Opened 9 years ago

Closed 9 years ago

#6111 closed enhancement (fixed)

ntp-4.2.8p1

Reported by: Fernando de Oliveira
Owned by: Fernando de Oliveira
Priority: high
Milestone: 7.7
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p1.tar.gz

http://bk1.ntp.org/ntp-stable/NEWS?PAGE=cat&REV=54d1c740Z7zZXeitXmc7eEWlMi9U1w

NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04) 

Focus: Security and Bug fixes, enhancements.

Severity: HIGH
 
In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

    References: Sec 2671 / CVE-2014-9297 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
    Summary: The vallen packet value is not validated in several code
        paths in ntp_crypto.c which can lead to information leakage
        or perhaps a crash of the ntpd process.
    Mitigation - any of:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page.
        Disable Autokey Authentication by removing, or commenting out,
            all configuration directives beginning with the "crypto"
            keyword in your ntp.conf file.
    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team, with additional cases found by Sebastian
        Krahmer of the SUSE Security Team and Harlan Stenn of Network
        Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

    References: Sec 2672 / CVE-2014-9298 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1, under at least some
        versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
    Summary: While available kernels will prevent 127.0.0.1 addresses
        from "appearing" on non-localhost IPv4 interfaces, some kernels
        do not offer the same protection for ::1 source addresses on
        IPv6 interfaces. Since NTP's access control is based on source
        address and localhost addresses generally have no restrictions,
        an attacker can send malicious control and configuration packets
        by spoofing ::1 addresses from the outside. Note Well: This is
        not really a bug in NTP, it's a problem with some OSes. If you
        have one of these OSes where ::1 can be spoofed, ALL ::1-based
        ACL restrictions on any application can be bypassed!
    Mitigation:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        Install firewall rules to block packets claiming to come from
            ::1 from inappropriate network interfaces.
    Credit: This vulnerability was discovered by Stephen Roettger of
        the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.
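As an added example (not part of the ticket or of the NTP NEWS text quoted above), a small Python audit of an ntp.conf that flags the two things the advisory's mitigations hinge on: uncommented "crypto" directives (Autokey still in use, so the vallen issue applies before 4.2.8p1) and "restrict" entries that leave ::1 fully trusted (the access a spoofed ::1 source would inherit). The sample configuration is constructed; the restrict flag names are ntp's own.

```python
# Constructed sample ntp.conf (not from the ticket): line 4 trusts ::1
# fully, line 5 restricts it, line 6 is the commented-out mitigation and
# line 7 is an active "crypto" directive, i.e. Autokey is still enabled.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -4 127.0.0.1
restrict -6 ::1
restrict ::1 nomodify noquery
# crypto pw secret
crypto randfile /dev/urandom
server 0.pool.ntp.org iburst
"""

# restrict flags that stop a source from querying or reconfiguring ntpd
LIMITING_FLAGS = {"nomodify", "noquery", "ignore", "notrust"}


def directives(text):
    """Yield (lineno, tokens) for each non-empty line, comments stripped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line.split()


def active_crypto_lines(text):
    """Line numbers of uncommented 'crypto' directives (Autokey in use)."""
    return [n for n, tok in directives(text) if tok[0] == "crypto"]


def trusted_localhost6_lines(text):
    """Line numbers of 'restrict' entries that leave ::1 fully trusted,
    which is exactly the access a spoofed ::1 source would inherit."""
    hits = []
    for n, tok in directives(text):
        if tok[0] != "restrict":
            continue
        args = [t for t in tok[1:] if t not in ("-4", "-6")]  # drop family flag
        if not args or args[0] != "::1":
            continue
        if not set(args[1:]) & LIMITING_FLAGS:
            hits.append(n)
    return hits


if __name__ == "__main__":
    print("active crypto directives:", active_crypto_lines(SAMPLE_NTP_CONF))
    print("unrestricted ::1 entries:", trusted_localhost6_lines(SAMPLE_NTP_CONF))
```

A hit from the second check is only a real exposure on a kernel that lets ::1 arrive on a non-loopback interface, which is why the advisory pairs the upgrade with interface-aware firewall rules.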

Change History (2)

comment:1 by Fernando de Oliveira, 9 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 9 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r15454.
