng/10.1/ r310419
|
||||
releng/10.2/ r310419
|
||||
releng/10.3/ r310419
|
||||
stable/11/ r309007
|
||||
releng/11.0/ r310419
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing NNNNNN with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing NNNNNN with the revision number:
|
||||
|
||||
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||||
|
||||
VII. References
|
||||
|
||||
<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se>
|
||||
|
||||
<URL:https://www.kb.cert.org/vuls/id/633847>
|
||||
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426>
|
||||
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427>
|
||||
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428>
|
||||
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431>
|
||||
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433>
|
||||
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434>
|
||||
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310>
|
||||
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311>
|
||||
|
||||
The latest revision of this advisory is available at
|
||||
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:39.ntp.asc>
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2.1.16 (FreeBSD)
|
||||
|
||||
iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlhb/kAACgkQ7Wfs1l3P
|
||||
audQRhAA02Xpoz4mSF1Cz1gCgWAKpTNpB2fG5z8Pqv1q8BqdArr+ZH/G1g2L4E/b
|
||||
Id/g8WUvpZLozTeuWMx/6dm/XCbI+OhbzasZp46Cak3o2LMB6v3OC43qVX8fQiiO
|
||||
9GgCltR6I8V939MVFKxo+cdflqIwmguKdLJHvnin8mv8MAjXOG7rrAx+FqcQjJ5i
|
||||
oATuFLj/A9kWDiRH4TAQr/rVRmJGmIQY2GpEMt7oB/1ho5HFGhIdNZLCuriIcAGZ
|
||||
HpZJoNKmDHV3mOfM+C03e4otBaoX6asid2TiY5lnDMx4j+a+Gxdv5tWnt72Bn0X/
|
||||
EC5HWYjm7QFDg/hfrymBfT7cObuVKtdEJikkRw3huBy6RN6d4zsaTJFMIODl6sNs
|
||||
zBE5+vrwcXiUrbic10RoVzeSEFdVh7C6Ji1OK/rsxXAbgs0zkoHua/nxO2fhdyHr
|
||||
m3Mb59QE7TiM1zaMjks1QZXORo53CrGHrhE6Qi7sISO0SS4mWCOkulOZeNjXQ3xK
|
||||
GFox3YV0WDZz4m7VjZQS6/pj+dO4sABVQ0mahydJJX35FVkdJuknv/98yxmYRuHG
|
||||
jP9NTUEh6dGDT3w/57hGg7VIgTR47q3e6UbutrqNoxiV5Br465mb9LxMjngDW7bA
|
||||
poe9XHFMCmFV96gYN2va2cENUM/PjWI8mHWjZShG5DCXMVnK64A=
|
||||
=PDXk
|
||||
-----END PGP SIGNATURE-----
|
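Review bot: The header line "Announced: XXXX-XX-XX" is still a placeholder, so the advisory is committed without an announcement date even though the releng "Corrected:" entries are dated 2016-12-22; fill in the date before signing, because this text sits inside the PGP-signed block and any later correction needs a fresh signature. Section IV states "No workaround is available", yet the CVE-2016-9310 paragraph in section III says the trap issue applies only when "restrict default noquery ..." is not specified, so that restriction is worth naming as a mitigation for that CVE. The CVE-2016-7426 paragraph refers to a system "(mis)configured in this way" without describing the configuration anywhere, and the first sentence of section III ("A remote attacker who can send a specially crafted packet to cause ...") has no main verb; both should be reworded so the impact can be read without the upstream notice.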
17239
share/security/patches/SA-16:39/ntp-10.x.patch
Normal file
File diff suppressed because it is too large
17
share/security/patches/SA-16:39/ntp-10.x.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2.1.16 (FreeBSD)
|
||||
|
||||
iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlhb/kYACgkQ7Wfs1l3P
|
||||
audsjhAAgqfY6Tka1jCQ2nP/PqH+uysOTWh1AM8vuFCMkabQbYDkGfKgdv89f7AC
|
||||
OE7ocMX0dc/Vvu+bUUwyeI/hZoTNlK8OQZw/2nZ0OoS0doAx2IMjUZzCBQ7aunxH
|
||||
37fxwngn68SHykTtwaumCElX35JKFgU0ziUNGMa89M319SWNGYG3h8+HIYlK5YgZ
|
||||
5XYgrYbzX7o22QqJhe4B7iu8tpcj+efCbk8fGaKNNJ2sg53ErXhCOMImVN8NyOjm
|
||||
N7OQtOZLmL6Zo6zbGesIhUTKEWQLFOGrd5mzoKY6nRf5ecu76PHTgf9s1pseilzx
|
||||
5EMXj/Gf5ltW1Kun9kdqmsmTHIiJ6gbNySaxrz0vHwsRzuClmcH1zfKSzKYVaNRE
|
||||
r9tWmT6NNxM3XIAJY822O/SdXs89y+2J8RJRdsb49uyf+lVl0J8IkHSpNSV+oBh+
|
||||
wyYhk2b+UssPhcJi5uvoZJF5o3VOxEsM2in5cl+5Rmdw5IDvSIsENlAT0KXFJYmy
|
||||
dpu+p7T2hwf/nDk+f2LjtjuzBXbMeKvYZNBmHOsMXx6Myijbct9R47xp7SexGo6T
|
||||
UFPA7rZnoiuSiVWjE9h3y0zPRtiCDJnrEvocplxKhA4lxSN/1WNZsfSUdk2RuNEC
|
||||
1WuXVg9MaTi1urqIl6B8x+Pl1vJkD712jg0pV51n9LGTn8S+upY=
|
||||
=Ef1H
|
||||
-----END PGP SIGNATURE-----
|
17230
share/security/patches/SA-16:39/ntp-11.0.patch
Normal file
File diff suppressed because it is too large
17
share/security/patches/SA-16:39/ntp-11.0.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2.1.16 (FreeBSD)
|
||||
|
||||
iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlhb/kcACgkQ7Wfs1l3P
|
||||
aufy1xAA0RuOBVAQaSGwZ6gGxcuPjqf3oHkK+IEn+FeWY3k677SLAU6PugU8J4/w
|
||||
3i+QU8VrPXMqvUZdWlXPZVdCctlacbrHqxZ3kiCiyWXs9KaOR66Kej9jCjW/hAfg
|
||||
xd7HWILH7smPo3ujCXKmLEuiR7gbXYGXWQZa4C0Je4ayxPBT1vxfF8npf/66IdwQ
|
||||
1B6qJ4e8sQMpOBAeufIMxc2WvXsDFitclJG5rLrWoLYGvLy8pC09/2dAzGKuiPyW
|
||||
VVWIETr/Mu2xEt08nCY8HZLQjv6FGn4ZRc2IzYfk6rMZ9abB5hEAAw8Lg4aFI4FL
|
||||
LiTjajWdq86vJWzDS/lfL/p266jSiBW9qYCH/yZj493a5KLPXHWmL8QR6Lw443FU
|
||||
8K8qlYV2DA/5+hWdEPf78dvb+ZY0fvbpeRR1yO1xmIa1ePrXI40xLoaazGPG/LcT
|
||||
yA2mIsS/cvCZdRXfhmA8GRXjw2X9zllkftjFoxIQrpaZlBW339pTDhAe0EWanuaC
|
||||
FPZ1P0fr+1ygs0gPXKqV4agYEAD+kzT5BdIhCpH+vRcsUMXk48pw/8en25XaFtck
|
||||
lqYAefSrLmCykIkBXlPXYF86Wzh1JilWAFxYUnaRe72DzllweNpZrvgZ3cRxBhQc
|
||||
I0Fj3VpI+TCEfYLmu6HValsauITFW7W5AKBy8nnRFXFbV2Xcz9E=
|
||||
=TbL5
|
||||
-----END PGP SIGNATURE-----
|
17252
share/security/patches/SA-16:39/ntp-9.3.patch
Normal file
File diff suppressed because it is too large
17
share/security/patches/SA-16:39/ntp-9.3.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2.1.16 (FreeBSD)
|
||||
|
||||
iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlhb/kcACgkQ7Wfs1l3P
|
||||
aufUrBAAxhI/mLAq+1/lYV1DPND+T7XLKaS3Ad80xog/VIEImkd+mFXLKVDUc4CJ
|
||||
5hXcW+CysBVGQWhDCD8yUu0NhfRdWpPSZlXe6/DB/r1tHtyWaxH/IP8M45Oo0VHx
|
||||
aYpDA3aH8G3s/J5dY2JuuTX12q5bT+ZnUfElf/fZCjlK8qnutKApVui+t8u6OeSU
|
||||
iiKoCycLODfRuRKl9oC4rDAzbFRIH6tmJJJpOy3/MkOuwKON3UdOOWszi9A24D4r
|
||||
TGHDlhf2ndEP8SVaX1h1+SrrgxP5W55zHIECCcB3OwywDzKsqAxQYxWP0RIxRnLY
|
||||
zwlMBheHg/dkavqeN+EfUvZiuOkP+ZJRgfu5CMEkMdgQ3btcOaVeSfC2jUYhhnTS
|
||||
knAUi1VxStaV/VOUNG/R4WEIgNkb9scXyrfiFfPejtezVfxdAN5fY+Je0kFDkQE/
|
||||
0SlxIIGQbEGbaF+hDf5ewZ01nEONlbnw5s/Xefp4MfgSZ1Ry4O9R3nlinD62rcup
|
||||
IGt2eTV1X7zatb0vBhrRwjCw9MoqLu/ug3CUKureqLYUMMNwe6i5P14T8LuGzSZj
|
||||
we6vpIFzogdTvvzutVigNO+nayjJzasUgA6BizN7LdJmzwWpafQvfxHm1YCDJWgA
|
||||
VQoVHnJUB31+xx+vgeKUhwuQzDFDfHCQwa+XYiktoLlR4zoxenc=
|
||||
=eG5j
|
||||
-----END PGP SIGNATURE-----
|
|
@ -10,6 +10,14 @@
|
|||
<month>
|
||||
<name>12</name>
|
||||
|
||||
<day>
|
||||
<name>22</name>
|
||||
|
||||
<advisory>
|
||||
<name>FreeBSD-SA-16:39.ntp</name>
|
||||
</advisory>
|
||||
</day>
|
||||
|
||||
<day>
|
||||
<name>6</name>
|
||||
|
||||
|
|