Subject: [ASA-201803-11] ntp: multiple issues

Arch Linux Security Advisory ASA-201803-11
==========================================

Severity: High
Date    : 2018-03-16
CVE-ID  : CVE-2016-1549 CVE-2018-7170 CVE-2018-7182 CVE-2018-7183
          CVE-2018-7184 CVE-2018-7185
Package : ntp
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-647

Summary
=======

The package ntp before version 4.2.8.p11-1 is vulnerable to multiple
issues including arbitrary code execution, content spoofing and denial
of service.

Resolution
==========

Upgrade to 4.2.8.p11-1.

# pacman -Syu "ntp>=4.2.8.p11-1"

The problems have been fixed upstream in version 4.2.8.p11.

Workaround
==========

None.

Description
===========

- CVE-2016-1549 (content spoofing)

A malicious authenticated peer can create arbitrarily-many ephemeral
associations in order to win the clock selection algorithm in ntpd in
NTP 4.2.8p4 and earlier and NTPsec
3e160db8dc248a0bcb053b56a80167dc742d2b74 and
a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.

- CVE-2018-7170 (content spoofing)

ntpd can be vulnerable to Sybil attacks. If a system is set up to use a
trustedkey and if one is not using the feature introduced in ntp-4.2.8p6
allowing an optional 4th field in the ntp.keys file to specify which IPs
can serve time, a malicious authenticated peer -- i.e. one where the
attacker knows the private symmetric key -- can create arbitrarily-many
ephemeral associations in order to win the clock selection of ntpd and
modify a victim's clock.

- CVE-2018-7182 (denial of service)

ctl_getitem() is used by ntpd to process incoming mode 6 packets. A
malicious mode 6 packet can be sent to an ntpd instance, and if the ntpd
instance is from 4.2.8p6 thru 4.2.8p10, that will cause ctl_getitem() to
read past the end of its buffer.

- CVE-2018-7183 (arbitrary code execution)

ntpq is a monitoring and control program for ntpd. decodearr() is an
internal function of ntpq that is used to -- wait for it -- decode an
array in a response string when formatted data is being displayed. This
is a problem in affected versions of ntpq if a maliciously-altered ntpd
returns an array result that will trip this bug, or if a bad actor is
able to read an ntpq request on its way to a remote ntpd server and
forge and send a response before the remote ntpd sends its response.
It's potentially possible that the malicious data could become
injectable/executable code.

- CVE-2018-7184 (denial of service)

The fix for NtpBug2952 was incomplete, and while it fixed one problem it
created another. Specifically, it drops bad packets before updating the
"received" timestamp. This means a third-party can inject a packet with
a zero-origin timestamp, meaning the sender wants to reset the
association, and the transmit timestamp in this bogus packet will be
saved as the most recent "received" timestamp. The real remote peer does
not know this value and this will disrupt the association until the
association resets.

- CVE-2018-7185 (denial of service)

The NTP Protocol allows for both non-authenticated and authenticated
associations, in client/server, symmetric (peer), and several broadcast
modes. In addition to the basic NTP operational modes, symmetric mode
and broadcast servers can support an interleaved mode of operation. In
ntp-4.2.8p4 a bug was inadvertently introduced into the protocol engine
that allows a non-authenticated zero-origin (reset) packet to reset an
authenticated interleaved peer association. If an attacker can send a
packet with a zero-origin timestamp and the source IP address of the
"other side" of an interleaved association, the 'victim' ntpd will reset
its association. The attacker must continue sending these packets in
order to maintain the disruption of the association. In ntp-4.0.0 thru
ntp-4.2.8p6, interleave mode could be entered dynamically. As of
ntp-4.2.8p7, interleaved mode must be explicitly configured/enabled.

Impact
======

A remote, non-authenticated peer can cause a denial of service,
preventing the vulnerable host from getting a correct time. In addition
to that, a remote, authenticated peer can spoof the correct time, causing
the vulnerable host to update its clock with an invalid time.

A malicious NTPd server, or an attacker in position of man-in-the-middle
might be able to execute arbitrary code on the affected host by forging
a response to an ntpq request.

References
==========

http://support.ntp.org/bin/view/Main/NtpBug3012
http://support.ntp.org/bin/view/Main/NtpBug3415
http://support.ntp.org/bin/view/Main/NtpBug3412
http://support.ntp.org/bin/view/Main/NtpBug3414
http://support.ntp.org/bin/view/Main/NtpBug3453
http://support.ntp.org/bin/view/Main/NtpBug3454
https://security.archlinux.org/CVE-2016-1549
https://security.archlinux.org/CVE-2018-7170
https://security.archlinux.org/CVE-2018-7182
https://security.archlinux.org/CVE-2018-7183
https://security.archlinux.org/CVE-2018-7184
https://security.archlinux.org/CVE-2018-7185
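The per-CVE version ranges in the Description above are stated in three different forms (upstream "4.2.8p10", the Arch package "4.2.8.p11-1", and plain "4.2.8"), which makes fleet triage error-prone because a naive string compare puts "4.2.8p9" after "4.2.8p11". The following script is an added example, not part of the advisory or of the ntp project: it normalises those version strings and maps an installed version to the CVEs whose affected range, as given in this advisory, covers it. Where the advisory gives no lower bound (CVE-2016-1549 says "4.2.8p4 and earlier"; CVE-2018-7170, -7183 and -7184 only say fixed in 4.2.8p11) the table uses `None`, and the upper bound 4.2.8p10 for those three is derived from the fix release; both are assumptions recorded in the comments.

```python
import re

# Accepts "4.2.8p11", "4.2.8", and the Arch package form "4.2.8.p11-1"
# (optional dot before "p", optional "-<pkgrel>" suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.?p(\d+))?(?:-\d+)?$")


def parse_ntp_version(text):
    """Return a comparable (major, minor, micro, patch) tuple.

    A release with no "pN" suffix is patch level 0, so 4.2.8 < 4.2.8p1.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ntp version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch) if patch else 0)


# Upstream fix release named in the advisory.
FIXED_IN = "4.2.8p11"

# CVE -> (first affected, last affected), inclusive, from the advisory text.
# None means the advisory gives no lower bound.  The upper bound 4.2.8p10 for
# entries that only say "fixed in 4.2.8p11" is an assumption derived from that.
AFFECTED = {
    "CVE-2016-1549": (None, "4.2.8p4"),        # "NTP 4.2.8p4 and earlier"
    "CVE-2018-7170": (None, "4.2.8p10"),       # fixed in 4.2.8p11 (assumed bound)
    "CVE-2018-7182": ("4.2.8p6", "4.2.8p10"),  # "from 4.2.8p6 thru 4.2.8p10"
    "CVE-2018-7183": (None, "4.2.8p10"),       # fixed in 4.2.8p11 (assumed bound)
    "CVE-2018-7184": (None, "4.2.8p10"),       # fixed in 4.2.8p11 (assumed bound)
    "CVE-2018-7185": ("4.2.8p4", "4.2.8p10"),  # "In ntp-4.2.8p4 a bug was ... introduced"
}


def affected_cves(version):
    """List the advisory's CVEs whose stated range includes `version`."""
    v = parse_ntp_version(version)
    hits = []
    for cve, (low, high) in AFFECTED.items():
        if low is not None and v < parse_ntp_version(low):
            continue
        if v > parse_ntp_version(high):
            continue
        hits.append(cve)
    return hits


def is_fixed(version):
    """True when the installed version is at or past the upstream fix."""
    return parse_ntp_version(version) >= parse_ntp_version(FIXED_IN)


if __name__ == "__main__":
    # Constructed sample of what `pacman -Q ntp` style output might report.
    for installed in ("4.2.8.p11-1", "4.2.8p10", "4.2.8p4", "4.2.8"):
        print(installed, "fixed" if is_fixed(installed) else affected_cves(installed))
```

The tuple comparison is what makes the patch-level ordering correct; the same parser accepts the package version string so the check can be fed directly from the package manager's output.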
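The CVE-2018-7170 entry above names the configuration precondition: a key listed in `trustedkey` whose ntp.keys line has no 4th field restricting which source IPs may use it. The following audit script is an added example, not part of the advisory or of the ntp project. It assumes the ntp.keys line layout `keyno type key [ip,ip/prefix,...]` with `#` comments, and a simplified `trustedkey` directive of space-separated key numbers (ranges are not handled); both files are constructed samples embedded inline, not real key material.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class KeyEntry:
    keyno: int
    ktype: str
    allowed: list  # ip_network objects; an empty list means "any source IP"


# Constructed sample ntp.keys (assumed layout: keyno type key [iplist]).
SAMPLE_NTP_KEYS = """\
# constructed sample, not a real key file
1  SHA1 0123456789abcdef0123456789abcdef01234567
2  MD5  s3cretPassPhrase
7  SHA1 89abcdef0123456789abcdef0123456789abcdef 192.0.2.10,192.0.2.11
9  SHA1 fedcba9876543210fedcba9876543210fedcba98 198.51.100.0/24
"""

# Constructed sample ntp.conf fragment (simplified trustedkey syntax).
SAMPLE_NTP_CONF = """\
server 192.0.2.10 key 7
peer   192.0.2.11 key 7
trustedkey 1 7 9
"""


def _strip_comment(raw):
    return raw.split("#", 1)[0].strip()


def parse_ntp_keys(text):
    """Parse ntp.keys into {keyno: KeyEntry}, keeping the optional IP list."""
    entries = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed ntp.keys line: {raw!r}")
        keyno, ktype = int(fields[0]), fields[1].upper()
        allowed = []
        if len(fields) >= 4:
            # A bare address becomes a /32 (or /128) network; strict=False
            # tolerates host bits set in a prefixed entry.
            allowed = [ipaddress.ip_network(item, strict=False)
                       for item in fields[3].split(",")]
        entries[keyno] = KeyEntry(keyno, ktype, allowed)
    return entries


def parse_trusted_keys(conf_text):
    """Collect key numbers from `trustedkey` lines (single numbers only)."""
    trusted = set()
    for raw in conf_text.splitlines():
        fields = _strip_comment(raw).split()
        if fields and fields[0] == "trustedkey":
            trusted.update(int(f) for f in fields[1:])
    return trusted


def unrestricted_trusted_keys(keys, trusted):
    """Trusted keys with no IP list: anyone holding the key is accepted from
    any address, which is the CVE-2018-7170 precondition."""
    return sorted(k for k in trusted if k in keys and not keys[k].allowed)


def key_permits(keys, keyno, src_ip):
    """Would this key be accepted for a packet from src_ip under the IP list?"""
    entry = keys.get(keyno)
    if entry is None:
        return False
    if not entry.allowed:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in entry.allowed)


if __name__ == "__main__":
    keys = parse_ntp_keys(SAMPLE_NTP_KEYS)
    trusted = parse_trusted_keys(SAMPLE_NTP_CONF)
    for k in unrestricted_trusted_keys(keys, trusted):
        print(f"key {k}: trusted but not restricted to any source IP")
```

On the sample, key 1 is flagged (trusted, no IP list), key 2 is unrestricted but not trusted so it is not reported, and keys 7 and 9 are accepted only from the listed addresses. `key_permits` lets you check a given peer address against the parsed list before rolling the change out.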