146 lines
5.6 KiB
Text
146 lines
5.6 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-19:04.ntp Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Authenticated denial of service in ntpd
|
|
|
|
Category: contrib
|
|
Module: ntp
|
|
Announced: 2019-05-14
|
|
Credits: Magnus Stubman
|
|
Affects: All supported versions of FreeBSD
|
|
Corrected: 2019-03-07 13:45:36 UTC (stable/12, 12.0-STABLE)
|
|
2019-05-14 23:02:56 UTC (releng/12.0, 12.0-RELEASE-p4)
|
|
2019-03-07 13:45:36 UTC (stable/11, 11.3-PRERELEASE)
|
|
2019-05-14 23:06:26 UTC (releng/11.2, 11.2-RELEASE-p10)
|
|
CVE Name: CVE-2019-8936
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The ntpd(8) daemon is an implementation of the Network Time Protocol
|
|
(NTP) used to synchronize the time of a computer system to a reference
|
|
time source. The ntpd(8) daemon uses a protocol called mode 6 to both get
|
|
status information from the running ntpd(8) daemon and configure it on the
|
|
fly. This protocol is typically used by the ntpq(8) program, among others.
|
|
|
|
II. Problem Description
|
|
|
|
A crafted malicious authenticated mode 6 packet from a permitted network
|
|
address can trigger a NULL pointer dereference.
|
|
|
|
Note for this attack to work, the sending system must be on an address from
|
|
which the target ntpd(8) accepts mode 6 packets, and must use a private key
|
|
that is specifically listed as being used for mode 6 authorization.
|
|
|
|
III. Impact
|
|
|
|
The ntpd daemon can crash due to the NULL pointer dereference, causing a
|
|
denial of service.
|
|
|
|
IV. Workaround
|
|
|
|
Use 'restrict noquery' in the ntpd configuration to limit addresses that
|
|
can send mode 6 queries.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterwards, restart the ntpd service:
|
|
# service ntpd restart
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 12.0]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch.asc
|
|
# gpg --verify ntp.patch.asc
|
|
|
|
[FreeBSD 11.2-RELEASE/11.3-PRERELEASE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch.asc
|
|
# gpg --verify ntp-11.2.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart the ntpd service, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r344884
|
|
releng/12.0/ r347589
|
|
stable/11/ r344884
|
|
releng/11.2/ r347590
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#March_2019_ntp_4_2_8p13_NTP_Rele>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:04.ntp.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTrdfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cLGtw/8CNAYnLxARrMUK1QeC9sE7EaboYInSOgaunfK2Uw5tJk9b4GwWWjCSE0C
|
|
hSWg4a9xv3pks2ppfEJzRuy0eoYmiU0MYblnAnCwCmE2d3WYlExO7hZJa1iK3uPO
|
|
WvHre5q80kF8TJhS9rbph+6oyLaPun8f9PDIo4Oc2knTppNfrfzbB/HEuzP27KMp
|
|
gCXD/Nk/5tHbXjkIGamWCf9wgYuw/typYRV3W6sWDuPhug2sAvWk1TMo0cMJ4BHL
|
|
wL7Qh00rZ+nHWdk5GKFslga9gNjVPqD2DzRKCQO2bj4o+7ly2d+yk4jUpMKBq2r4
|
|
eQcQQnk9xj60NQ5cHGprOv6xwulBYycugF57iouNAP241cvVf+XZd4b/GthJODgz
|
|
fhP0aquusmtkawida3ZWWIVCjkM5NmHQsY5VTQLvTudtemb3kdmRMy3dFDN7oyXZ
|
|
PqP6JJUqamxNHilxRVytNCZLiSuy1P2MnJamyLZIqcDiT6yvMVBqwuGdQrSTSKyu
|
|
g/sR+vUohuJrP2i3pCCEfGtH5Nfq6GpY6Swxec81wUoqReGVCGmSFSEaas21TFYf
|
|
ZzAEAhywveGegkhqvsGP9A1zrTs6ZTCRzun32MhSo4xH/YZaArMvRa6JiSWTA1fG
|
|
ctwXEwIBj0XNEWBsCPgVvaF9bglmQZ2Iqn4iOiHlRGT7KxgjT7w=
|
|
=o9t5
|
|
-----END PGP SIGNATURE-----
|