Bug 19843 - ntp new security issues (October 2016 upstream advisory)
Summary: ntp new security issues (October 2016 upstream advisory)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/707217/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-25 19:36 CET by David Walser
Modified: 2016-12-08 08:34 CET (History)
4 users

See Also:
Source RPM: ntp-4.2.6p5-24.6.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-11-25 19:36:29 CET
Upstream has issued an advisory on November 21:
http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se

Patches added from Fedora, except CVE-2016-7433 which seems to not affect us but does affect them for some reason.  The other missing CVEs from upstream appear to only affect newer versions of ntp.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

When ntpd is configured with rate limiting for all associations (restrict
default limited in ntp.conf), the limits are applied also to responses received
from its configured sources. An attacker who knows the sources (e.g., from an
IPv4 refid in server response) and knows the system is (mis)configured in this
way can periodically send packets with spoofed source address to keep the rate
limiting activated and prevent ntpd from accepting valid responses from its
sources (CVE-2016-7426).

When ntpd receives a server response on a socket that corresponds to a
different interface than was used for the request, the peer structure is
updated to use the interface for new requests. If ntpd is running on a host
with multiple interfaces in separate networks and the operating system doesn't
check the source address in received packets (e.g. rp_filter on Linux is set to
0), an attacker who knows the address of the source can send a packet with a
spoofed source address which will cause ntpd to select the wrong interface for the
source and prevent it from sending new requests until the list of interfaces
is refreshed, which happens on routing changes or every 5 minutes by default.
If the attack is repeated often enough (once per second), ntpd will not be
able to synchronize with the source (CVE-2016-7429).

An exploitable configuration modification vulnerability exists in the control
mode (mode 6) functionality of ntpd. If, against long-standing BCP
recommendations, "restrict default noquery ..." is not specified, a specially
crafted control mode packet can set ntpd traps, providing information
disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate
monitoring. A remote, unauthenticated, network attacker can trigger this
vulnerability (CVE-2016-9310).

If trap service, disabled by default, has been explicitly enabled, an attacker
can send a specially crafted packet to cause a null pointer dereference that
will crash ntpd, resulting in a denial of service (CVE-2016-9311).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311
https://bugzilla.redhat.com/show_bug.cgi?id=1397345
https://bugzilla.redhat.com/show_bug.cgi?id=1397341
https://bugzilla.redhat.com/show_bug.cgi?id=1397319
https://bugzilla.redhat.com/show_bug.cgi?id=1398350
http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-24.7.mga5
ntp-client-4.2.6p5-24.7.mga5
ntp-doc-4.2.6p5-24.7.mga5

from ntp-4.2.6p5-24.7.mga5.src.rpm
David Walser 2016-11-25 19:37:06 CET

Version: Cauldron => 5
Source RPM: ntp-4.2.6p5-31.mga6.src.rpm => ntp-4.2.6p5-24.6.mga5.src.rpm
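As an added defender-side check (written for this page, not part of the bug report, Fedora's patches or the ntp project), this script flags the ntp.conf settings and host state the advisory names: "restrict default limited" (CVE-2016-7426), a missing "noquery" on the default restriction (CVE-2016-9310), rp_filter=0 (CVE-2016-7429), and an explicit trap directive (CVE-2016-9311; it is an assumption that a "trap" line is what enables the trap service). Both sample configurations are constructed.

```python
import re
RP_FILTER_PATH = "/proc/sys/net/ipv4/conf/all/rp_filter"   # Linux sysctl file
# Constructed sample configurations (not taken from the bug report).
WEAK_CONF = """\
server 0.pool.ntp.org
restrict default limited kod      # rate-limits every association, no noquery
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

def default_restrict_flags(conf_text):
    """Return (seen, flags) gathered from 'restrict [-4|-6] default ...' lines."""
    seen, flags = False, set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()            # strip comments
        m = re.match(r"restrict\s+(?:-[46]\s+)?default\b(.*)", line)
        if m:
            seen = True
            flags.update(m.group(1).split())
    return seen, flags

def audit(conf_text, rp_filter):
    """Return findings for the advisory's settings; rp_filter is the sysctl int or None."""
    findings = []
    seen, flags = default_restrict_flags(conf_text)
    if "limited" in flags:          # rate limit also hits replies from own sources
        findings.append("CVE-2016-7426: 'restrict default limited' set")
    if not seen or "noquery" not in flags:   # no restrict line at all = unrestricted
        findings.append("CVE-2016-9310: 'restrict default noquery' missing")
    if rp_filter == 0:              # kernel does not check source address
        findings.append("CVE-2016-7429: rp_filter=0 on this host")
    # Assumption: an explicit 'trap' directive is what enables the trap service.
    if re.search(r"^\s*trap\b", conf_text, re.M):
        findings.append("CVE-2016-9311: trap service explicitly enabled")
    return findings

def read_rp_filter(path=RP_FILTER_PATH):
    try:
        with open(path) as f:
            return int(f.read().strip())
    except OSError:
        return None                                     # not Linux or unreadable

if __name__ == "__main__":
    with open("/etc/ntp.conf") as f:
        print("\n".join(audit(f.read(), read_rp_filter()) or ["no findings"]))
```

Run it on a host as root to audit /etc/ntp.conf; the updated packages remove the code paths, but the noquery and rp_filter findings remain worth fixing regardless of ntp version.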

Comment 1 Len Lawrence 2016-11-26 21:23:39 CET
Testing on x86_64 real hardware.
The backlinks lead to descriptions of the problems or deal with bug reporting infrastructure; nothing useful for QA as far as I can see.

Installed the updates and restarted ntpd then kept an eye on the Mate panel clock.
# systemctl restart ntpd
# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since Sat 2016-11-26 20:15:30 GMT; 8s ago
  Process: 20495 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 20497 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─20497 /usr/sbin/ntpd -u ntp:ntp -g

Nov 26 20:15:30 belexeuli ntpd[20497]: Listen and drop on 1 v6wildcard :: U...23
Nov 26 20:15:30 belexeuli ntpd[20497]: Listen normally on 2 lo 127.0.0.1 UDP 123
Nov 26 20:15:30 belexeuli ntpd[20497]: Listen normally on 3 enp2s0 192.168....23
Nov 26 20:15:30 belexeuli ntpd[20497]: Listen normally on 4 lo ::1 UDP 123
Nov 26 20:15:30 belexeuli ntpd[20497]: Listen normally on 5 enp2s0 fe80::1a...23
Nov 26 20:15:30 belexeuli ntpd[20497]: peers refreshed
Nov 26 20:15:30 belexeuli ntpd[20497]: Listening on routing socket on fd #2...es
Nov 26 20:15:30 belexeuli ntpd[20497]: 0.0.0.0 c016 06 restart
Nov 26 20:15:30 belexeuli ntpd[20497]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Nov 26 20:15:30 belexeuli ntpd[20497]: 0.0.0.0 c011 01 freq_not_set
Hint: Some lines were ellipsized, use -l to show in full.

Clock ticking nicely.  Checked timestamp on new file - OK.

Saying OK but leaving it open for comments.

CC: (none) => tarazed25

Len Lawrence 2016-11-26 21:23:58 CET

Whiteboard: (none) => MGA5-64-OK

Comment 2 Lewis Smith 2016-11-26 21:35:07 CET
The advisory from Comment 0 uploaded.

CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 3 David Walser 2016-12-07 15:07:05 CET
Working fine on Mageia 5 i586.  This can be validated.
David Walser 2016-12-07 17:27:13 CET

Whiteboard: MGA5-64-OK advisory => MGA5-32-OK MGA5-64-OK advisory

youpburden 2016-12-07 21:06:52 CET

Keywords: (none) => validated_update
CC: (none) => youpburden, sysadmin-bugs

Comment 4 Mageia Robot 2016-12-08 08:34:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0414.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

