[ntp:hackers] Security fixes in ntp-4.2.8p6

Miroslav Lichvar mlichvar at redhat.com
Tue Jan 26 12:56:44 UTC 2016


On Sun, Jan 24, 2016 at 11:58:20PM +0100, Kurt Roeckx wrote:
> So can someone tell me what the status of the various security
> issues is in the 4.2.8p6 version?  I seem to be losing track.  Are
> there any patches for them?
> 
> CVE-2015-7704: A fix is available, will be part of p7, but hasn't
> been committed to the stable branch yet?

> CVE-2015-5300: Broken when using the LOCAL driver?

The problem with the LOCAL driver I mentioned before was already present
in 4.2.8. The fix for CVE-2015-5300 doesn't make it worse.

> CVE-2015-8138: The attempted fix for CVE-2015-7704 broke symmetric
> associations (Bug 2952), that's still broken on packet loss, and
> it also breaks the fix for CVE-2015-8138?

Yes, the commit 880191b7 is good, but it can't work together with
19d58f66. If you need to fix this issue in 4.2.8p6, I'd suggest
reverting that part of the code to what it was in 4.2.8p3 and applying
the commit 880191b7 together with the one-line fix for the KoD issue I
suggested earlier in the other thread.

If anyone is interested, the patches I've included in the Fedora ntp
package (based on 4.2.6) are here:

http://pkgs.fedoraproject.org/cgit/rpms/ntp.git/tree/

For CVE-2015-7974 and CVE-2015-7979 I've used a different approach.
Extending the configuration may be useful, but I think persistent
associations and associations authenticated with symmetric key should
always be protected against the first and second attack respectively.

As for CVE-2015-7973, I'm not sure if this can be reliably fixed with
symmetric keys or autokey. Replay attacks on broadcast modes are a
known problem that NTS is trying to solve with TESLA.

CVE-2015-7976 doesn't look like a security issue to me. Not allowing
overwrite will likely be a problem in some use cases.

-- 
Miroslav Lichvar
