Bug 16322 - ntp new security issue CVE-2015-5146, CVE-2015-519[4-6], CVE-2015-5219
Summary: ntp new security issue CVE-2015-5146, CVE-2015-519[4-6], CVE-2015-5219
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/650404/
Whiteboard: MGA4TOO advisory MGA5-64-OK MGA4-32-O...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-07-07 20:17 CEST by David Walser
Modified: 2015-10-23 18:29 CEST (History)

See Also:
Source RPM: ntp-4.2.6p5-24.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-07-07 20:17:04 CEST
Upstream has issued an advisory in June:
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi

This is a very minor issue.  Basically, someone who has access from a remote machine to configure ntpd can also shut down (crash) ntpd.  Remote configuration is also not enabled by default.

The RedHat bug for this is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1238136

David Walser 2015-07-07 20:17:12 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO
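The description above points out that this flaw is only reachable by someone who already has remote configuration access to ntpd, and that such access is off by default. The following is an added example, not code from this bug report, Mageia or the ntp project, that audits an ntp.conf for exactly that exposure: it flags `restrict` lines for non-loopback sources that lack `nomodify` (the flag that makes ntpd refuse runtime reconfiguration requests) or `ignore`, and reports whether a `controlkey` is configured, since ntpq `:config` requests cannot authenticate without one. The two sample configurations are constructed, and treating loopback sources as acceptable is this example's own choice.

```python
"""Audit an ntp.conf for runtime-reconfiguration exposure.

Constructed example, not code from the bug report, Mageia or the ntp project.
The ':config' based issues in this bug all need an attacker who can send
authenticated configuration requests, so two things are checked:
  1. every 'restrict' line that can match a remote source carries 'nomodify'
     (or 'ignore'), which makes ntpd refuse runtime configuration requests;
  2. whether a 'controlkey' is configured at all, since without one ntpq
     ':config' cannot authenticate.
"""
from dataclasses import dataclass

# Assumption for this example: reconfiguration from the local host is acceptable.
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Finding:
    line_no: int
    text: str
    reason: str


def _restrict_flags(args):
    """Return (target, flags) for the arguments after the 'restrict' keyword."""
    if args and args[0] in ("-4", "-6"):       # optional address-family switch
        args = args[1:]
    if not args:
        return None, set()
    target, rest = args[0], args[1:]
    if rest[:1] == ["mask"]:                   # 'restrict 10.0.0.0 mask 255.0.0.0 ...'
        rest = rest[2:]
    return target, set(rest)


def audit_ntp_conf(text: str) -> list:
    """Return a list of Findings; an empty list means no exposure was detected."""
    findings = []
    controlkey_line = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "controlkey":
            controlkey_line = (no, raw.strip())
        elif tokens[0] == "restrict":
            target, flags = _restrict_flags(tokens[1:])
            if target is None or target in LOOPBACK:
                continue
            if not flags & {"nomodify", "ignore"}:
                findings.append(Finding(
                    no, raw.strip(),
                    f"restrict {target} permits runtime configuration (add nomodify)"))
    if controlkey_line:
        findings.append(Finding(
            controlkey_line[0], controlkey_line[1],
            "controlkey set: ntpq :config can authenticate; confirm every "
            "remote restrict line carries nomodify"))
    return findings


# Constructed sample: the LAN restrict line allows runtime reconfiguration and a
# control key exists, so both prerequisites for the :config issues are present.
SAMPLE_WEAK = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 notrap   # LAN admins can reconfigure
keys /etc/ntp/keys
trustedkey 1
controlkey 1
server 0.pool.ntp.org iburst
"""

# Constructed sample: every non-loopback restrict line has nomodify, no controlkey.
SAMPLE_HARDENED = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 0.pool.ntp.org iburst
"""

if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"== {name} ==")
        for f in audit_ntp_conf(conf):
            print(f"line {f.line_no}: {f.text}\n    {f.reason}")
```

Run it against a real file with `audit_ntp_conf(open("/etc/ntp.conf").read())`; the weak sample yields two findings (the LAN `restrict` line and the `controlkey` line) and the hardened sample yields none.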

Comment 1 David Walser 2015-08-25 13:42:43 CEST
A few more minor security issues in ntp have been announced:
http://openwall.com/lists/oss-security/2015/08/25/3

Fixes are linked in the message above.

Summary: ntp new security issue CVE-2015-5146 => ntp new security issue CVE-2015-5146, CVE-2015-519[4-6], CVE-2015-5219

Comment 2 David Walser 2015-09-02 19:40:23 CEST
Fedora has submitted an update for these issues to their QA:
https://bodhi.fedoraproject.org/updates/ntp-4.2.6p5-33.fc22

Advisory:
========================

Updated audit packages fix security vulnerability:

A flaw was found in the way ntpd processed certain remote configuration
packets. An attacker could use a specially crafted packet to cause ntpd to
crash if the attacker had authenticated access to remote ntpd configuration
(CVE-2015-5146).

It was found that ntpd could crash due to an uninitialized variable when
processing malformed logconfig configuration commands, for example,
ntpq -c ":config logconfig a" (CVE-2015-5194).

It was found that ntpd exits with a segmentation fault when a statistics
type that was not enabled during compilation (e.g. timingstats) is
referenced by the statistics or filegen configuration command, for example,
ntpq -c ':config statistics timingstats'
ntpq -c ':config filegen timingstats' (CVE-2015-5195).

It was found that the :config command can be used to set the pidfile and
driftfile paths without any restrictions. A remote attacker could use
this flaw to overwrite a file on the file system with a file containing
the pid of the ntpd process (immediately) or the current estimated drift
of the system clock (in hourly intervals). For example,
ntpq -c ':config pidfile /tmp/ntp.pid'
ntpq -c ':config driftfile /tmp/ntp.drift' (CVE-2015-5196).

It was discovered that sntp would hang in an infinite loop when a
crafted NTP packet was received, related to the conversion of the
precision value in the packet to double (CVE-2015-5219).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5219
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi
http://openwall.com/lists/oss-security/2015/08/25/3
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-15.6.mga4
ntp-client-4.2.6p5-15.6.mga4
ntp-doc-4.2.6p5-15.6.mga4
ntp-4.2.6p5-24.1.mga5
ntp-client-4.2.6p5-24.1.mga5
ntp-doc-4.2.6p5-24.1.mga5

from SRPMS:
ntp-4.2.6p5-15.6.mga4.src.rpm
ntp-4.2.6p5-24.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
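The last item in the advisory above describes sntp hanging on a crafted packet while converting the precision field to a double. As an added example, not sntp's or the ntp project's code, the following parses the 48-byte NTP packet header and converts the 8-bit signed precision field with `math.ldexp`, which takes constant time for any of the 256 possible values, so the untrusted field can never drive a loop count. It also flags precision values outside a plausible range; the bounds of -32..0 and the constructed packet builder are this example's own assumptions.

```python
"""Parse an NTP packet header and convert precision without an input-driven loop.

Constructed example; not sntp's or the ntp project's code. The header layout
follows RFC 5905: LI/VN/mode byte, stratum, poll (int8), precision (int8),
then eleven 32-bit words (root delay, root dispersion, reference id and the
four 64-bit timestamps).
"""
import math
import struct
from dataclasses import dataclass

NTP_HEADER = struct.Struct("!BBbb11I")
HEADER_LEN = NTP_HEADER.size  # 48 bytes

# Assumption for this example: a precision of 2^0 s or coarser, or finer than
# 2^-32 s, is not something a real clock reports and is worth flagging.
PRECISION_MIN, PRECISION_MAX = -32, 0


@dataclass
class NtpHeader:
    leap: int
    version: int
    mode: int
    stratum: int
    poll: int
    precision: int              # log2 seconds, exactly as received
    precision_seconds: float    # 2 ** precision
    suspicious: list            # human-readable reasons, empty if none


def precision_to_seconds(precision: int) -> float:
    """2 ** precision, computed in one step regardless of the value."""
    if not -128 <= precision <= 127:
        raise ValueError("precision must be an 8-bit signed value")
    return math.ldexp(1.0, precision)


def parse_ntp_header(data: bytes) -> NtpHeader:
    if len(data) < HEADER_LEN:
        raise ValueError(f"short packet: {len(data)} bytes, need {HEADER_LEN}")
    li_vn_mode, stratum, poll, precision, *_ = NTP_HEADER.unpack_from(data)
    leap = li_vn_mode >> 6
    version = (li_vn_mode >> 3) & 0x7
    mode = li_vn_mode & 0x7
    suspicious = []
    if version not in (3, 4):
        suspicious.append(f"unexpected version {version}")
    if mode != 4:
        suspicious.append(f"mode {mode} is not a server reply")
    if not PRECISION_MIN <= precision <= PRECISION_MAX:
        suspicious.append(f"implausible precision {precision}")
    return NtpHeader(leap, version, mode, stratum, poll, precision,
                     precision_to_seconds(precision), suspicious)


def build_packet(precision: int, mode: int = 4, version: int = 4,
                 stratum: int = 2, poll: int = 6) -> bytes:
    """Constructed server reply with zeroed timestamps, used only for testing."""
    return NTP_HEADER.pack((version << 3) | mode, stratum, poll, precision,
                           *([0] * 11))


if __name__ == "__main__":
    for p in (-20, -128, 127):
        h = parse_ntp_header(build_packet(p))
        print(f"precision {p:5d} -> {h.precision_seconds:.3e} s  {h.suspicious}")
```

The benign packet (precision -20) parses cleanly, while the extreme values -128 and 127 are converted just as quickly and merely reported as implausible; a receiver that wants to be strict can discard a reply with a non-empty `suspicious` list.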

Comment 3 Shlomi Fish 2015-09-07 19:14:14 CEST
Hi! I'm going to test this update on (in rough order):

* MGA5-64
* MGA4-32
* MGA5-32
* MGA4-64

All on VBox VMs.

CC: (none) => shlomif

Comment 4 Shlomi Fish 2015-09-07 19:26:57 CEST
Marking as MGA5-64-OK.

Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK

Comment 5 Shlomi Fish 2015-09-07 19:31:40 CEST
Marking as MGA4-32-OK.

Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK MGA4-32-OK

Comment 6 Shlomi Fish 2015-09-07 19:35:40 CEST
Marking as MGA5-32-OK.

Whiteboard: MGA4TOO MGA5-64-OK MGA4-32-OK => MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK

Comment 7 Shlomi Fish 2015-09-07 19:45:55 CEST
Marking as MGA4-64-OK. I think the update can be validated.

Whiteboard: MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK => MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK

Comment 8 Rémi Verschelde 2015-09-07 21:00:24 CEST
(In reply to Shlomi Fish from comment #7)
> I think the update can be validated.

Then feel free to do it by adding the validated_update keyword. It's not an issue if the advisory has not been uploaded yet; on the contrary, it makes the need for it more visible on madb.

Comment 9 Shlomi Fish 2015-09-07 21:20:32 CEST
(In reply to Rémi Verschelde from comment #8)
> (In reply to Shlomi Fish from comment #7)
> > I think the update can be validated.
> 
> Then feel free to do it by adding the validated_update keyword. It's not an
> issue if the advisory has not been uploaded yet, on the contrary it makes
> the need for it more visible on madb.

Done.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 claire robinson 2015-09-08 15:32:35 CEST
Advisory uploaded. s/audit/ntp/
claire robinson 2015-09-08 15:33:03 CEST

Whiteboard: MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK => MGA4TOO advisory MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK

Comment 11 Mageia Robot 2015-09-08 19:57:31 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0348.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 12 David Walser 2015-09-09 19:47:41 CEST
LWN reference for CVE-2015-5194 CVE-2015-5195 CVE-2015-5196 CVE-2015-5219:
http://lwn.net/Vulnerabilities/656982/

Comment 13 David Walser 2015-10-23 18:29:22 CEST
CVE-2015-5196 is now known as CVE-2015-7703:
http://openwall.com/lists/oss-security/2015/10/23/13
