FreeBSD Security Advisory FreeBSD-SA-15:25.ntp
Gary Palmer
gpalmer at freebsd.org
Mon Oct 26 15:59:17 UTC 2015
Hi,
Anyone else done the update on FreeBSD 9.3? After rebuilding the world
I'm getting an error when running ntpdc or ntpq
% ntpdc -np
/usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed
Abort
Thanks,
Gary
On Mon, Oct 26, 2015 at 12:36:02PM +0000, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-15:25.ntp Security Advisory
> The FreeBSD Project
>
> Topic: Multiple vulnerabilities of ntp
>
> Category: contrib
> Module: ntp
> Announced: 2015-10-26
> Credits: Network Time Foundation
> Affects: All supported versions of FreeBSD.
> Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
> 2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6)
> 2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23)
> 2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE)
> 2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29)
> CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
> CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851,
> CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855,
> CVE-2015-7871
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit https://security.FreeBSD.org/.
>
> I. Background
>
> The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
> used to synchronize the time of a computer system to a reference time
> source.
>
> II. Problem Description
>
> Crypto-NAK packets can be used to cause ntpd(8) to accept time from an
> unauthenticated ephemeral symmetric peer by bypassing the authentication
> required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and
> 10.1 are not affected.
>
> If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusual
> long data value where a network address is expected, the decodenetnum()
> function will abort with an assertion failure instead of simply returning
> a failure condition. [CVE-2015-7855]
>
> If ntpd(8) is configured to allow remote configuration, and if the
> (possibly spoofed) source IP address is allowed to send remote
> configuration requests, and if the attacker knows the remote
> configuration password or if ntpd(8) was configured to disable
> authentication, then an attacker can send a set of packets to ntpd(8) that
> may cause it to crash, with the hypothetical possibility of a small code
> injection. [CVE-2015-7854]
>
> A negative value for the datalen parameter will overflow a data buffer.
> NTF's ntpd(8) driver implementations always set this value to 0 and are
> therefore not vulnerable to this weakness. If you are running a custom
> refclock driver in ntpd(8) and that driver supplies a negative value for
> datalen (no custom driver of even minimal competence would do this)
> then ntpd would overflow a data buffer. It is even hypothetically
> possible in this case that instead of simply crashing ntpd the
> attacker could effect a code injection attack. [CVE-2015-7853]
>
> If an attacker can figure out the precise moment that ntpq(8) is listening
> for data and the port number it is listening on or if the attacker can
> provide a malicious instance ntpd(8) that victims will connect to then an
> attacker can send a set of crafted mode 6 response packets that, if
> received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852]
>
> If ntpd(8) is configured to allow remote configuration, and if the
> (possibly spoofed) IP address is allowed to send remote configuration
> requests, and if the attacker knows the remote configuration password
> or if ntpd(8) was configured to disable authentication, then an attacker
> can send a set of packets to ntpd that may cause ntpd(8) to overwrite
> files. [CVE-2015-7851]. The default configuration of ntpd(8) within
> FreeBSD does not allow remote configuration.
>
> If ntpd(8) is configured to allow remote configuration, and if the
> (possibly spoofed) source IP address is allowed to send remote
> configuration requests, and if the attacker knows the remote
> configuration password or if ntpd(8) was configured to disable
> authentication, then an attacker can send a set of packets to ntpd
> that will cause it to crash and/or create a potentially huge log
> file. Specifically, the attacker could enable extended logging,
> point the key file at the log file, and cause what amounts to an
> infinite loop. [CVE-2015-7850]. The default configuration of ntpd(8)
> within FreeBSD does not allow remote configuration.
>
> If ntpd(8) is configured to allow remote configuration, and if the
> (possibly spoofed) source IP address is allowed to send remote
> configuration requests, and if the attacker knows the remote
> configuration password or if ntpd was configured to disable
> authentication, then an attacker can send a set of packets to
> ntpd that may cause a crash or theoretically perform a code
> injection attack. [CVE-2015-7849]. The default configuration of ntpd(8)
> within FreeBSD does not allow remote configuration.
>
> If ntpd(8) is configured to enable mode 7 packets, and if the use
> of mode 7 packets is not properly protected thru the use of the
> available mode 7 authentication and restriction mechanisms, and
> if the (possibly spoofed) source IP address is allowed to send
> mode 7 queries, then an attacker can send a crafted packet to
> ntpd that will cause it to crash. [CVE-2015-7848]. The default
> configuration of ntpd(8) within FreeBSD does not allow mode 7
> packets.
>
> If ntpd(8) is configured to use autokey, then an attacker can send
> packets to ntpd that will, after several days of ongoing attack,
> cause it to run out of memory. [CVE-2015-7701]. The default
> configuration of ntpd(8) within FreeBSD does not use autokey.
