Bug 15646

Summary: ntp new security issues CVE-2015-1798 and CVE-2015-1799
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: oe, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/639575/
Whiteboard: has_procedure advisory mga4-64-ok
Source RPM: ntp-4.2.6p5-23.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-04-07 19:10:47 CEST 
Upstream has announced two new security issues today (April 7):
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

There was some discussion of it on oss-security:
http://openwall.com/lists/oss-security/2015/04/07/4

Waiting for backported patches from Fedora.

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-07 19:10:53 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Oden Eriksson 2015-04-08 07:50:03 CEST 
Proposed fixes are linked from these bugs:

http://bugs.ntp.org/show_bug.cgi?id=2779
http://bugs.ntp.org/show_bug.cgi?id=2781

CC: (none) => oe

Comment 3 Oden Eriksson 2015-04-08 09:26:05 CEST 
ntp-4.2.6p5-15.4.mga4 has been submitted to updates_testing with these patches. Patches has been added in cauldron.
Comment 4 Oden Eriksson 2015-04-08 12:22:06 CEST 
======================================================
Name: CVE-2015-1798
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20150217
Category: 
Reference: CONFIRM:http://bugs.ntp.org/show_bug.cgi?id=2779
Reference: CONFIRM:http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
Reference: CERT-VN:VU#374268
Reference: URL:http://www.kb.cert.org/vuls/id/374268

The symmetric-key feature in the receive function in ntp_proto.c in
ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC
field has a nonzero length, which makes it easier for
man-in-the-middle attackers to spoof packets by omitting the MAC.



======================================================
Name: CVE-2015-1799
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20150217
Category: 
Reference: CONFIRM:http://bugs.ntp.org/show_bug.cgi?id=2781
Reference: CONFIRM:http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
Reference: CERT-VN:VU#374268
Reference: URL:http://www.kb.cert.org/vuls/id/374268

The symmetric-key feature in the receive function in ntp_proto.c in
ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates
upon receiving certain invalid packets, which makes it easier for
man-in-the-middle attackers to cause a denial of service
(synchronization loss) by spoofing the source IP address of a peer.
Comment 5 David Walser 2015-04-08 13:36:31 CEST 
Thanks.  FYI, you misnamed the second patch as CVE-2015-2781 (2781 being the upstream bug number) instead of CVE-2015-1799.  I just fixed it in SVN.
Comment 6 Oden Eriksson 2015-04-08 14:22:00 CEST 
(In reply to David Walser from comment #5)
> Thanks.  FYI, you misnamed the second patch as CVE-2015-2781 (2781 being the
> upstream bug number) instead of CVE-2015-1799.  I just fixed it in SVN.

Oh, thanks.
Comment 7 David Walser 2015-04-08 14:43:20 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in
NTP before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero
length, which makes it easier for man-in-the-middle attackers to spoof packets
by omitting the MAC (CVE-2015-1798).

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in
NTP before 4.2.8p2 performs state-variable updates upon receiving certain
invalid packets, which makes it easier for man-in-the-middle attackers to
cause a denial of service (synchronization loss) by spoofing the source IP
address of a peer (CVE-2015-1799).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-15.5.mga4
ntp-client-4.2.6p5-15.5.mga4
ntp-doc-4.2.6p5-15.5.mga4

from ntp-4.2.6p5-15.5.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Severity: normal => major

David Walser 2015-04-08 19:54:59 CEST

URL: (none) => http://lwn.net/Vulnerabilities/639575/

Comment 8 claire robinson 2015-04-10 16:35:57 CEST 
Testing complete mga4 64

# systemctl status ntpd.service 
ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since Fri 2015-04-10 15:25:56 BST; 3min 10s ago


# ntptime
ntp_gettime() returns code 0 (OK)
  time d8d25dd3.e5f44cf0  Fri, Apr 10 2015 15:33:55.898, (.898259141),
  maximum error 147614 us, estimated error 365 us, TAI offset 0
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset -670.415 us, frequency -35.717 ppm, interval 1 s,
  maximum error 147614 us, estimated error 365 us,
  status 0x2001 (PLL,NANO),
  time constant 6, precision 0.001 us, tolerance 500 ppm,

Whiteboard: (none) => has_procedure mga4-64-ok

Comment 9 claire robinson 2015-04-10 17:38:22 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2015-04-15 11:02:30 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0152.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED