[FreeBSD-Announce] FreeBSD Security Advisory
FreeBSD-SA-09:03.ntpd
Harlan Stenn
stenn at ntp.org
Tue Jan 13 15:16:32 PST 2009
Good news/bad news.
The good news is that I like to think I did a better job describing this
problem than I have done in the past.
The bad news is that I think I did a pretty sucky job of describing this
problem in our report.
Y'all did a much better job of this than I did.
The NTP Project has had maybe 3 of these sort of issues in the past 15+
years, so I don't have much experience in dealing with writing the
announcements.
Might I be able to work with y'all on any future similar security
advisories so our security announcements are better?
H
--
Harlan Stenn <stenn at ntp.org>
http://ntpforum.isc.org - be a member!
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:03.ntpd Security Advisory
> The FreeBSD Project
>
> Topic: ntpd cryptographic signature bypass
>
> Category: contrib
> Module: ntpd
> Announced: 2009-01-13
> Credits: Google Security Team
> Affects: All FreeBSD releases
> Corrected: 2009-01-13 21:19:27 UTC (RELENG_7, 7.1-STABLE)
> 2009-01-13 21:19:27 UTC (RELENG_7_1, 7.1-RELEASE-p2)
> 2009-01-13 21:19:27 UTC (RELENG_7_0, 7.0-RELEASE-p9)
> 2009-01-13 21:19:27 UTC (RELENG_6, 6.4-STABLE)
> 2009-01-13 21:19:27 UTC (RELENG_6_4, 6.4-RELEASE-p3)
> 2009-01-13 21:19:27 UTC (RELENG_6_3, 6.3-RELEASE-p9)
> CVE Name: CVE-2009-0021
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I. Background
>
> The ntpd daemon is an implementation of the Network Time Protocol
> (NTP) used to synchronize the time of a computer system to a reference
> time source.
>
> FreeBSD includes software from the OpenSSL Project. The OpenSSL
> Project is a collaborative effort to develop a robust,
> commercial-grade, full-featured Open Source toolkit implementing the
> Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> protocols as well as a full-strength general purpose cryptography
> library.
>
> II. Problem Description
>
> The EVP_VerifyFinal() function from OpenSSL is used to determine if a
> digital signature is valid. When ntpd(8) is set to cryptographically
> authenticate NTP data it incorrectly checks the return value from
> EVP_VerifyFinal().
>
> III. Impact
>
> An attacker which can send NTP packets to ntpd, which uses
> cryptographic authentication of NTP data, may be able to inject
> malicious time data causing the system clock to be set incorrectly.
>
> IV. Workaround
>
> Use IP based restrictions in ntpd itself or in IP firewalls to
> restrict which systems can send NTP packets to ntpd.
>
> NOTE WELL: If ntpd is not explicitly set to use cryptographic
> authentication of NTP data the setup is not vulnerable to the issue
> as described in this Security Advisory.
>
> V. Solution
>
> NOTE WELL: Due to an error in building the updates, this fix is not
> available via freebsd-update at the time of this advisory. We expect
> that this will be fixed within the next 48 hours.
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
> RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
> dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.0, and 7.1 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.4 and 7.1]
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch.asc
>
> [FreeBSD 6.3 and 7.0]
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/usr.sbin/ntp/ntpd
> # make obj && make depend && make && make install
> # /etc/rc.d/ntpd restart
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch Revision
> Path
> - -------------------------------------------------------------------------
> RELENG_6
> src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.8.2
> RELENG_6_4
> src/UPDATING 1.416.2.40.2.6
> src/sys/conf/newvers.sh 1.69.2.18.2.9
> src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.8.1.2.1
> RELENG_6_3
> src/UPDATING 1.416.2.37.2.14
> src/sys/conf/newvers.sh 1.69.2.15.2.13
> src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.20.1
> RELENG_7
> src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.18.2
> RELENG_7_1
> src/UPDATING 1.507.2.13.2.5
> src/sys/conf/newvers.sh 1.72.2.9.2.6
> src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.18.1.2.1
> RELENG_7_0
> src/UPDATING 1.507.2.3.2.13
> src/sys/conf/newvers.sh 1.72.2.5.2.13
> src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.22.1
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path Revision
> - -------------------------------------------------------------------------
> stable/6/ r187194
> releng/6.4/ r187194
> releng/6.3/ r187194
> stable/7/ r187194
> releng/7.1/ r187194
> releng/7.0/ r187194
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:02.openssl.asc
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:03.ntpd.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (FreeBSD)
>
> iD8DBQFJbRUfFdaIBMps37IRAqdjAJ42YSH0bjaAJBEVyMM7/em/tu0xUQCfVPrs
> IrH0Qxo4slvboQHsy1PbkN4=
> =Q4rn
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"
More information about the freebsd-security
mailing list