ArchLinux: 201803-11: ntp: multiple issues
Summary
- CVE-2016-1549 (content spoofing)
A malicious authenticated peer can create arbitrarily-many ephemeral
associations in order to win the clock selection algorithm in ntpd in
NTP 4.2.8p4 and earlier and NTPsec
3e160db8dc248a0bcb053b56a80167dc742d2b74 and
a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.
- CVE-2018-7170 (content spoofing)
ntpd can be vulnerable to Sybil attacks. If a system is set up to use a
trustedkey and if one is not using the feature introduced in
ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
specify which IPs can serve time, a malicious authenticated peer -- i.e. one where the attacker knows the private symmetric key -- can
create arbitrarily-many ephemeral associations in order to win the
clock selection of ntpd and modify a victim's clock.
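As an added example, not part of the advisory or of the ntp project: a small Python audit that flags keys listed on ntp.conf `trustedkey` lines whose ntp.keys entry lacks the optional 4th (allowed source IP) field described above. The sample ntp.conf and ntp.keys contents are constructed, the `keyno type key [ips]` layout is an assumption taken from the advisory's description, and trustedkey ranges in ntp.conf are not parsed.

```python
"""Audit ntp.keys for trusted symmetric keys usable from any source address.
Assumed format (labelled assumption): `keyno type key [ips]`, the optional 4th
field being the ntp-4.2.8p6+ source restriction named in the advisory."""

# Constructed sample configuration, not taken from any real host.
NTP_CONF = """\
server 203.0.113.10 key 10
peer 203.0.113.20 key 20
trustedkey 10 20 30
"""

NTP_KEYS = """\
# keyno type key [allowed source IPs]   (constructed sample)
10 MD5 constructedpw10
20 SHA1 0123456789abcdef0123456789abcdef01234567 203.0.113.20
30 MD5 constructedpw30 198.51.100.0/24
40 MD5 unusedkey40
"""


def parse_trustedkeys(conf_text):
    """Collect key IDs from `trustedkey` lines (single IDs only; ranges ignored)."""
    trusted = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("trustedkey"):
            trusted.update(int(t) for t in line.split()[1:] if t.isdigit())
    return trusted


def audit_ntp_keys(keys_text, trusted_ids):
    """Return (lineno, keyid, message) for every trusted key lacking a 4th field.
    Such a key lets any holder of the shared secret authenticate from any
    address, the precondition for the CVE-2018-7170 association flood."""
    findings = []
    for lineno, raw in enumerate(keys_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            findings.append((lineno, None, "malformed key line"))
            continue
        keyid = int(fields[0])
        if keyid not in trusted_ids:
            continue  # an untrusted key cannot authenticate a peer
        if len(fields) == 3:
            findings.append((lineno, keyid, "trusted key usable from any source IP"))
    return findings
```

Running it against the constructed samples reports only key 10: keys 20 and 30 carry a source restriction and key 40 is not trusted.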
- CVE-2018-7182 (denial of service)
ctl_getitem() is used by ntpd to process incoming mode 6 packets. A
malicious mode 6 packet can be sent to an ntpd instance, and if the
ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will cause
ctl_getitem() to read past the end of its buffer.
- CVE-2018-7183 (arbitrary code execution)
ntpq is a monitoring and control program for ntpd. decodearr() is an
internal function of ntpq that is used to -- wait for it -- decode an
array in a response string when formatted data is being displayed. This
is a problem in affected versions of ntpq if a maliciously-altered ntpd
returns an array result that will trip this bug, or if a bad actor is
able to read an ntpq request on its way to a remote ntpd server and
forge and send a response before the remote ntpd sends its response.
It's potentially possible that the malicious data could become
injectable/executable code.
- CVE-2018-7184 (denial of service)
The fix for NtpBug2952 was incomplete, and while it fixed one problem
it created another. Specifically, it drops bad packets before updating
the "received" timestamp. This means a third-party can inject a packet
with a zero-origin timestamp, meaning the sender wants to reset the
association, and the transmit timestamp in this bogus packet will be
saved as the most recent "received" timestamp. The real remote peer
does not know this value and this will disrupt the association until
the association resets.
- CVE-2018-7185 (denial of service)
The NTP Protocol allows for both non-authenticated and authenticated
associations, in client/server, symmetric (peer), and several broadcast
modes. In addition to the basic NTP operational modes, symmetric mode
and broadcast servers can support an interleaved mode of operation. In
ntp-4.2.8p4 a bug was inadvertently introduced into the protocol engine
that allows a non-authenticated zero-origin (reset) packet to reset an
authenticated interleaved peer association. If an attacker can send a
packet with a zero-origin timestamp and the source IP address of the
"other side" of an interleaved association, the 'victim' ntpd will
reset its association. The attacker must continue sending these packets
in order to maintain the disruption of the association. In ntp-4.0.0
thru ntp-4.2.8p6, interleave mode could be entered dynamically. As of
ntp-4.2.8p7, interleaved mode must be explicitly configured/enabled.
Resolution
Upgrade to 4.2.8.p11-1.
# pacman -Syu "ntp>=4.2.8.p11-1"
The problems have been fixed upstream in version 4.2.8.p11.
References
https://www.ntp.org/support/securitynotice/ntpbug3012/
https://www.ntp.org/support/securitynotice/ntpbug3415/
https://www.ntp.org/support/securitynotice/ntpbug3412/
https://www.ntp.org/support/securitynotice/ntpbug3414/
https://www.ntp.org/support/securitynotice/ntpbug3453/
https://www.ntp.org/support/securitynotice/ntpbug3454/
https://security.archlinux.org/CVE-2016-1549
https://security.archlinux.org/CVE-2018-7170
https://security.archlinux.org/CVE-2018-7182
https://security.archlinux.org/CVE-2018-7183
https://security.archlinux.org/CVE-2018-7184
https://security.archlinux.org/CVE-2018-7185
Workaround
None.