[ntp:security] Fwd: RE: CVE-2016-1549, CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185

Harlan Stenn stenn at nwtime.org
Tue Mar 6 20:26:00 UTC 2018




-------- Forwarded Message --------
From: Evans, Jonathan L. <jevans at mitre.org>
To: Sue Graves <sgraves at nwtime.org>
CC: Harlan Stenn <stenn at nwtime.org>, