Bug 18617

Summary: ntp new security issues (June 2016 upstream advisory)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/690012/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Source RPM: ntp-4.2.6p5-24.5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-06-03 20:26:20 CEST 
Upstream has issued an advisory on June 2:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Fedora has updates for this currently on QA:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-89e0874533

Fedora has noted that CVE-2016-4953 was fixed with the patch for CVE-2016-1547.  Furthermore, we're not affected by CVE-2016-4957, as this was caused by upstream's fix for the same issue, but RedHat/Fedora's fix was better.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

ntpq and ntpdc disclose the origin timestamp to unauthenticated clients, which
may allow an attacker to impersonate a legitimate peer (CVE-2015-8139).

An attacker who is able to spoof packets with correct origin timestamps from
enough servers before the expected response packets arrive at the target
machine can affect some peer variables and, for example, cause a false leap
indication to be set (CVE-2016-4954).

An attacker who is able to spoof a packet with a correct origin timestamp
before the expected response packet arrives at the target machine can send a
CRYPTO_NAK or a bad MAC and cause the association's peer variables to be
cleared. If this can be done often enough, it will prevent that association
from working (CVE-2016-4955).

The fix for CVE-2016-1548 does not cover broadcast associations, so broadcast
clients can be triggered to flip into interleave mode (CVE-2016-4956).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-24.6.mga5
ntp-client-4.2.6p5-24.6.mga5
ntp-doc-4.2.6p5-24.6.mga5

from ntp-4.2.6p5-24.6.mga5.src.rpm
Comment 1 Len Lawrence 2016-06-04 10:01:35 CEST 
x86_64

Installed this yesterday.  Running with the default /etc/ntp.conf file and default settings.
$ systemctl status ntpd.service
â ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since Fri 2016-06-03 22:59:58 BST; 9h ago
 Main PID: 27056 (ntpd)
   CGroup: /system.slice/ntpd.service
           ââ27056 /usr/sbin/ntpd -u ntp:ntp -g

The -g option prevents a first time exit if the the time difference between the system clock and the NTP server is greater than the panic threshold.

The date command returns a time agreeing with a local radio-controlled clock.

Good for 64-bits.

CC: (none) => tarazed25

Len Lawrence 2016-06-04 10:01:54 CEST

Whiteboard: (none) => MGA5-64-OK

Len Lawrence 2016-06-04 10:10:10 CEST

Whiteboard: MGA5-64-OK => (none)

Comment 2 Len Lawrence 2016-06-04 10:26:06 CEST 
Paying more attention to the advisory...

Ran the ntpq and ntpdc commands in listing mode to ensure that they worked.

$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+hotel.zq1.de    122.227.206.195  3 u  873 1024  377   35.857   -0.269   0.727
*ntp1.ivlan.net  46.46.152.214    2 u  633 1024  377   70.572   -0.627   1.771
+admin2.debrecen 185.219.2.214    2 u  802 1024  377   52.409    0.619   3.115

$ sudo ntpdc -l
client    admin2.debrecen.hpc.niif.hu
client    hotel.zq1.de
client    ntp1.ivlan.net

$ sudo ntpdc -s
     remote           local      st poll reach  delay   offset    disp
=======================================================================
.admin2.debrecen 192.168.1.103    2 1024  377 0.05118  0.000156 0.12442
.hotel.zq1.de    192.168.1.103    3 1024  377 0.03584 -0.000269 0.13914
*ntp1.ivlan.net  192.168.1.103    2 1024  377 0.07056 -0.000627 0.13885

$ sudo ntpdc -c peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=admin2.debrecen 192.168.1.103    2 1024  377 0.05118  0.000156 0.12442
=hotel.zq1.de    192.168.1.103    3 1024  377 0.03584 -0.000269 0.13914
*ntp1.ivlan.net  192.168.1.103    2 1024  377 0.07047 -0.000063 0.12364
Len Lawrence 2016-06-04 10:26:33 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 3 Len Lawrence 2016-06-05 21:26:23 CEST 
Updating on 1586 virtualbox

# systemctl restart ntpd.service
# systemctl status ntpd.service
â ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since Sun 2016-06-05 20:16:52 BST; 17s ago
  Process: 5278 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 5280 (ntpd)
   CGroup: /system.slice/ntpd.service
           ââ5280 /usr/sbin/ntpd -u ntp:ntp -g

