168 lines
6.6 KiB
Text
168 lines
6.6 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-20:09.ntp Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Multiple denial of service in ntpd
|
|
|
|
Category: contrib
|
|
Module: ntp
|
|
Announced: 2020-03-19
|
|
Credits: Philippe Antoine and Miroslav Lichvar
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2020-03-04 23:54:13 UTC (stable/12, 12.1-STABLE)
|
|
2020-03-19 16:52:41 UTC (releng/12.1, 12.1-RELEASE-p3)
|
|
2020-03-05 00:18:09 UTC (stable/11, 11.3-STABLE)
|
|
2020-03-19 16:52:41 UTC (releng/11.3, 11.3-RELEASE-p7)
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The ntpd(8) daemon is an implementation of the Network Time Protocol
|
|
(NTP) used to synchronize the time of a computer system to a reference
|
|
time source.
|
|
|
|
II. Problem Description
|
|
|
|
Three NTP vulnerabilities are addressed by this security advisory.
|
|
|
|
NTP Bug 3610: Process_control() should exit earlier on short packets.
|
|
On systems that override the default and enable ntpdc (mode 7), fuzz testing
|
|
detected a short packet will cause ntpd to read uninitialized data.
|
|
|
|
NTP Bug 3596: Due to highly predictable transmit timestamps, an
|
|
unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim
|
|
ntpd configured to receive time from an unauthenticated time source is
|
|
vulnerable to an off-path attacker with permission to query the victim. The
|
|
attacker must send from a spoofed IPv4 address of an upstream NTP server and
|
|
the victim must process a large number of packets with that spoofed IPv4
|
|
address. After eight or more successful attacks in a row, the attacker can
|
|
either modify the victim's clock by a small amount or cause ntpd to
|
|
terminate. The attack is especially effective when unusually short poll
|
|
intervals have been configured.
|
|
|
|
NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such
|
|
that an ntpd can be prevented from initiating a time volley to its peer
|
|
resulting in a DoS.
|
|
|
|
III. Impact
|
|
|
|
All three NTP bugs may result in DoS or terimation of the ntp daemon.
|
|
|
|
IV. Workaround
|
|
|
|
Systems not using ntpd(8) are not vulnerable.
|
|
|
|
Systems running ntpd should make the following changes:
|
|
- - Disable mode 7
|
|
- - Use many trustworthy sources of time
|
|
- - Use NTP packet authentication
|
|
- - Monitor ntpd for error messages indicating attack
|
|
- - If only unauthenticated time over IPv4 is available, use the restrict
|
|
configuration directive
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 12.1-STABLE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch.asc
|
|
# gpg --verify ntp.12.patch.asc
|
|
|
|
[FreeBSD 12.1-RELEASE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch.asc
|
|
# gpg --verify ntp.12.1.patch.asc
|
|
|
|
[FreeBSD 11.3-STABLE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch.asc
|
|
# gpg --verify ntp.11.patch.asc
|
|
|
|
[FreeBSD 11.3-RELEASE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch.asc
|
|
# gpg --verify ntp.11.3.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart the applicable daemons, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r358659
|
|
releng/12.1/ r359144
|
|
stable/11/ r358660
|
|
releng/11.3/ r359144
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#March_2020_ntp_4_2_8p14_NTP_Rele>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:09.ntp.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cIoaA//V8fG/ugFkS6ASluls3rsww0gxoVH65HM7SDiPC814cl8ck2DUSMO7lzA
|
|
jPAmsLPdrhGrJ7lTndUxuZ5hf0YeI/CgccTWYoPgiZjfXoeHS2ydQVVpM9j2ByNo
|
|
KgwqEnRxLaIRBg3+zf7sT/IenC+ivHbPDxrmW4y7ehUQO/fZ3AcXjcAw6PPCzGlp
|
|
pN8Jml04uUuD/Nb92IzWGKvLPsL27slWAHG6nPPw0onzqaZqNhFf1UUDK9qvZRNB
|
|
2pHO+aJPfRq2kUk2DvfcB4kTGB1jbHJBBRNA1ns2xrtdKKIBnwSBatN/SBznhPuF
|
|
nxGN/Y0k8EYJdVOHaoyqSlG31jatAd/TaA9+1JauxB7/29c65JHyAfddtZKY64vl
|
|
DVnfDus+fcxg9D5FI7/O9qUeMZ/S1Ix683BzUPYhCDksC+VP28mqCHMBYRdKrc1m
|
|
ysnnER8Tli+Zbenn88202+lJAaAI3gKygdzKRQg5FgXWqWi84G1WPs+c8dihpovV
|
|
ZG5AqS1gJuwlP72x/g8by7BT140PZIEYaR5Qm7uIlfNTQxNBDmDkCF54wrhAFQWY
|
|
XZrOLiOsVJdn6mX9WfPh7kxd59nAjGuy5fKwWF22g5vQsGCGoBHsqZTKPiA+WxVu
|
|
Ngqq+8zUMkcTXP7NE3aT+4HDTXi/WRwiEKTGd8zGm5J8bEHXi9I=
|
|
=Q4Yq
|
|
-----END PGP SIGNATURE-----
|