Bug 14858

Summary: ntp new security issues CVE-2014-929[3-6]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/627312/
Whiteboard: has_procedure advisory MGA4-64-OK mga4-32-ok
Source RPM: ntp-4.2.6p5-15.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-20 01:12:58 CET 
The press has caught wind of security advisories for ntp today (December 19):
http://www.zdnet.com/article/major-ntp-security-holes-appears-and-are-being-exploited/

Fedora committed patches in git 5 hours ago.

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

If no authentication key is defined in the ntp.conf file, a
cryptographically-weak default key is generated (CVE-2014-9293).

ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator
with a weak seed to generate symmetric keys (CVE-2014-9294).

A remote unauthenticated attacker may craft special packets that trigger
buffer overflows in the ntpd functions crypto_recv() (when using autokey
authentication), ctl_putdata(), and configure(). The resulting buffer
overflows may be exploited to allow arbitrary malicious code to be executed
with the privilege of the ntpd process (CVE-2014-9295).

A section of code in ntpd handling a rare error is missing a return
statement, therefore processing did not stop when the error was encountered.
This situation may be exploitable by an attacker (CVE-2014-9296).

The ntp package has been patched to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
http://support.ntp.org/bin/view/Main/SecurityNotice#Resolved_Vulnerabilities
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
http://www.kb.cert.org/vuls/id/852879
https://bugzilla.redhat.com/show_bug.cgi?id=1176032
https://bugzilla.redhat.com/show_bug.cgi?id=1176035
https://bugzilla.redhat.com/show_bug.cgi?id=1176037
https://bugzilla.redhat.com/show_bug.cgi?id=1176040
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-15.2.mga4
ntp-client-4.2.6p5-15.2.mga4
ntp-doc-4.2.6p5-15.2.mga4

from ntp-4.2.6p5-15.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 olivier charles 2014-12-20 13:14:16 CET 
Testing on Mageia 4x64 real hardware

From current packages :
---------------------

ntp-4.2.6p5-15.mga4
ntp-client-4.2.6p5-15.mga4

# systemctl status -l ntpd
ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running)

# ls -lsha /etc/ntp/*
4,0K -rw-r----- 1 root ntp  73 janv. 23  2014 /etc/ntp/keys
   0 -rw-r--r-- 1 root root  0 nov.  15 17:32 /etc/ntp/step-tickers

To updated testing packages :
---------------------------
ntp-4.2.6p5-15.2.mga4
ntp-client-4.2.6p5-15.2.mga4
ntp-doc-4.2.6p5-15.2.mga4

# systemctl restart ntpd
# systemctl status -l ntpd
ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since sam. 2014-12-20 13:04:13 CET; 7s ago

# ls -lsha /etc/ntp/*
4,0K -rw-r----- 1 root ntp  73 déc.  20 01:11 /etc/ntp/keys
   0 -rw-r--r-- 1 root root  0 déc.  20 13:03 /etc/ntp/step-tickers

ntp/keys has been renewed.

Stopped ntpd, changed time to a wrong one, restarted ntpd, time was automatically updated and changed back.

Seems OK.

CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK

Comment 2 claire robinson 2014-12-20 14:01:11 CET 
Testing complete mga4 32

As Olivier in comment 1. Also checked ntp-keygen and verified it is using openssl.

# ntp-keygen
Using OpenSSL version OpenSSL 1.0.1e 11 Feb 2013
..etc

# ntptime
ntp_gettime() returns code 0 (OK)
  time d83ff070.c9896954  Sat, Dec 20 2014 12:56:16.787, (.787253342),
  maximum error 471737 us, estimated error 965 us, TAI offset 0
ntp_adjtime() returns code 0 (OK)
...etc

Whiteboard: MGA4-64-OK => MGA4-64-OK mga4-32-ok

Comment 3 claire robinson 2014-12-20 14:10:09 CET 
Advisory uploaded. Validating.

Could sysadmin please push to 4 updates

Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK mga4-32-ok => has_procedure advisory MGA4-64-OK mga4-32-ok

Comment 4 Mageia Robot 2014-12-20 14:51:36 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0541.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2014-12-22 19:58:34 CET

URL: (none) => http://lwn.net/Vulnerabilities/627312/