FreeBSD Security Advisory FreeBSD-SA-18:02.ntp
Gordon Tetlow
gordon at tetlows.org
Wed Mar 7 15:13:16 UTC 2018
Sorry about that. I thought I had everything but I missed that piece. They should be coming shortly.
That said, I’m seeing reports of the ipsec patches for 10.x not compiling. Will look into that shortly.
Gordon
> On Mar 7, 2018, at 06:40, Philip M. Gollucci <pgollucci at p6m7g8.com> wrote:
>
> The links are 404ing
>
> On Wed, Mar 7, 2018 at 2:10 AM, FreeBSD Security Advisories <
> security-advisories at freebsd.org> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> ============================================================
>> =================
>> FreeBSD-SA-18:02.ntp Security
>> Advisory
>> The FreeBSD
>> Project
>>
>> Topic: Multiple vulnerabilities of ntp
>>
>> Category: contrib
>> Module: ntp
>> Announced: 2018-03-07
>> Credits: Network Time Foundation
>> Affects: All supported versions of FreeBSD.
>> Corrected: 2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE)
>> 2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7)
>> 2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE)
>> 2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6)
>> 2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27)
>> CVE Name: CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185,
>> CVE-2018-7183
>>
>> For general information regarding FreeBSD Security Advisories,
>> including descriptions of the fields above, security branches, and the
>> following sections, please visit <URL:https://security.FreeBSD.org/>.
>>
>> I. Background
>>
>> The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
>> used to synchronize the time of a computer system to a reference time
>> source.
>>
>> II. Problem Description
>>
>> The ctl_getitem() function is used by ntpd(8) to process incoming "mode 6"
>> packets. A malicious "mode 6" packet can be sent to an ntpd instance, and
>> if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() will
>> read past the end of its buffer. [CVE-2018-7182]
>>
>> The ntpd(8) service can be vulnerable to Sybil attacks. If a system is
>> configured to use a trustedkey and if one is not using the feature
>> introduced
>> in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
>> specify
>> which IPs can serve time, a malicious authenticated peer, i.e., one where
>> the
>> attacker knows the private symmetric key, can create arbitrarily-many
>> ephemeral associations in order to win the clock selection of ntpd and
>> modify
>> a victim's clock. [CVE-2018-7170]
>>
>> The fix for NtpBug2952 was incomplete, and while it fixed one problem it
>> created another. Specifically, it drops bad packets before updating the
>> "received" timestamp. This means a third-party can inject a packet with
>> a zero-origin timestamp, meaning the sender wants to reset the association,
>> and the transmit timestamp in this bogus packet will be saved as the most
>> recent "received" timestamp. The real remote peer does not know this
>> value and this will disrupt the association until the association resets.
>> [CVE-2018-7184]
>>
>> The NTP Protocol allows for both non-authenticated and authenticated
>> associations, in client/server, symmetric (peer), and several broadcast
>> modes. In addition to the basic NTP operational modes, symmetric mode and
>> broadcast servers can support an interleaved mode of operation. In
>> ntp-4.2.8p4, a bug was inadvertently introduced into the protocol engine
>> that
>> allows a non-authenticated zero-origin (reset) packet to reset an
>> authenticated interleaved peer association. If an attacker can send a
>> packet
>> with a zero-origin timestamp and the source IP address of the "other side"
>> of
>> an interleaved association, the 'victim' ntpd will reset its association.
>> The attacker must continue sending these packets in order to maintain the
>> disruption of the association. [CVE-2018-7185]
>>
>> The ntpq(8) utility is a monitoring and control program for ntpd. The
>> internal decodearr() function of ntpq(8) that is used to decode an array in
>> a response string when formatted data is being displayed. This is a
>> problem
>> in affected versions of ntpq if a maliciously-altered ntpd returns an array
>> result that will trip this bug, or if a bad actor is able to read an
>> ntpq(8)
>> request on its way to a remote ntpd server and forge and send a response
>> before the remote ntpd sends its response. It is potentially possible that
>> the malicious data could become injectable/executable code. [CVE-2017-7183]
>>
>> III. Impact
>>
>> Malicious remote attackers may be able to break time synchornization,
>> or cause the ntpq(8) utility to crash.
>>
>> IV. Workaround
>>
>> No workaround is available, but systems not running ntpd(8) or ntpq(8) are
>> not affected. Network administrators are advised to implement BCP-38 which
>> helps to reduce risk associated with the attacks.
>>
>> V. Solution
>>
>> Perform one of the following:
>>
>> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
>> release / security branch (releng) dated after the correction date.
>>
>> The ntpd service has to be restarted after the update. A reboot is
>> recommended but not required.
