[ntp:security] Several low impact ntp.org ntp issues

Florian Weimer fweimer at redhat.com
Thu Aug 20 09:53:37 UTC 2015


Miroslav Lichvár found several low-impact security issues in our ntp
branch, most of which have already been addressed upstream without
noting their security impact.

The first three issues require authentication.  Considering the low
impact and the availability of upstream fixes for most of the issues,
we'd like to make the issues public as soon as possible, unless there
are any objections.

(Impact may be higher if ntpd runs with root privileges.)

* CVE-2015-5194

It was found that ntpd could crash due to an invalid free() when
processing malformed logconfig configuration commands, for example:

ntpq -c ":config logconfig a"

Upstream fix:

<http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=4c4fc141LwvcoGp-lLGhkAFp3ZvtrA>
<https://github.com/ntp-project/ntp/commit/553f2fa65865c31c5e3c48812cfd46176cffdd27>

* CVE-2015-5195

It was found that ntpd exits with a segmentation fault when a statistics
type that was not enabled during compilation (e.g. timingstats) is
referenced by the statistics or filegen configuration command, for example:

ntpq -c ':config statistics timingstats'
ntpq -c ':config filegen timingstats'

Upstream fix:

<http://bk.ntp.org/ntp-dev/?PAGE=patch&REV=4d253ed0A400LyhRQIV0u23NJwuGAA>
<https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be>

* CVE-2015-5196

It was found that the :config command can be used to set the pidfile and
driftfile paths without any restrictions. A remote attacker could use
this flaw to overwrite a file on the file system with a file containing
the pid of the ntpd process (immediately) or the current estimated drift
of the system clock (in hourly intervals). For example:

ntpq -c ':config pidfile /tmp/ntp.pid'
ntpq -c ':config driftfile /tmp/ntp.drift'

No upstream fix, but Miroslav wrote the attached patch.
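
As an added illustration of the mitigation side of CVE-2015-5196 (example code, not from the advisory or the ntp project), the following audits an ntp.conf and reports the `restrict` scopes from which an authenticated client could still issue `:config`; it assumes standard ntp.conf semantics (a `controlkey` enables control requests, and `nomodify`, `noquery` or `ignore` on a `restrict` line block runtime reconfiguration), and the sample configurations are constructed.

```python
# Added example (not from the advisory): audit an ntp.conf for whether an
# authenticated remote client could reach ':config'. Assumes ntp.conf semantics:
# 'controlkey' enables mode-6 control requests, and a 'restrict' entry blocks
# runtime reconfiguration only if it carries 'nomodify', 'noquery' or 'ignore'.

LOOPBACK = {"127.0.0.1", "::1"}          # local admin access is expected
BLOCKING_FLAGS = {"nomodify", "noquery", "ignore"}

def parse_ntp_conf(text):
    """Return (controlkey, restricts); restricts is a list of (scope, flag set)."""
    controlkey, restricts = None, []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tokens:
            continue
        if tokens[0] == "controlkey" and len(tokens) > 1:
            controlkey = int(tokens[1])
        elif tokens[0] == "restrict" and len(tokens) > 1:
            args = tokens[2:] if tokens[1] in ("-4", "-6") else tokens[1:]
            scope, flags = args[0], args[1:]
            if len(flags) >= 2 and flags[0] == "mask":  # 'restrict A mask M flags'
                scope, flags = f"{scope}/{flags[1]}", flags[2:]
            restricts.append((scope, set(flags)))
    return controlkey, restricts

def audit_remote_config(text):
    """List restrict scopes from which ':config' (pidfile, driftfile, ...) is reachable."""
    controlkey, restricts = parse_ntp_conf(text)
    if controlkey is None:
        return []   # without a controlkey ntpd rejects ':config' outright
    findings = []
    if not any(scope == "default" for scope, _ in restricts):
        findings.append("default: no 'restrict default' line, unlisted clients get full access")
    for scope, flags in restricts:
        if scope not in LOOPBACK and not flags & BLOCKING_FLAGS:
            findings.append(f"{scope}: ':config' reachable, add 'nomodify' (or 'noquery')")
    return findings

# Constructed sample configs: the weak one lets any key holder reconfigure ntpd
# remotely; the hardened one keeps ntpq queries but denies runtime changes.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
trustedkey 1
controlkey 1
restrict default kod notrap nopeer
restrict 127.0.0.1
"""
HARDENED_CONF = WEAK_CONF.replace("kod notrap nopeer", "kod nomodify notrap nopeer noquery")
```

Running `audit_remote_config(WEAK_CONF)` reports the `default` scope; the hardened variant reports nothing.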

* CVE-2015-5219

It was discovered that sntp would hang in an infinite loop when a
crafted NTP packet was received, related to the conversion of the
precision value in the packet to double.

Upstream fix:

<http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=51786731Gr4-NOrTBC_a_uXO4wuGhg>
<https://github.com/ntp-project/ntp/commit/5f295cd05c3c136d39f5b3e500a2d781bdbb59c8>

-- 
Florian Weimer / Red Hat Product Security
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntp-remotewrite.patch
Type: text/x-patch
Size: 1725 bytes
Desc: not available
URL: <http://lists.ntp.org/private/security/attachments/20150820/0d15293a/attachment.bin>