Bug 17606

Summary:	ntp new security issues from TALOS fixed upstream in 4.2.8p6
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	davidwhodgins, sysadmin-bugs, tarazed25
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/674069/
Whiteboard:	MGA5-64-OK MGA5-32-OK advisory
Source RPM:	ntp-4.2.6p5-24.3.mga5.src.rpm	CVE:
Status comment:

Description David Walser 2016-01-25 02:53:42 CET

Upstream has issued an advisory on January 19:
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit

Fedora has backported fixes for some, but not all of these issues, and two of the issues were not fixed upstream either, but there's a mitigation for them.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

In ntpd before 4.2.8p6, when used with symmetric key encryption, the client
would accept packets encrypted with keys for any configured server, allowing
a server to impersonate other servers to clients, thus performing a man-in-
the-middle attack. A server can be attacked by a client in a similar manner
(CVE-2015-7974).

A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc
reslist' commands that queried restriction lists with a large amount of
entries. A remote attacker could use this flaw to crash the ntpd process
(CVE-2015-7977).

A stack-based buffer overflow was found in the way ntpd processed 'ntpdc
reslist' commands that queried restriction lists with a large amount of
entries. A remote attacker could use this flaw to crash the ntpd process
(CVE-2015-7978).

It was found that when NTP is configured in broadcast mode, an off-path
attacker could broadcast packets with bad authentication (wrong key,
mismatched key, incorrect MAC, etc) to all clients. The clients, upon
receiving the malformed packets, would break the association with the
broadcast server. This could cause the time on affected clients to become
out of sync over a longer period of time (CVE-2015-7979).

A faulty protection against spoofing and replay attacks allows an attacker to
disrupt synchronization with kiss-of-death packets, take full control of the
clock, or cause ntpd to crash (CVE-2015-8138).

A flaw was found in the way the ntpq client certain processed incoming packets
in a loop in the getresponse() function. A remote attacker could potentially
use this flaw to crash an ntpq client instance (CVE-2015-8158).

The ntp package has been patched to fix these issues and a few other bugs.

Note that there are still some unfixed issues.  Two of those issues,
CVE-2015-8139 and CVE-2015-8140, are vulnerabilities to spoofing and replay
attacks that can be mitigated by either adding the noquery option to all
restrict entries in ntp.conf, configuring ntpd to get time from multiple
sources, or using a restriction list to limit who is allowed to issue ntpq
and ntpdc queries.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158
https://github.com/ntp-project/ntp/commit/71a962710bfe066f76da9679cf4cfdeffe34e95e
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://www.talosintel.com/reports/TALOS-2016-0071/
http://www.talosintel.com/reports/TALOS-2016-0074/
http://www.talosintel.com/reports/TALOS-2016-0075/
http://www.talosintel.com/reports/TALOS-2016-0076/
http://www.talosintel.com/reports/TALOS-2016-0077/
http://www.talosintel.com/reports/TALOS-2016-0080/
https://bugzilla.redhat.com/show_bug.cgi?id=1297471
https://bugzilla.redhat.com/show_bug.cgi?id=1299442
https://bugzilla.redhat.com/show_bug.cgi?id=1300269
https://bugzilla.redhat.com/show_bug.cgi?id=1300270
https://bugzilla.redhat.com/show_bug.cgi?id=1300271
https://bugzilla.redhat.com/show_bug.cgi?id=1300273
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-24.4.mga5
ntp-client-4.2.6p5-24.4.mga5
ntp-doc-4.2.6p5-24.4.mga5

from ntp-4.2.6p5-24.4.mga5.src.rpm

Reproducible: 

Steps to Reproduce:

Comment 1 David Walser 2016-01-25 02:56:02 CET

Notes to QA:

1) CVE-2015-8138 is the high severity issue.
2) Do not list CVE-2015-8139 or CVE-2015-8140 in the CVE list in the advisory in SVN, as we're not fixing those, only listing a mitigation.

Other issues from the upstream advisory not fixed in this update...

