239 lines
9.7 KiB
Text
239 lines
9.7 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-16:39.ntp Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Multiple vulnerabilities of ntp
|
|
|
|
Category: contrib
|
|
Module: ntp
|
|
Announced: 2016-12-22
|
|
Credits: Network Time Foundation
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2016-11-22 16:22:51 UTC (stable/11, 11.0-STABLE)
|
|
2016-12-22 16:19:05 UTC (releng/11.0, 11.0-RELEASE-p6)
|
|
2016-11-22 16:23:20 UTC (stable/10, 10.3-STABLE)
|
|
2016-12-22 16:19:05 UTC (releng/10.3, 10.3-RELEASE-p15)
|
|
2016-12-22 16:19:05 UTC (releng/10.2, 10.2-RELEASE-p28)
|
|
2016-12-22 16:19:05 UTC (releng/10.1, 10.1-RELEASE-p45)
|
|
2016-11-22 16:23:46 UTC (stable/9, 9.3-STABLE)
|
|
2016-12-22 16:19:05 UTC (releng/9.3, 9.3-RELEASE-p53)
|
|
CVE Name: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7431,
|
|
CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
|
|
used to synchronize the time of a computer system to a reference time
|
|
source.
|
|
|
|
Trap is a mechanism to collect NTP daemon information from remote.
|
|
|
|
II. Problem Description
|
|
|
|
Multiple vulnerabilities have been discovered in the NTP suite:
|
|
|
|
CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy of Cisco ASIG.
|
|
|
|
CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS
|
|
vector. Reported by Matthew Van Gundy of Cisco ASIG.
|
|
|
|
CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by
|
|
Matthew Van Gundy of Cisco ASIG.
|
|
|
|
CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by
|
|
Matthew Van Gundy of Cisco ASIG.
|
|
|
|
CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass.
|
|
Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.
|
|
|
|
CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal().
|
|
Reported by Magnus Stubman.
|
|
|
|
CVE-2016-7426: Client rate limiting and server responses. Reported by
|
|
Miroslav Lichvar of Red Hat.
|
|
|
|
CVE-2016-7433: Reboot sync calculation problem. Reported independently
|
|
by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra
|
|
of Boston University.
|
|
|
|
III. Impact
|
|
|
|
A remote attacker who can send a specially crafted packet to cause a
|
|
NULL pointer dereference that will crash ntpd, resulting in a Denial of
|
|
Service. [CVE-2016-9311]
|
|
|
|
An exploitable configuration modification vulnerability exists in the
|
|
control mode (mode 6) functionality of ntpd. If, against long-standing
|
|
BCP recommendations, "restrict default noquery ..." is not specified,
|
|
a specially crafted control mode packet can set ntpd traps, providing
|
|
information disclosure and DDoS amplification, and unset ntpd traps,
|
|
disabling legitimate monitoring by an attacker from remote. [CVE-2016-9310]
|
|
|
|
An attacker with access to the NTP broadcast domain can periodically
|
|
inject specially crafted broadcast mode NTP packets into the broadcast
|
|
domain which, while being logged by ntpd, can cause ntpd to reject
|
|
broadcast mode packets from legitimate NTP broadcast servers.
|
|
[CVE-2016-7427]
|
|
|
|
An attacker with access to the NTP broadcast domain can send specially
|
|
crafted broadcast mode NTP packets to the broadcast domain which, while
|
|
being logged by ntpd, will cause ntpd to reject broadcast mode packets
|
|
from legitimate NTP broadcast servers. [CVE-2016-7428]
|
|
|
|
Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent
|
|
timestamp validation checks introduced a regression in the handling of
|
|
some Zero origin timestamp checks. [CVE-2016-7431]
|
|
|
|
If ntpd is configured to allow mrulist query requests from a server
|
|
that sends a crafted malicious packet, ntpd will crash on receipt of
|
|
that crafted malicious mrulist query packet. [CVE-2016-7434]
|
|
|
|
An attacker who knows the sources (e.g., from an IPv4 refid in server
|
|
response) and knows the system is (mis)configured in this way can
|
|
periodically send packets with spoofed source address to keep the rate
|
|
limiting activated and prevent ntpd from accepting valid responses
|
|
from its sources. [CVE-2016-7426]
|
|
|
|
Ntp Bug 2085 described a condition where the root delay was included
|
|
twice, causing the jitter value to be higher than expected. Due to
|
|
a misinterpretation of a small-print variable in The Book, the fix
|
|
for this problem was incorrect, resulting in a root distance that did
|
|
not include the peer dispersion. The calculations and formulas have
|
|
been reviewed and reconciled, and the code has been updated accordingly.
