Message-ID: <55DC3431.6000008@redhat.com>
Date: Tue, 25 Aug 2015 11:24:01 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Several low impact ntp.org ntpd issues

Miroslav Lichvár found several low-impact security issues in our ntp
branch, most of which have already been addressed upstream without
noting their security impact.

The first three issues require authentication. Considering the low
impact and the availability of upstream fixes for most of the issues,
we'd like to make the issues public as soon as possible, unless there
are any objections.

(Impact may be higher if ntpd runs with root privileges.)

* CVE-2015-5194
https://bugzilla.redhat.com/show_bug.cgi?id=1254542

It was found that ntpd could crash due to an uninitialized variable when
processing malformed logconfig configuration commands, for example:

ntpq -c ":config logconfig a"

Upstream fix:
<http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=4c4fc141LwvcoGp-lLGhkAFp3ZvtrA>
<https://github.com/ntp-project/ntp/commit/553f2fa65865c31c5e3c48812cfd46176cffdd27>

* CVE-2015-5195
https://bugzilla.redhat.com/show_bug.cgi?id=1254544

It was found that ntpd exits with a segmentation fault when a statistics
type that was not enabled during compilation (e.g. timingstats) is
referenced by the statistics or filegen configuration command, for example:

ntpq -c ':config statistics timingstats'
ntpq -c ':config filegen timingstats'

Upstream fix:
<http://bk.ntp.org/ntp-dev/?PAGE=patch&REV=4d253ed0A400LyhRQIV0u23NJwuGAA>
<https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be>

* CVE-2015-5196
https://bugzilla.redhat.com/show_bug.cgi?id=1254547

It was found that the :config command can be used to set the pidfile and
driftfile paths without any restrictions. A remote attacker could use
this flaw to overwrite a file on the file system with a file containing
the pid of the ntpd process (immediately) or the current estimated drift
of the system clock (in hourly intervals). For example:

ntpq -c ':config pidfile /tmp/ntp.pid'
ntpq -c ':config driftfile /tmp/ntp.drift'

No upstream fix, but Miroslav wrote the attached patch.

* CVE-2015-5219
https://bugzilla.redhat.com/show_bug.cgi?id=1255118

It was discovered that sntp would hang in an infinite loop when a
crafted NTP packet was received, related to the conversion of the
precision value in the packet to double.

Upstream fix:
http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=51786731Gr4-NOrTBC_a_uXO4wuGhg
https://github.com/ntp-project/ntp/commit/5f295cd05c3c136d39f5b3e500a2d781bdbb59c8

(Reported to the distros list and upstream last week, no request for an
embargo, hence public disclosure.)

--
Florian Weimer / Red Hat Product Security

[Attachment: "ntp-remotewrite.patch" (text/x-patch, 1727 bytes)]