Do not affect us (only affect 4.2.8):
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975
http://www.talosintel.com/reports/TALOS-2016-0072/
https://bugzilla.redhat.com/show_bug.cgi?id=1300267

Do affect us, but still not fixed:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976
http://www.talosintel.com/reports/TALOS-2016-0070/
http://www.talosintel.com/reports/TALOS-2016-0073/
https://bugzilla.redhat.com/show_bug.cgi?id=1300266
https://bugzilla.redhat.com/show_bug.cgi?id=1300268

Comment 2 David Walser 2016-01-25 03:02:43 CET

Additional statement for the advisory about the unfixed issues:

Additionally, the other unfixed issues can also be mitigated.  CVE-2015-7973,
a replay attack issue, can be mitigated by not using broadcast mode, and
CVE-2015-7976, a bug that can cause globbing issues on the server, can be
mitigated by restricting use of the "saveconfig" command with the "restrict
nomodify" directive.

Comment 3 Len Lawrence 2016-01-25 10:10:30 CET

mga5  x86_64  Mate

Experimented with ntp and the hardware clock before updating but failed to fins a way to affect the system time.  Example follows.

# systemctl stop ntpd.service                    # OK

[root@vega lcl]# hwclock -r
Mon 25 Jan 2016 08:34:35 GMT  -0.937759 seconds
[root@vega lcl]# hwclock --set --date="2016-01-25 07:09:10"
[root@vega lcl]# hwclock -r
Mon 25 Jan 2016 07:09:59 GMT  -0.285900 seconds
[root@vega lcl]# hwclock --hctosys
[root@vega lcl]#  hwclock -r
Mon 25 Jan 2016 07:14:31 GMT  -0.812774 seconds

This had no effect on the time displayed in the panel which continued updating to the actual time (UT).

Resynced with the hardware clock:
# hwclock --hctosys

Conclusion = no simple way to test this.

Installed the update candidate packages and enabled the ntpd service.  The time certainly looks correct.  The hardware clock agrees to the second with my radio clock which is also in sync with the displayed time.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2016-01-25 13:47:27 CET

mga5  i586 virtualbox  Mate

Replaced the incumbent ntp with the update candidate and cheked that the ntp daemon was running.  It was.  The system time agrees with the hardware clock to a fifth of a second and they keep in time with my radio-controlled clock.

Looks good.

Len Lawrence 2016-01-25 13:48:37 CET

Whiteboard: (none) => MGA5-64-OK MGA5-32-OK

Comment 5 David Walser 2016-01-25 20:29:38 CET

RedHat has issued an advisory for the most serious issue, CVE-2015-8138:
https://rhn.redhat.com/errata/RHSA-2016-0063.html

from http://lwn.net/Vulnerabilities/673451/

Dave Hodgins 2016-01-26 18:20:01 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-01-29 12:03:46 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0039.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-01-29 20:43:39 CET

URL: (none) => http://lwn.net/Vulnerabilities/674069/

Comment 7 David Walser 2016-02-01 17:12:24 CET

Fedora has issued an advisory for this on January 30:
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html

Comment 8 David Walser 2016-02-24 18:31:09 CET

(In reply to David Walser from comment #1)
> Do not affect us (only affect 4.2.8):
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975
> http://www.talosintel.com/reports/TALOS-2016-0072/
> https://bugzilla.redhat.com/show_bug.cgi?id=1300267
> 
> Do affect us, but still not fixed:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976
> http://www.talosintel.com/reports/TALOS-2016-0070/
> http://www.talosintel.com/reports/TALOS-2016-0073/
> https://bugzilla.redhat.com/show_bug.cgi?id=1300266
> https://bugzilla.redhat.com/show_bug.cgi?id=1300268

LWN reference:
http://lwn.net/Vulnerabilities/677115/

Comment 9 David Walser 2016-04-29 20:28:10 CEST

LWN reference for CVE-2015-8139 and CVE-2015-8140:
http://lwn.net/Vulnerabilities/685493/