Opened 10 years ago
Closed 10 years ago
#6379 closed enhancement (fixed)
ntp-4.2.8p2
Reported by: | Fernando de Oliveira | Owned by: | Fernando de Oliveira |
---|---|---|---|
Priority: | high | Milestone: | 7.8 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description (last modified by ) ¶
https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p2.tar.gz
Not yet announced, but the relese, yesterday, was planned:
http://lists.ntp.org/pipermail/announce/2015-April/000124.html
Update: News better to read at (txt):
http://bk1.ntp.org/ntp-stable/NEWS?PAGE=cat&REV=55238dcfGZNu25GhPofHJav8Hz9EvQ
April 2015 NTP Security Vulnerability Announcement
http://support.ntp.org/bin/view/Main/SecurityNotice#April_2015_NTP_Security_Vulnerab
Partially reproduced below
April 2015 NTP Security Vulnerability Announcement NTF's NTP Project has been notified of two vulnerabilities in the processing of crafted packets using private key authentication. These issues were discovered and reported by Miroslav Lichvar of Red Hat. Bug 2279: ntpd accepts unauthenticated packets with symmetric key crypto. Bug 2281: Authentication doesn't protect symmetric associations against DoS attacks. CERT and Mitre have been notified, and CVE/VU numbers have been assigned. NTP Consortium members at the Partner and Premier levels received access to patches that resolve these issues on 22 March 2015. These issues (along with other bugfixes and improvements) will be released on 7 April 2015 in ntp-4.2.8p2 . Timeline: 150407: ntp-4.2.8p2 released. 150329: pre-release patch availability announced to CERT. 150323: CERT assigns VU#374268 to these issues. 150322: pre-release patches sent to authorized NTP Consortium members. 150317: CVSS scoring collaboration requested. 150317: CERT notified. 150316: Red Hat provides CVE-2015-1798 for NtpBug2779 , and CVE-2015-2781 for NtpBug2781 . 150315: Advance notification sent to authorized NTP Consortium members. 150315: Mitre tells us to get the CVE numbers from Red Hat. 150313: CVE numbers requested from Mitre. 150306: Initial notification of 2779 and 2781. Analysis begins. ntpd accepts unauthenticated packets with symmetric key crypto. References: Sec 2779 / CVE-2015-1798 / VU#374268 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not including ntp-4.2.8p2 where the installation uses symmetric keys to authenticate remote associations. CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 ... Mitigation: Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page Configure ntpd with enough time sources and monitor it properly. Authentication doesn't protect symmetric associations against DoS attacks. References: Sec 2781 / CVE-2015-1799 / VU#374268 Affects: All NTP releases starting with at least xntp3.3wy up to but not including ntp-4.2.8p2 where the installation uses symmetric key authentication. CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 Note: the CVSS base Score for this issue could be 4.3 or lower, and it could be higher than 5.4. ... Mitigation: Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page Note that for users of autokey, this specific style of MITM attack is simply a long-known potential problem. Configure ntpd with appropriate time sources and monitor ntpd. Alert your staff if problems are detected.
Change History (4)
comment:1 by , 10 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 10 years ago
Description: | modified (diff) |
---|
comment:3 by , 10 years ago
comment:4 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Almost fixed at r15809.
It is recommended by the ntp developers that a cron job with three week frequency be created to update the leap-second definition file, with the new script update-leap.
They also recommend that for cron-friendly behavior, define CRONJOB=1 in the crontab.
I couldn't understand this sentence, even after searching in the internet and in the man pages..
Someone please, fix this and the text I've included in the configuration section, if necessary, perhaps including the necessary crontab lines, as we do in other pages.
Due to the medium security severity, I decided to update the page without further research or discussion.
Thanks.
I have been searching about the ntp checks and it seems that they are intended for its developers.
Going to replace ... make check ... by
This package does not come with a useful test suite.
Reason is it only pass through several directories and writes the message:
Nothing to be done for 'check-something'
before leaving each directory, exception for two checks.
First one:
where apparently set RLIMIT_MEMLOCK needs root privilege and don't think it is wise to allow it.
Second exception:
doesn't seem relevant.
Please, if someone thinks otherwise, please, either tell em or revert what I will do (also, please, give some explanation so people like me would learn from).