October 2015 NTP Security Vulnerability Announcement
Environment
- Red Hat Enterprise Linux
- ntp-4.2.6p5
Issue
- NTP Vulnerability Announcement October 21st 2015
Red Hat Security Bugzillas Rated Important
Bug 1274265 - CVE-2015-7871 - ntp: crypto-NAK symmetric association authentication bypass vulnerability
Bug 1271070 - (CVE-2015-7704) CVE-2015-7704 - ntp: disabling synchronization via crafted KoD packet
Red Hat Security Bugzillas Rated Moderate
Bug 1274263 - (CVE-2015-7854) CVE-2015-7854 ntp: password length memory corruption vulnerability
Bug 1274262 - (CVE-2015-7853) CVE-2015-7853 ntp: reference clock memory corruption vulnerability
Bug 1274261 - (CVE-2015-7852) CVE-2015-7852 ntp: ntpq atoascii memory corruption vulnerability
Bug 1274260 - (CVE-2015-7851) CVE-2015-7851 ntp: saveconfig directory traversal vulnerability
Bug 1274257 - (CVE-2015-7849) CVE-2015-7849 ntp: trusted keys memory corruption vulnerability
Bug 1274256 - (CVE-2015-7848) CVE-2015-7848 ntp: multiple integer overflow read access violations
Bug 1274255 - (CVE-2015-7701) CVE-2015-7701 ntp: unspecified slow memory leak in CRYPTO_ASSOC
Bug 1274184 - (CVE-2015-7705) CVE-2015-7705 ntp: denial of service by trigerring rate limiting on NTP server
Bug 1274254 - (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c
Red Hat Security Bugzillas Rated Low
Bug 1274264 - (CVE-2015-7855) CVE-2015-7855 ntp: ASSERT in decodenetnum() on invalid values
Bug 1274258 - (CVE-2015-7850) CVE-2015-7850 ntp: remote configuration denial of service vulnerability
Bug 1254547 - (CVE-2015-7703) CVE-2015-7703 ntp: config command can be used to set the pidfile and drift file paths
Resolution
Red Hat Enterprise Linux are affected by these CVEs.
This issue is addressed in the following updates:
| CVE | Bugzilla | Affected OS | Impact | Errata | Remarks |
|---|---|---|---|---|---|
| CVE-2015-7704 | Bug 1271070 | RHEL7,RHEL6 | Important | RHSA-2015-1930 | ntp-4.2.6p5-5.el6_7.2/ntp-4.2.6p5-19.el7_1.3 |
| CVE-2015-7871 | Bug 1274265 | Not Affected | Important | - | - |
| CVE-2015-7854 | Bug 1274263 | Not Affected | Moderate | - | - |
| CVE-2015-7853 | Bug 1274262 | Not Affected | Moderate | - | - |
| CVE-2015-7852 | Bug 1274261 | RHEL7,RHEL6,RHEL5 | Moderate | RHSA-2016:0780 | ntp-4.2.6p5-10.el6 |
| CVE-2015-7851 | Bug 1274260 | Not Affected | Moderate | - | - |
| CVE-2015-7849 | Bug 1274257 | Not Affected | Moderate | - | - |
| CVE-2015-7848 | Bug 1274256 | Not Affected | Moderate | - | - |
| CVE-2015-7701 | Bug 1274255 | RHEL7,RHEL6,RHEL5 | Moderate | RHSA-2016:0780 | ntp-4.2.6p5-10.el6 |
| CVE-2015-7705 | Bug 1274184 | RHEL7,RHEL6,RHEL5 | Moderate | Will not fix | Mitigation |
| CVE-2015-7691 | Bug 1274254 | RHEL7,RHEL6,RHEL5 | Moderate | RHSA-2016:0780 | ntp-4.2.6p5-10.el6 |
| CVE-2015-7692 | Bug 1274254 | RHEL7,RHEL6,RHEL5 | Moderate | RHSA-2016:0780 | ntp-4.2.6p5-10.el6 |
| CVE-2015-7702 | Bug 1274254 | RHEL7,RHEL6,RHEL5 | Moderate | RHSA-2016:0780 | ntp-4.2.6p5-10.el6 |
| CVE-2015-7855 | Bug 1274264 | Not Affected | Low | - | - |
| CVE-2015-7850 | Bug 1274258 | RHEL7,RHEL6,RHEL5 | Low | Will not fix | Limited |
| CVE-2015-7703 | Bug 1254547 | RHEL6 | Low | RHSA-2016:0780 | ntp-4.2.6p5-10.el6 |
Mitigation
CVE-2015-7705 : Do not add the "limited" configuration option to any restrict lines in the ntp.conf file.
Limited
CVE-2015-7850 : The issue relies on the fact that an attacker could provide a crafted config file that could cause ntpd loop infinitely. Fixing this one case does not prevent the attacker from pointing ntpd to the e.g. /dev/zero file, which would have the same effect. This issue is limited to users who are able to use the :config command.
Root Cause
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments