Bug 23505 - ntp new security issue CVE-2018-12327
Summary: ntp new security issue CVE-2018-12327
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-31 19:11 CEST by David Walser
Modified: 2018-09-13 22:39 CEST

See Also:
Source RPM: ntp-4.2.8p11-1.1.mga6.src.rpm
CVE: CVE-2018-12327
Status comment:


Attachments
ntpdate fail systemctl code (27.16 KB, text/plain)
2018-09-06 19:40 CEST, William Kenney

Description David Walser 2018-08-31 19:11:24 CEST
Fedora has issued an advisory on August 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/437XM4CMBCMPK7D2RSEUZIRLFZD5ZNRD/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-31 19:11:29 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-09-01 09:06:53 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some who worked on ntp before.

Assignee: bugsquad => pkg-bugs
Source RPM: (none) => ntp
CC: (none) => guichard.adrien, guillomovitch, lists.jjorge, marja11

Comment 2 Nicolas Salguero 2018-09-05 09:39:07 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source. (CVE-2018-12327)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12327
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.8p12-1.mga6
ntp-perl-4.2.8p12-1.mga6
ntpdate-4.2.8p12-1.mga6
sntp-4.2.8p12-1.mga6
ntp-doc-4.2.8p12-1.mga6

from SRPMS:
ntp-4.2.8p12-1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Source RPM: ntp => ntp-4.2.8p11-1.1.mga6.src.rpm

Nicolas Salguero 2018-09-05 09:39:27 CEST

CVE: (none) => CVE-2018-12327

Thomas Backlund 2018-09-05 13:06:12 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 3 William Kenney 2018-09-06 18:56:13 CEST
In VirtualBox, M6, Mate, 64-bit

Test procedure per:

https://bugs.mageia.org/show_bug.cgi?id=22978#c9

Package(s) under test:
ntp ntpdate

default install of ntp & ntpdate

[root@localhost wilcal]# urpmi ntp
Package ntp-4.2.8p11-1.1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi ntpdate
Package ntpdate-4.2.8p11-1.1.mga6.x86_64 is already installed

[root@localhost wilcal]# systemctl stop ntpd
[root@localhost wilcal]# systemctl start ntpdate
[root@localhost wilcal]# systemctl status ntpdate
● ntpdate.service - Set time via NTP
   Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; disabled; vendor preset: enabled)
   Active: active (exited) since Thu 2018-09-06 09:43:33 PDT; 23s ago
  Process: 3859 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=0/SUCCESS)
 Main PID: 3859 (code=exited, status=0/SUCCESS)

Sep 06 09:43:30 localhost systemd[1]: Starting Set time via NTP...
Sep 06 09:43:33 localhost systemd[1]: Started Set time via NTP.

Packages work, time from network updated

install ntp & ntpdate from updates_testing

[root@localhost wilcal]# urpmi ntp
Package ntp-4.2.8p12-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi ntpdate
Package ntpdate-4.2.8p12-1.mga6.x86_64 is already installed

reboot system

[root@localhost wilcal]# systemctl stop ntpd
[root@localhost wilcal]# systemctl start ntpdate
[root@localhost wilcal]# systemctl status ntpdate
● ntpdate.service - Set time via NTP
   Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; disabled; vendor preset: enabled)
   Active: active (exited) since Thu 2018-09-06 09:51:56 PDT; 8s ago
  Process: 2912 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=0/SUCCESS)
 Main PID: 2912 (code=exited, status=0/SUCCESS)

Sep 06 09:51:53 localhost systemd[1]: Starting Set time via NTP...
Sep 06 09:51:56 localhost systemd[1]: Started Set time via NTP.

Packages work, time from network updated

Whiteboard: (none) => MGA6-64-OK
CC: (none) => wilcal.int

Comment 4 William Kenney 2018-09-06 19:39:15 CEST
In VirtualBox, M6, Mate, 32-bit

Test procedure per:

https://bugs.mageia.org/show_bug.cgi?id=22978#c9

Package(s) under test:
ntp ntpdate

default install of ntp & ntpdate

[root@localhost wilcal]# urpmi ntp
Package ntp-4.2.8p11-1.1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi ntpdate
Package ntpdate-4.2.8p11-1.1.mga6.i586 is already installed

[root@localhost wilcal]# systemctl stop ntpd
[root@localhost wilcal]# systemctl start ntpdate
[root@localhost wilcal]# systemctl status ntpdate
Job for ntpdate.service failed because the control process exited with error code.
See "systemctl status ntpdate.service" and "journalctl -xe" for details.
[root@localhost wilcal]# systemctl status ntpdate
● ntpdate.service - Set time via NTP
   Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-09-06 10:26:56 PDT; 31s ago
  Process: 4614 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=6)
 Main PID: 4614 (code=exited, status=6)........
 
Looks like I have a fail to start on this.
The "journalctl -xe" listing is attached as "ntpdate fail systemctl code"

Comment 5 William Kenney 2018-09-06 19:40:16 CEST
Created attachment 10357
ntpdate fail systemctl code

Comment 6 David Walser 2018-09-06 22:36:05 CEST
Make sure chronyd is stopped before starting ntpdate.

Comment 7 William Kenney 2018-09-07 01:16:49 CEST
(In reply to David Walser from comment #6)

> Make sure chronyd is stopped before starting ntpdate.

[root@localhost wilcal]# systemctl stop chronyd
[root@localhost wilcal]# systemctl stop ntpd
[root@localhost wilcal]# systemctl start ntpdate
Job for ntpdate.service failed because the control process exited with error code.
See "systemctl status ntpdate.service" and "journalctl -xe" for details.
[root@localhost wilcal]# systemctl status ntpdate
● ntpdate.service - Set time via NTP
   Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-09-06 16:12:34 PDT; 1min 6s ago
  Process: 6495 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=6)
 Main PID: 6495 (code=exited, status=6)

Sep 06 16:12:34 localhost systemd[1]: Starting Set time via NTP...
Sep 06 16:12:34 localhost ntpdate-wrapper[6495]: NTP server not specified in /etc/ntp/step-tickers or /etc/ntp.conf
Sep 06 16:12:34 localhost systemd[1]: ntpdate.service: Main process exited, code=exited, status=6/NOTCONFIGURED
Sep 06 16:12:34 localhost systemd[1]: Failed to start Set time via NTP.
Sep 06 16:12:34 localhost systemd[1]: ntpdate.service: Unit entered failed state.
Sep 06 16:12:34 localhost systemd[1]: ntpdate.service: Failed with result 'exit-code'.

Comment 8 David Walser 2018-09-07 01:19:20 CEST
It tells you the problem right there in the output.  You forgot to configure it.

Comment 9 William Kenney 2018-09-07 01:28:42 CEST
(In reply to David Walser from comment #8)

> It tells you the problem right there in the output.  You forgot to configure
> it.

Why does the 64-bit run without being configured while the 32-bit fails?

Comment 10 William Kenney 2018-09-07 01:29:04 CEST
I also have no idea how to configure this.

Comment 11 Len Lawrence 2018-09-07 01:59:59 CEST
This is what happens with the POC:

CVE-2018-12327
https://www.exploit-db.com/exploits/44909/

Before:
# ntpq -4 [`python -c 'print "A" * 300’`]
bash: command substitution: line 1: unexpected EOF while looking for matching `''
bash: command substitution: line 2: syntax error: unexpected end of file
Name or service not known
ntpq> quit

# ntpdc -4 [`python -c 'print "A" * 300'`]
Name or service not known
*** stack smashing detected ***: ntpdc terminated
[...]
7ffebd5f9000-7ffebd5fc000 r--p 00000000 00:00 0                          [vvar]
7ffebd5fc000-7ffebd5fe000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

Afterwards:
# ntpq -4 [`python -c 'print "A" * 300’`]
Same result as before.
# ntpdc -4 [`python -c 'print "A" * 300'`]
ntpdc: bad hostname/address: Invalid argument
ntpdc> quit

The second test dealt with the exploit cleanly.

CC: (none) => tarazed25
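
The behaviour seen in the "Afterwards" ntpdc run of comment 11 (a 300-character bracketed argument rejected with "Invalid argument" instead of overrunning a stack buffer), as an added C illustration that is not part of the original bug report and is not NTP's source code. `parse_host_arg` and `HOSTBUF_LEN` are hypothetical names, and the 64-byte buffer size is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define HOSTBUF_LEN 64  /* assumed size of the fixed stack buffer */

/* Copy the host part of a command-line argument ("host" or "[addr]")
 * into out[outlen]. Returns 0 on success; on malformed or over-long
 * input returns -1 with errno = EINVAL and leaves out untouched. */
int parse_host_arg(const char *arg, char *out, size_t outlen)
{
    const char *start = arg;
    size_t len = 0;
    int ok = (arg != NULL && out != NULL && outlen > 0);

    if (ok && *arg == '[') {
        const char *end = strchr(arg + 1, ']');
        /* Require a closing bracket with nothing after it. */
        ok = (end != NULL && end[1] == '\0');
        if (ok) {
            start = arg + 1;
            len = (size_t)(end - start);
        }
    } else if (ok) {
        len = strlen(arg);
    }
    /* The bound an unchecked copy lacks: reject, never truncate. */
    if (!ok || len == 0 || len >= outlen) {
        errno = EINVAL;
        return -1;
    }
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char host[HOSTBUF_LEN], arg[303];
    arg[0] = '[';                   /* constructed input: "[" + 300 'A' + "]" */
    memset(arg + 1, 'A', 300);
    arg[301] = ']';
    arg[302] = '\0';
    if (parse_host_arg(arg, host, sizeof host) != 0)
        perror("bad hostname/address");
    if (parse_host_arg("[::1]", host, sizeof host) == 0)
        printf("parsed: %s\n", host);
    return 0;
}
```
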

Comment 12 Len Lawrence 2018-09-07 02:30:04 CEST
@wilcal re comment 10.

Just tried the 64-bit after update and ntpdate did not start.  The journal indicated that there was a problem in /etc/ntp/step-tickers.
That file was empty but there was step-tickers.rpmnew so tried copying that.
# cp step-tickers.rpmnew step-tickers
# systemctl start ntpdate
[root@difda ntp]# systemctl status ntpdate
● ntpdate.service - Set time via NTP
   Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2018-09-07 01:26:36 BST; 8s ago
  Process: 20940 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=0/SUCCESS)
 Main PID: 20940 (code=exited, status=0/SUCCESS)

Sep 07 01:26:33 difda systemd[1]: Starting Set time via NTP...
Sep 07 01:26:36 difda systemd[1]: Started Set time via NTP.

So try that.

Comment 13 William Kenney 2018-09-11 18:57:11 CEST
Where do we stand on this?

Whiteboard: MGA6-64-OK => (none)

Comment 14 David Walser 2018-09-11 22:24:26 CEST
It works just fine if you configure it correctly.  /etc/ntp.conf and /etc/ntp/step-tickers are the config files.  I think our drak tools can even still configure it if chrony isn't installed.  I don't understand what your difficulty is.  ntpd hasn't changed in forever.

Whiteboard: (none) => MGA6-64-OK

Comment 15 Len Lawrence 2018-09-12 01:52:25 CEST
+1.  Just go ahead and OK it wilcal.

Comment 16 William Kenney 2018-09-12 01:58:42 CEST
It's outta here. Thanks guys

CC: (none) => sysadmin-bugs
Whiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update

Comment 17 Mageia Robot 2018-09-13 22:39:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0371.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

