[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-09:03.ntpd

Harlan Stenn stenn at ntp.org
Tue Jan 13 15:16:32 PST 2009


Good news/bad news.

The good news is that I like to think I did a better job describing this
problem than I have done in the past.

The bad news is that I think I did a pretty sucky job of describing this
problem in our report.

Y'all did a much better job of this than I did.

The NTP Project has had maybe 3 of these sort of issues in the past 15+
years, so I don't have much experience in dealing with writing the
announcements.

Might I be able to work with y'all on any future similar security
advisories so our security announcements are better?

H
-- 
Harlan Stenn <stenn at ntp.org>
http://ntpforum.isc.org  - be a member!
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> =============================================================================
> FreeBSD-SA-09:03.ntpd                                       Security Advisory
>                                                           The FreeBSD Project
> 
> Topic:          ntpd cryptographic signature bypass
> 
> Category:       contrib
> Module:         ntpd
> Announced:      2009-01-13
> Credits:        Google Security Team
> Affects:        All FreeBSD releases
> Corrected:      2009-01-13 21:19:27 UTC (RELENG_7, 7.1-STABLE)
>                 2009-01-13 21:19:27 UTC (RELENG_7_1, 7.1-RELEASE-p2)
>                 2009-01-13 21:19:27 UTC (RELENG_7_0, 7.0-RELEASE-p9)
>                 2009-01-13 21:19:27 UTC (RELENG_6, 6.4-STABLE)
>                 2009-01-13 21:19:27 UTC (RELENG_6_4, 6.4-RELEASE-p3)
>                 2009-01-13 21:19:27 UTC (RELENG_6_3, 6.3-RELEASE-p9)
> CVE Name:       CVE-2009-0021
> 
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
> 
> I.   Background
> 
> The ntpd daemon is an implementation of the Network Time Protocol
> (NTP) used to synchronize the time of a computer system to a reference
> time source.
> 
> FreeBSD includes software from the OpenSSL Project.  The OpenSSL
> Project is a collaborative effort to develop a robust,
> commercial-grade, full-featured Open Source toolkit implementing the
> Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> protocols as well as a full-strength general purpose cryptography
> library.
> 
> II.  Problem Description
> 
> The EVP_VerifyFinal() function from OpenSSL is used to determine if a
> digital signature is valid.  When ntpd(8) is set to cryptographically
> authenticate NTP data it incorrectly checks the return value from
> EVP_VerifyFinal().
> 
> III. Impact
> 
> An attacker who can send NTP packets to ntpd, which uses
> cryptographic authentication of NTP data, may be able to inject
> malicious time data causing the system clock to be set incorrectly.
> 
> IV.  Workaround
> 
> Use IP based restrictions in ntpd itself or in IP firewalls to
> restrict which systems can send NTP packets to ntpd.
> 
> NOTE WELL: If ntpd is not explicitly set to use cryptographic
> authentication of NTP data the setup is not vulnerable to the issue
> as described in this Security Advisory.
> 
> V.   Solution
> 
> NOTE WELL: Due to an error in building the updates, this fix is not
> available via freebsd-update at the time of this advisory.  We expect
> that this will be fixed within the next 48 hours.
> 
> Perform one of the following:
> 
> 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
> RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
> dated after the correction date.
> 
> 2) To patch your present system:
> 
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.0, and 7.1 systems.
> 
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> 
> [FreeBSD 6.4 and 7.1]
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch.asc
> 
> [FreeBSD 6.3 and 7.0]
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch.asc
> 
> b) Execute the following commands as root:
> 
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/usr.sbin/ntp/ntpd
> # make obj && make depend && make && make install
> # /etc/rc.d/ntpd restart
> 
> VI.  Correction details
> 
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
> 
> CVS:
> 
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_6
>   src/contrib/ntp/ntpd/ntp_crypto.c                           1.1.1.3.8.2
> RELENG_6_4
>   src/UPDATING                                             1.416.2.40.2.6
>   src/sys/conf/newvers.sh                                   1.69.2.18.2.9
>   src/contrib/ntp/ntpd/ntp_crypto.c                       1.1.1.3.8.1.2.1
> RELENG_6_3
>   src/UPDATING                                            1.416.2.37.2.14
>   src/sys/conf/newvers.sh                                  1.69.2.15.2.13
>   src/contrib/ntp/ntpd/ntp_crypto.c                          1.1.1.3.20.1
> RELENG_7
>   src/contrib/ntp/ntpd/ntp_crypto.c                          1.1.1.3.18.2
> RELENG_7_1
>   src/UPDATING                                             1.507.2.13.2.5
>   src/sys/conf/newvers.sh                                    1.72.2.9.2.6
>   src/contrib/ntp/ntpd/ntp_crypto.c                      1.1.1.3.18.1.2.1
> RELENG_7_0
>   src/UPDATING                                             1.507.2.3.2.13
>   src/sys/conf/newvers.sh                                   1.72.2.5.2.13
>   src/contrib/ntp/ntpd/ntp_crypto.c                          1.1.1.3.22.1
> - -------------------------------------------------------------------------
> 
> Subversion:
> 
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/6/                                                         r187194
> releng/6.4/                                                       r187194
> releng/6.3/                                                       r187194
> stable/7/                                                         r187194
> releng/7.1/                                                       r187194
> releng/7.0/                                                       r187194
> - -------------------------------------------------------------------------
> 
> VII. References
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:02.openssl.asc
> 
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:03.ntpd.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (FreeBSD)
> 
> iD8DBQFJbRUfFdaIBMps37IRAqdjAJ42YSH0bjaAJBEVyMM7/em/tu0xUQCfVPrs
> IrH0Qxo4slvboQHsy1PbkN4=
> =Q4rn
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"
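The advisory's Section II says only that ntpd "incorrectly checks the return value from EVP_VerifyFinal()". The security-relevant detail is the return contract of that OpenSSL function: 1 means the signature verified, 0 means it did not, and a negative value means an error occurred before verification could be decided (a malformed or mis-sized signature blob, for instance). A caller that treats "not zero" as success therefore accepts the error path as a valid signature. The following is an added illustration of that pattern, not code from ntpd, OpenSSL or the advisory: verify_final_model() is a stand-in that reproduces only the 1/0/-1 contract on top of a toy checksum (an assumption made so the example runs with no OpenSSL dependency), and accept_vulnerable()/accept_fixed() are hypothetical names for the two ways of checking the result. The message and key bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOY_SIG_LEN 4

/* 32-bit FNV-1a over a buffer, continuing from hash state h. */
uint32_t toy_fnv1a(const uint8_t *p, size_t n, uint32_t h)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Toy "signature" of msg under key: FNV-1a(key || msg), big-endian.
 * Assumption for the demo only; it is not a signature scheme, it just
 * gives the stand-in verifier something deterministic to compare. */
void toy_sign(const uint8_t *msg, size_t n, const uint8_t *key, size_t klen,
              uint8_t out[TOY_SIG_LEN])
{
    uint32_t h = toy_fnv1a(key, klen, 0x811c9dc5u);
    h = toy_fnv1a(msg, n, h);
    out[0] = (uint8_t)(h >> 24); out[1] = (uint8_t)(h >> 16);
    out[2] = (uint8_t)(h >> 8);  out[3] = (uint8_t)h;
}

/* Stand-in for EVP_VerifyFinal() that reproduces its return contract:
 *    1  signature verified
 *    0  signature present and well-formed, but did not verify
 *   -1  error before a verdict was reached (here: a signature whose
 *       length is not what the scheme produces, the analogue of a
 *       malformed signature blob handed to OpenSSL) */
int verify_final_model(const uint8_t *msg, size_t n, const uint8_t *key,
                       size_t klen, const uint8_t *sig, size_t siglen)
{
    uint8_t expect[TOY_SIG_LEN];
    uint8_t diff = 0;
    if (siglen != TOY_SIG_LEN)
        return -1;
    toy_sign(msg, n, key, klen, expect);
    for (size_t i = 0; i < TOY_SIG_LEN; i++)   /* constant-time compare */
        diff |= (uint8_t)(expect[i] ^ sig[i]);
    return diff == 0 ? 1 : 0;
}

/* Flawed acceptance test: anything other than 0 counts as success,
 * so the error return -1 is accepted as a verified signature. */
int accept_vulnerable(int rc) { return rc != 0; }

/* Corrected acceptance test: only the explicit success value passes. */
int accept_fixed(int rc) { return rc == 1; }

int main(void)
{
    static const uint8_t key[] = "constructed-demo-key";
    static const uint8_t msg[] = "constructed NTP payload";
    size_t klen = sizeof key - 1, mlen = sizeof msg - 1;
    uint8_t good[TOY_SIG_LEN], bad[TOY_SIG_LEN];
    uint8_t junk[TOY_SIG_LEN + 3] = {0};      /* wrong length: error path */

    toy_sign(msg, mlen, key, klen, good);
    memcpy(bad, good, TOY_SIG_LEN);
    bad[0] ^= 0xff;                            /* tampered: invalid path */

    const struct { const char *name; const uint8_t *sig; size_t len; } cases[] = {
        { "valid signature    ", good, TOY_SIG_LEN },
        { "tampered signature ", bad,  TOY_SIG_LEN },
        { "malformed signature", junk, sizeof junk },
    };
    for (size_t i = 0; i < 3; i++) {
        int rc = verify_final_model(msg, mlen, key, klen, cases[i].sig, cases[i].len);
        printf("%s rc=%2d  vulnerable check: %s  fixed check: %s\n",
               cases[i].name, rc,
               accept_vulnerable(rc) ? "ACCEPT" : "reject",
               accept_fixed(rc)      ? "ACCEPT" : "reject");
    }
    return 0;
}
```

Running it shows the malformed case (rc = -1) accepted by the "!= 0" style check and rejected by the "== 1" check; the tampered case is rejected by both. When auditing other callers of EVP_VerifyFinal (or of any API that returns 1/0/negative), grep for "!" and "!= 0" on the result: the only correct success test is equality with 1.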