|
|
[CVE-2016-7433]
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but systems not running ntpd(8) are not
|
|
affected. Network administrators are advised to implement BCP-38,
|
|
which helps to reduce the risk associated with these attacks.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
The ntpd service has to be restarted after the update. A reboot is
|
|
recommended but not required.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
The ntpd service has to be restarted after the update. A reboot is
|
|
recommended but not required.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.0]
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-11.0.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-11.0.patch.asc
|
|
# gpg --verify ntp-11.0.patch.asc
|
|
|
|
[FreeBSD 10.x]
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-10.x.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-10.x.patch.asc
|
|
# gpg --verify ntp-10.x.patch.asc
|
|
|
|
[FreeBSD 9.3]
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-9.3.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-9.3.patch.asc
|
|
# gpg --verify ntp-9.3.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart the applicable daemons, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/9/ r309009
|
|
releng/9.3/ r310419
|
|
stable/10/ r309008
|
|
releng/10.1/ r310419
|
|
releng/10.2/ r310419
|
|
releng/10.3/ r310419
|
|
stable/11/ r309007
|
|
releng/11.0/ r310419
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se>
|
|
|
|
<URL:https://www.kb.cert.org/vuls/id/633847>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:39.ntp.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.1.16 (FreeBSD)
|
|
|
|
iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlhcqO8ACgkQ7Wfs1l3P
|
|
auesmRAAknI729Wvs8x4vWgn2ENXDNFBZUrdzcCHZtmnNRK8zjIhl8PzA47LxPwq
|
|
0+C7TdI6YPrsWqqovATUym/PinnGnZzvBa1tmzSAMUk9qfMLYbPsWB3haPCyIBN0
|
|
lM1eqJ9ir0WA9/msLE5oqJSDSpePo7BETkcP+kvdVLPsL3mJ4DltnqeV/MaAUYhF
|
|
Rru9UtYBnXelNJF14uEtJhATP9ImzdQuux8yJYfXaSebDKFfZVAkOkXqIHq1WdgM
|
|
UPGPDoOSYkOC4zRy/YSA0RaRilW1LNZOEg/8ImfWU87ArVDsaso+2xt71SsHGuG0
|
|
5TKfiN+xJPGNLh3XqXivbo3VcRw96cdzYGYRlcE1oG4mG8YaOPbTC0CI4u8RwJgd
|
|
PLqSsC1W6IgCKgOYJNok4/h1bEnmIMNisAy5gIvZjoR5+7frxEH5WNxbNBDR+jc9
|
|
NEtLp/Jp7Uk24+iYP8fok0IfwIhxCLMXq7NwIxHBAJ/7YeHQsOQ4EtDWbAe6BZQS
|
|
cWskAOJ9SZetOYprcWnm+EvkimKgzY5NGosWgC/1JznaRJv+bjOpLttd9ycAAHHE
|
|
iXS4L89LP4lHx135rU7LROARXIBCBQuG08y2me3CDA/dZbtRnZ9tJFCvVq8phz4y
|
|
Jttnh9zDfV7zjJ0MirQZ8EdIqNG2xGEgbfz9ctkzJVrVXXcjMOM=
|
|
=jR6z
|
|
-----END PGP SIGNATURE-----
|