Bug 26851

Summary: ntp new security issue fixed upstream in 4.2.8p15 (CVE-2020-15025)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: ntp-4.2.8p14-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-06-23 17:09:16 CEST 
Upstream has issued an advisory today (June 23):
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Relea
http://support.ntp.org/bin/view/Main/NtpBug3661

The issue has been fixed in 4.2.8p15.

Mageia 7 is also affected.
David Walser 2020-06-23 17:09:31 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 4.2.8p15

Comment 1 Lewis Smith 2020-06-23 22:01:20 CEST 
Assigning to NicolasS as having done the most recent updates to this SRPM (which has no registered maintainer).

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2020-06-24 09:39:01 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Memory leak with CMAC keys.

References:
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Relea
http://support.ntp.org/bin/view/Main/NtpBug3661
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.8p15-1.mga7
ntp-perl-4.2.8p15-1.mga7.noarch.rpm
ntpdate-4.2.8p15-1.mga7
sntp-4.2.8p15-1.mga7
ntp-doc-4.2.8p15-1.mga7

from SRPMS:
ntp-4.2.8p15-1.mga7.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA7TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Status comment: Fixed upstream in 4.2.8p15 => (none)
Version: Cauldron => 7

Comment 3 Len Lawrence 2020-06-26 13:45:51 CEST 
mga7, x86_64

Before updates ntpd was available but not running.  Installed the packages which were missing then updated from testing.

Restarted the server then:
$ sudo systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled; vendor prese>
   Active: active (running) since Fri 2020-06-26 12:20:04 BST; 12s ago
  Process: 5887 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, stat>
 Main PID: 5889 (ntpd)
   Memory: 1.4M
   CGroup: /system.slice/ntpd.service
           └─5889 /usr/sbin/ntpd -u ntp:ntp -g

Jun 26 12:20:04 difda ntpd[5889]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Jun 26 12:20:04 difda ntpd[5889]: Listen normally on 2 lo 127.0.0.1:123
Jun 26 12:20:04 difda ntpd[5889]: Listen normally on 3 enp3s0 192.168.1.103:123
Jun 26 12:20:04 difda ntpd[5889]: Listen normally on 4 lo [::1]:123
Jun 26 12:20:04 difda ntpd[5889]: Listen normally on 5 enp3s0 [fe80::dacb:8aff:>
Jun 26 12:20:04 difda ntpd[5889]: Listening on routing socket on fd #22 for int>
Jun 26 12:20:04 difda ntpd[5889]: kernel reports TIME_ERROR: 0x41: Clock Unsync>
Jun 26 12:20:04 difda ntpd[5889]: kernel reports TIME_ERROR: 0x41: Clock Unsync>
Jun 26 12:20:04 difda systemd[1]: Started Network Time Service.
Jun 26 12:20:05 difda ntpd[5889]: Soliciting pool server 185.53.93.157

Used mcc to check the time and assign a pool server.

Restarted ntpd and observed that the pool server had changed:
...
Jun 26 12:40:04 difda systemd[1]: Started Network Time Service.
Jun 26 12:40:06 difda ntpd[9317]: Soliciting pool server 81.21.65.168

$ nslookup 81.21.65.168
168.65.21.81.in-addr.arpa	canonical name = 168.128-255.65.21.81.in-addr.arpa.
168.128-255.65.21.81.in-addr.arpa	name = ns3.turbodns.co.uk.

Could not get the hang of sntp.  Ran it at the cli to change the polling interval but it kept falling over on hostname.  Apart from that the service works fine.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2020-06-27 22:55:20 CEST 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 David Walser 2020-07-01 22:37:09 CEST 
SUSE has issued an advisory for this on June 30.  It has a CVE.

Suggested advisory:
========================

Updated ntp packages fix security vulnerability:

ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote
attackers to cause a denial of service (memory consumption) by sending packets,
because memory is not freed in situations where a CMAC key is used and
associated with a CMAC algorithm in the ntp.keys file (CVE-2020-15025).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15025
http://support.ntp.org/bin/view/Main/NtpBug3661
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Relea
https://lists.suse.com/pipermail/sle-security-updates/2020-June/007056.html

Summary: ntp new security issue fixed upstream in 4.2.8p15 => ntp new security issue fixed upstream in 4.2.8p15 (CVE-2020-15025)

Nicolas Lécureuil 2020-07-05 21:15:18 CEST

CC: (none) => mageia
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-07-05 21:49:36 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0281.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2020-07-07 22:59:03 CEST 
openSUSE claims this fixed CVE-2018-8956 as well:
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html