>>
>> 2) To update your vulnerable system via a binary patch:
>>
>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>> platforms can be updated via the freebsd-update(8) utility:
>>
>> # freebsd-update fetch
>> # freebsd-update install
>>
>> The ntpd service has to be restarted after the update. A reboot is
>> recommended but not required.
>>
>> 3) To update your vulnerable system via a source code patch:
>>
>> The following patches have been verified to apply to the applicable
>> FreeBSD release branches.
>>
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>>
>> [FreeBSD 11.1]
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc
>> # gpg --verify ntp-11.1.patch.asc
>>
>> [FreeBSD 10.4]
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc
>> # gpg --verify ntp-10.4.patch.asc
>>
>> [FreeBSD 10.3]
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc
>> # gpg --verify ntp-10.3.patch.asc
>>
>> b) Apply the patch. Execute the following commands as root:
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>>
>> c) Recompile the operating system using buildworld and installworld as
>> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
>>
>> Restart the applicable daemons, or reboot the system.
>>
>> VI. Correction details
>>
>> The following list contains the correction revision numbers for each
>> affected branch.
>>
>> Branch/path Revision
>> - ------------------------------------------------------------
>> -------------
>> stable/10/ r330141
>> releng/10.3/ r330567
>> releng/10.4/ r330567
>> stable/11/ r330106
>> releng/11.1/ r330567
>> - ------------------------------------------------------------
>> -------------
>>
>> To see which files were modified by a particular revision, run the
>> following command, replacing NNNNNN with the revision number, on a
>> machine with Subversion installed:
>>
>> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>>
>> Or visit the following URL, replacing NNNNNN with the revision number:
>>
>> <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>>
>> VII. References
>>
>> <URL:http://support.ntp.org/bin/view/Main/SecurityNotice#
>> February_2018_ntp_4_2_8p11_NTP_S>
>>
>> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182>
>>
>> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170>
>>
>> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184>
>>
>> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185>
>>
>> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7183>
>>
>> The latest revision of this advisory is available at
>> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:02.ntp.asc>
>> -----BEGIN PGP SIGNATURE-----
>>
>> iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhYNfFIAAAAAALgAo
>> aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
>> MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
>> 5cL9GQ/+PLffyegsvxKngL83XWG9UuHbcGG5aWbNwCecTEzNoCI72TI03aga0ge5
>> iLz5kW3SQvl8tsq778U4YbfFcCw6ifq2ws8asqNviv+u4AcJh7oD8CS3/kFuA9xM
>> zjAIrScdNR2taBJhBW3nwlb7RmDeKqydQ3OIxHVvs9Fj5Alc5ZEGezUjC2dueB+M
>> UdORg6GvHGMYQ+4AtBFRgZHAU3BFkwmgqsIICywYnUVH+AxKj34shs/pMMeJd/d9
>> a+BIu/tUjAIlQp23VunNAfq7r2eZik9LOV8Y5l1Ww7+K1IwlwezxI+Iw18BMFEVn
>> L9baBY9RFh8v/yrZCBqUc7Prhs3ExU/lnAb05Va7TYeD4RXVmSU0jNXi/przN3y2
>> PR7Z3JCm60mFKyp0/Hz2MmS1XPBVBrW4P6g9hH8TZmOHb2mZlK3zDXmil7HKp5DK
>> UhtMJpPEWV9k5rfP8iijHJnwkPr0ALntMUAAKUyw/6isVtHT6BZLaYsZvRYIm8YY
>> Mn2RUl74m+XoIhQ8R4mxRcaAHwKKXyeyP5nlAs6TQVb9QJukoRiNDr3g8TwbtT54
>> iTswVu+z/a89/YIwJoc6Ud7eCZSDYe6qfuC19TVuledayjjy/ZPMH0ZkNWFWJ3AE
>> VAvdyvoUuNbmsv42o4AUtpE/1CmDqOjwBRZZbtV4CONCDFpk26o=
>> =D2ov
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> freebsd-security-notifications at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
>> To unsubscribe, send any mail to "freebsd-security-
>> notifications-unsubscribe at freebsd.org"
>>
>
>
>
> --
> ---------------------------------------------------------------------------------
> 4096R/D21D2752
> <http://pgp.mit.edu/pks/lookup?op=get&search=0xF699A450D21D2752> ECDF B597
> B54B 7F92 753E E0EA F699 A450 D21D 2752
> Philip M. Gollucci (pgollucci at p6m7g8.com) c: 703.336.9354
> Member, Apache Software Foundation
> Committer, FreeBSD Foundation
> Consultant, P6M7G8 Inc.
> Director Cloud Technology, Capital One
>
> What doesn't kill us can only make us stronger;
> Except it almost kills you.
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
More information about the freebsd-security
mailing list