>
> If ntpd(8) is configured to allow for remote configuration, and if
> the (possibly spoofed) source IP address is allowed to send
> remote configuration requests, and if the attacker knows the
> remote configuration password, it's possible for an attacker
> to use the "pidfile" or "driftfile" directives to potentially
> overwrite other files. [CVE-2015-5196]. The default configuration
> of ntpd(8) within FreeBSD does not allow remote configuration
>
> An ntpd(8) client that honors Kiss-of-Death responses will honor
> KoD messages that have been forged by an attacker, causing it
> to delay or stop querying its servers for time updates. Also,
> an attacker can forge packets that claim to be from the target
> and send them to servers often enough that a server that
> implements KoD rate limiting will send the target machine a
> KoD response to attempt to reduce the rate of incoming packets,
> or it may also trigger a firewall block at the server for
> packets from the target machine. For either of these attacks
> to succeed, the attacker must know what servers the target
> is communicating with. An attacker can be anywhere on the
> Internet and can frequently learn the identity of the target's
> time source by sending the target a time query. [CVE-2015-7704]
>
> The fix for CVE-2014-9750 was incomplete in that there were
> certain code paths where a packet with particular autokey
> operations that contained malicious data was not always being
> completely validated. Receipt of these packets can cause ntpd
> to crash. [CVE-2015-7702]. The default configuration of ntpd(8)
> within FreeBSD does not use autokey.
>
> III. Impact
>
> An attacker which can send NTP packets to ntpd(8), which uses cryptographic
> authentication of NTP data, may be able to inject malicious time data
> causing the system clock to be set incorrectly. [CVE-2015-7871]
>
> An attacker which can send NTP packets to ntpd(8), can block the
> communication of the daemon with time servers, causing the system
> clock not being synchronized. [CVE-2015-7704]
>
> An attacker which can send NTP packets to ntpd(8), can remotely crash
> the daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854]
> [CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848]
>
> An attacker which can send NTP packets to ntpd(8), can remotely
> trigger the daemon to overwrite its configuration files. [CVE-2015-7851]
> [CVE-2015-5196]
>
> IV. Workaround
>
> No workaround is available, but systems not running ntpd(8) are not
> affected. Network administrators are advised to implement BCP-38,
> which helps to reduce risk associated with the attacks.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> The ntpd service has to be restarted after the update. A reboot is
> recommended but not required.
>
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> The ntpd service has to be restarted after the update. A reboot is
> recommended but not required.
>
> 3) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 10.2]
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2
> # bunzip2 ntp-102.patch.bz2
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc
> # gpg --verify ntp-102.patch.asc
>
> [FreeBSD 10.1]
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2
> # bunzip2 ntp-101.patch.bz2
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc
> # gpg --verify ntp-101.patch.asc
>
> [FreeBSD 9.3]
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2
> # bunzip2 ntp-93.patch.bz2
> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc
> # gpg --verify ntp-93.patch.asc
>
> b) Apply the patch. Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # find contrib/ntp -type f -empty -delete
>
> c) Recompile the operating system using buildworld and installworld as
> described in https://www.FreeBSD.org/handbook/makeworld.html.
>
> d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended,
> which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and
> with help of the etcupdate(8) tool on 10.1-RELEASE.
>
> Restart the ntpd(8) daemon, or reboot the system.
>
> VI. Correction details
>
> The following list contains the correction revision numbers for each
> affected branch.
>
> Branch/path Revision
> - -------------------------------------------------------------------------
> stable/9/ r289998
> releng/9.3/ r290001
> stable/10/ r289997
> releng/10.1/ r290000
> releng/10.2/ r289999
> - -------------------------------------------------------------------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN
>
> VII. References
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871
>
> The latest revision of this advisory is available at
> https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJWLhOJAAoJEO1n7NZdz2rn91wP/2GwEt1boNQq2a7nYzv/mS5D
> sYKkIi7o+2yr2BLXvtc3O7c9QC3/YeGsza9DTRqndcY572SWvRgtkFstMTTm8IV/
> RVlIE40gVR3tex0zo7BiD7uKUrxWxWcpwMbE5dzlE+vSybyyj0dSSkwUHJjrbJoA
> RmyNuEEUhQn5sRCg6qJv/PLp2G7BcYAasKScukjm7QnLP2kq/tvM9mcqwfh2tadM
> 7kbf8uq+ykvsRzctaDnxQaB5+zJxBQYJjBelxQfIkNek0XGfdj3sRwISeFznbllq
> mOLTIBaFiuEtHtusO7MKKavMgS5CQJOvuuvd/l3NY1MnxC6X/1SWig9KIKDIn/hv
> q8dsnq7LLx+tO6Cv4Dub7EbC2ZP3xXGOC4Ie02z8bTZnbX7iwyPUidQQqtU9ra15
> rxzFcZnBxu+yyMNJVsV2qVV/r9OycgKxWlEELC1wYrK9fKfvLdA5aEGjDeU1Z+s6
> JS2zKr0t4F2bMrCsjYP1lQD8sHkCVjwJk+IJU/slcwSajDjBNlMH0yBxGYE1ETIZ
> qMF7/PAkLe8V78pdYmXw9pcaPyhI+ihPLnNrdhX8AI2RX5jDK7IuUNJeUM04UrVB
> 8N+mMwgamcuCPWNNyXaL0bz21fexZOuhHmU+B8Yn3SFX5O5b/r9gGvrjo8ei8jOk
> EUlBT3ViDhHNrI7PTaiI
> =djPm
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe at freebsd.org"
>
More information about the freebsd-security
mailing list