Upstream has issued an advisory on January 19:
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit

Fedora has backported fixes for some, but not all of these issues, and two of the issues were not fixed upstream either, but there's a mitigation for them.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

In ntpd before 4.2.8p6, when used with symmetric key encryption, the client would accept packets encrypted with keys for any configured server, allowing a server to impersonate other servers to clients, thus performing a man-in-the-middle attack. A server can be attacked by a client in a similar manner (CVE-2015-7974).

A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process (CVE-2015-7977).

A stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process (CVE-2015-7978).

It was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. This could cause the time on affected clients to become out of sync over a longer period of time (CVE-2015-7979).

A faulty protection against spoofing and replay attacks allows an attacker to disrupt synchronization with kiss-of-death packets, take full control of the clock, or cause ntpd to crash (CVE-2015-8138).

A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance (CVE-2015-8158).

The ntp package has been patched to fix these issues and a few other bugs.

Note that there are still some unfixed issues. Two of those issues, CVE-2015-8139 and CVE-2015-8140, are vulnerabilities to spoofing and replay attacks that can be mitigated by either adding the noquery option to all restrict entries in ntp.conf, configuring ntpd to get time from multiple sources, or using a restriction list to limit who is allowed to issue ntpq and ntpdc queries.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158
https://github.com/ntp-project/ntp/commit/71a962710bfe066f76da9679cf4cfdeffe34e95e
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://www.talosintel.com/reports/TALOS-2016-0071/
http://www.talosintel.com/reports/TALOS-2016-0074/
http://www.talosintel.com/reports/TALOS-2016-0075/
http://www.talosintel.com/reports/TALOS-2016-0076/
http://www.talosintel.com/reports/TALOS-2016-0077/
http://www.talosintel.com/reports/TALOS-2016-0080/
https://bugzilla.redhat.com/show_bug.cgi?id=1297471
https://bugzilla.redhat.com/show_bug.cgi?id=1299442
https://bugzilla.redhat.com/show_bug.cgi?id=1300269
https://bugzilla.redhat.com/show_bug.cgi?id=1300270
https://bugzilla.redhat.com/show_bug.cgi?id=1300271
https://bugzilla.redhat.com/show_bug.cgi?id=1300273
========================

Updated packages in core/updates_testing:
========================

ntp-4.2.6p5-24.4.mga5
ntp-client-4.2.6p5-24.4.mga5
ntp-doc-4.2.6p5-24.4.mga5

from ntp-4.2.6p5-24.4.mga5.src.rpm
Notes to QA:

1) CVE-2015-8138 is the high severity issue.

2) Do not list CVE-2015-8139 or CVE-2015-8140 in the CVE list in the advisory in SVN, as we're not fixing those, only listing a mitigation.

Other issues from the upstream advisory not fixed in this update...

Do not affect us (only affect 4.2.8):
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975
http://www.talosintel.com/reports/TALOS-2016-0072/
https://bugzilla.redhat.com/show_bug.cgi?id=1300267

Do affect us, but still not fixed:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976
http://www.talosintel.com/reports/TALOS-2016-0070/
http://www.talosintel.com/reports/TALOS-2016-0073/
https://bugzilla.redhat.com/show_bug.cgi?id=1300266
https://bugzilla.redhat.com/show_bug.cgi?id=1300268
Additional statement for the advisory about the unfixed issues:

Additionally, the other unfixed issues can also be mitigated. CVE-2015-7973, a replay attack issue, can be mitigated by not using broadcast mode, and CVE-2015-7976, a bug that can cause globbing issues on the server, can be mitigated by restricting use of the "saveconfig" command with the "restrict nomodify" directive.
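A small audit of the mitigations named in the advisory and in the statement above (noquery on restrict entries, nomodify against saveconfig, no broadcast mode, several time sources), as an added example that is not part of the bug report or the ntp project; the two ntp.conf samples it checks are constructed, with one weak and one hardened:

```python
"""Audit an ntp.conf for the advisory's mitigations (noquery/nomodify on restrict
entries, no broadcast mode, several sources). Added example; configs constructed."""

WEAK_CONF = """\
restrict default nomodify notrap
server 0.pool.ntp.org iburst
broadcastclient
"""

HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
"""

def parse_conf(text):
    """Yield (keyword, args) per directive, dropping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]

def audit(text):
    """Return the missing mitigations as strings; an empty list means the config passes."""
    findings = []
    entries = list(parse_conf(text))
    restricts = [args for kw, args in entries if kw == "restrict"]
    if not restricts:
        findings.append("no restrict lines: ntpq/ntpdc queries are unrestricted")
    for args in restricts:
        if args and args[0] in ("-4", "-6"):  # address-family flag, not the target
            args = args[1:]
        target, flags = (args[0] if args else "?"), set(args[1:])
        if "noquery" not in flags:
            findings.append(f"restrict {target}: add noquery (CVE-2015-8139/8140)")
        if "nomodify" not in flags:
            findings.append(f"restrict {target}: add nomodify (CVE-2015-7976 saveconfig)")
    # CVE-2015-8139/8140 mitigation: take time from multiple sources
    sources = sum(1 for kw, _ in entries if kw in ("server", "peer", "pool"))
    if sources < 2:
        findings.append(f"only {sources} time source(s): configure several")
    # CVE-2015-7973/7979: broadcast mode is the exposed configuration
    for kw, _ in entries:
        if kw in ("broadcast", "broadcastclient", "multicastclient"):
            findings.append(f"{kw}: broadcast mode enabled")
    return findings
```

Run audit() over the contents of /etc/ntp.conf; the weak sample yields three findings and the hardened one none.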
mga5 x86_64 Mate

Experimented with ntp and the hardware clock before updating but failed to find a way to affect the system time. Example follows.

# systemctl stop ntpd.service # OK
[root@vega lcl]# hwclock -r
Mon 25 Jan 2016 08:34:35 GMT  -0.937759 seconds
[root@vega lcl]# hwclock --set --date="2016-01-25 07:09:10"
[root@vega lcl]# hwclock -r
Mon 25 Jan 2016 07:09:59 GMT  -0.285900 seconds
[root@vega lcl]# hwclock --hctosys
[root@vega lcl]# hwclock -r
Mon 25 Jan 2016 07:14:31 GMT  -0.812774 seconds

This had no effect on the time displayed in the panel, which continued updating to the actual time (UT).

Resynced with the hardware clock:
# hwclock --hctosys

Conclusion = no simple way to test this.

Installed the update candidate packages and enabled the ntpd service. The time certainly looks correct. The hardware clock agrees to the second with my radio clock, which is also in sync with the displayed time.
CC: (none) => tarazed25
mga5 i586 virtualbox Mate

Replaced the incumbent ntp with the update candidate and checked that the ntp daemon was running. It was. The system time agrees with the hardware clock to a fifth of a second and they keep in time with my radio-controlled clock. Looks good.
Whiteboard: (none) => MGA5-64-OK MGA5-32-OK
RedHat has issued an advisory for the most serious issue, CVE-2015-8138: https://rhn.redhat.com/errata/RHSA-2016-0063.html from http://lwn.net/Vulnerabilities/673451/
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0039.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/674069/
Fedora has issued an advisory for this on January 30: https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html
(In reply to David Walser from comment #1)
> Do not affect us (only affect 4.2.8):
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975
> http://www.talosintel.com/reports/TALOS-2016-0072/
> https://bugzilla.redhat.com/show_bug.cgi?id=1300267
>
> Do affect us, but still not fixed:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976
> http://www.talosintel.com/reports/TALOS-2016-0070/
> http://www.talosintel.com/reports/TALOS-2016-0073/
> https://bugzilla.redhat.com/show_bug.cgi?id=1300266
> https://bugzilla.redhat.com/show_bug.cgi?id=1300268

LWN reference:
http://lwn.net/Vulnerabilities/677115/
LWN reference for CVE-2015-8139 and CVE-2015-8140: http://lwn.net/Vulnerabilities/685493/