[ntp:security] Fwd: [oss-security] Several low impact ntp.org ntpd issues

Brad Knowles brad at shub-internet.org
Tue Aug 25 15:42:13 UTC 2015


Folks,

Just saw that Florian had sent out this notice, and figured that folks here might want to hear about it.


> Begin forwarded message:
> 
> From: Florian Weimer <fweimer at redhat.com>
> Subject: [oss-security] Several low impact ntp.org ntpd issues
> Date: August 25, 2015 at 4:24:01 AM CDT
> To: oss-security at lists.openwall.com
> Reply-To: oss-security at lists.openwall.com
> 
> Miroslav Lichvár found several low-impact security issues in our ntp
> branch, most of which have already been addressed upstream without
> noting their security impact.
> 
> The first three issues require authentication.  Considering the low
> impact and the availability of upstream fixes for most of the issues,
> we'd like to make the issues public as soon as possible, unless there
> are any objections.
> 
> (Impact may be higher if ntpd runs with root privileges.)
> 
> * CVE-2015-5194
> https://bugzilla.redhat.com/show_bug.cgi?id=1254542
> 
> It was found that ntpd could crash due to an uninitialized variable when
> processing malformed logconfig configuration commands, for example:
> 
> ntpq -c ":config logconfig a"
> 
> Upstream fix:
> 
> <http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=4c4fc141LwvcoGp-lLGhkAFp3ZvtrA>
> <https://github.com/ntp-project/ntp/commit/553f2fa65865c31c5e3c48812cfd46176cffdd27>
> 
> * CVE-2015-5195
> https://bugzilla.redhat.com/show_bug.cgi?id=1254544
> 
> It was found that ntpd exits with a segmentation fault when a statistics
> type that was not enabled during compilation (e.g. timingstats) is
> referenced by the statistics or filegen configuration command, for example:
> 
> ntpq -c ':config statistics timingstats'
> ntpq -c ':config filegen timingstats'
> 
> Upstream fix:
> 
> <http://bk.ntp.org/ntp-dev/?PAGE=patch&REV=4d253ed0A400LyhRQIV0u23NJwuGAA>
> <https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be>
> 
> * CVE-2015-5196
> https://bugzilla.redhat.com/show_bug.cgi?id=1254547
> 
> It was found that the :config command can be used to set the pidfile and
> driftfile paths without any restrictions. A remote attacker could use
> this flaw to overwrite a file on the file system with a file containing
> the pid of the ntpd process (immediately) or the current estimated drift
> of the system clock (at hourly intervals). For example:
> 
> ntpq -c ':config pidfile /tmp/ntp.pid'
> ntpq -c ':config driftfile /tmp/ntp.drift'
> 
> No upstream fix, but Miroslav wrote the attached patch.
> 
> * CVE-2015-5219
> https://bugzilla.redhat.com/show_bug.cgi?id=1255118
> 
> It was discovered that sntp would hang in an infinite loop when a
> crafted NTP packet was received, related to the conversion of the
> precision value in the packet to double.
> 
> Upstream fix:
> 
> http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=51786731Gr4-NOrTBC_a_uXO4wuGhg
> https://github.com/ntp-project/ntp/commit/5f295cd05c3c136d39f5b3e500a2d781bdbb59c8
> 
> 
> (Reported to the distros list and upstream last week, no request for an
> embargo, hence public disclosure.)
> 
> --
> Florian Weimer / Red Hat Product Security
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntp-remotewrite.patch
Type: text/x-patch
Size: 1726 bytes
Desc: not available
URL: <http://lists.ntp.org/private/security/attachments/20150825/094df3ff/attachment.bin>

--
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
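The sntp issue above (CVE-2015-5219) concerns converting the packet's 8-bit precision field to a double. The following is an added example, not ntpd's or sntp's code: it reads the precision byte from a constructed 48-byte server reply and converts it in a single closed-form step with an explicit range check, so no value in the packet can drive the number of iterations. The accepted range (PREC_MIN..PREC_MAX), the -1.0 rejection sentinel and the sample packet are assumptions made for this example.

```c
/* Added example, not ntpd/sntp source: precision field of an NTP header
 * converted to seconds with no loop and with an explicit range check. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NTP_HDR_LEN 48          /* fixed NTP v4 header, RFC 5905 */
#define PREC_OFFSET 3           /* LI/VN/mode, stratum, poll, precision */

/* Assumed sanity bounds (not from the advisory): precision is log2 seconds,
 * and real clocks report roughly 2^-6 .. 2^-30 s. */
#define PREC_MIN (-30)
#define PREC_MAX 0

/* Returns 2^prec seconds, or -1.0 when prec is outside the accepted range
 * (a genuine precision is always positive, so the sentinel cannot collide).
 * The shift is one operation, so an unexpected value such as -128 cannot
 * change how long the conversion takes. */
double precision_to_seconds(int8_t prec)
{
    if (prec < PREC_MIN || prec > PREC_MAX)
        return -1.0;
    return 1.0 / (double)(1UL << (unsigned)(-prec));
}

/* Reads the precision byte from a raw NTP header; -1.0 if the buffer is
 * too short or the value is rejected. */
double packet_precision(const uint8_t *pkt, size_t len)
{
    if (len < NTP_HDR_LEN)
        return -1.0;
    return precision_to_seconds((int8_t)pkt[PREC_OFFSET]);
}

/* Constructed server reply: LI=0 VN=4 mode=4, stratum 2, poll 6, precision
 * byte prec; all other fields zero. */
double sample_reply_precision(uint8_t prec)
{
    uint8_t pkt[NTP_HDR_LEN] = { 0x24, 0x02, 0x06 };
    pkt[PREC_OFFSET] = prec;
    return packet_precision(pkt, sizeof pkt);
}

int main(void)
{
    printf("precision 0xEC (-20) -> %g s\n", sample_reply_precision(0xEC));
    printf("precision 0x80 (-128) -> %s\n",
           sample_reply_precision(0x80) < 0 ? "rejected" : "accepted");
    return 0;
}
```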