Jun 05 20:16:52 alkaid ntpd[5280]: Listen and drop on 1 v6wildcard :: UDP 123
Jun 05 20:16:52 alkaid ntpd[5280]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jun 05 20:16:52 alkaid ntpd[5280]: Listen normally on 3 enp0s3 192.168.1.10...23
Jun 05 20:16:52 alkaid ntpd[5280]: Listen normally on 4 lo ::1 UDP 123
Jun 05 20:16:52 alkaid ntpd[5280]: Listen normally on 5 enp0s3 fe80::a00:27...23
Jun 05 20:16:52 alkaid ntpd[5280]: peers refreshed
Jun 05 20:16:52 alkaid ntpd[5280]: Listening on routing socket on fd #22 fo...es
Jun 05 20:16:52 alkaid ntpd[5280]: 0.0.0.0 c016 06 restart
Jun 05 20:16:52 alkaid ntpd[5280]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Jun 05 20:16:52 alkaid ntpd[5280]: 0.0.0.0 c011 01 freq_not_set
Hint: Some lines were ellipsized, use -l to show in full.

Displayed time is correct.

$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 146.185.139.19  210.240.96.206   2 u   25   64    7   25.238    0.102   0.912
 mirror.muntinte 193.190.230.65   2 u   25   64    7   31.695    0.818   0.732
 ns1.rx-name.net 232.213.183.238  3 u   23   64    7   77.356    1.007   4.172
[lcl@alkaid ~]$ sudo ntpdc -l
client    ns1.rx-name.net
client    146.185.139.19
client    mirror.muntinternet.net
[lcl@alkaid ~]$ sudo ntpdc -s
     remote           local      st poll reach  delay   offset    disp
=======================================================================
 ns1.rx-name.net 192.168.1.109    3   64   17 0.07735  0.001007 0.96913
 146.185.139.19  192.168.1.109    2   64   17 0.02524  0.000102 0.96933
*mirror.muntinte 192.168.1.109    2   64   17 0.03140  0.000139 0.96870
[lcl@alkaid ~]$ sudo ntpdc -c peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=ns1.rx-name.net 192.168.1.109    3   64   17 0.07735  0.001007 0.96913
=146.185.139.19  192.168.1.109    2   64   17 0.02524  0.000102 0.96933
*mirror.muntinte 192.168.1.109    2   64   17 0.03140  0.000139 0.96870
Comment 4 Len Lawrence 2016-06-05 21:29:18 CEST 
It occurred to me that I might not have restarted the NTP daemon after updating.
# systemctl start ntpd.service
# systemctl status ntpd.service
â ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since Sun 2016-06-05 20:23:58 BST; 10s ago
  Process: 9365 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 9367 (ntpd)
   CGroup: /system.slice/ntpd.service
           ââ9367 /usr/sbin/ntpd -u ntp:ntp -g

Jun 05 20:23:58 difda ntpd[9367]: Listen and drop on 1 v6wildcard :: UDP 123
Jun 05 20:23:58 difda ntpd[9367]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jun 05 20:23:58 difda ntpd[9367]: Listen normally on 3 enp3s0 192.168.1.50 UDP 123
Jun 05 20:23:58 difda ntpd[9367]: Listen normally on 4 lo ::1 UDP 123
Jun 05 20:23:58 difda ntpd[9367]: Listen normally on 5 enp3s0 fe80::dacb:8aff:fe52:52b4 UDP 123
Jun 05 20:23:58 difda ntpd[9367]: peers refreshed
Jun 05 20:23:58 difda ntpd[9367]: Listening on routing socket on fd #22 for interface updates
Jun 05 20:23:58 difda ntpd[9367]: 0.0.0.0 c016 06 restart
Jun 05 20:23:58 difda ntpd[9367]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Jun 05 20:23:58 difda ntpd[9367]: 0.0.0.0 c011 01 freq_not_set
Len Lawrence 2016-06-05 21:30:42 CEST

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 5 Len Lawrence 2016-06-05 21:31:56 CEST 
Validating this.  Could someone from sysadmin please push to 5 updates.
Thanks.
Len Lawrence 2016-06-05 21:32:11 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

David Walser 2016-06-06 18:36:39 CEST

URL: (none) => http://lwn.net/Vulnerabilities/690012/

Dave Hodgins 2016-06-07 20:16:18 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

Comment 6 Mageia Robot 2016-06-07 23:40:43 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0219.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED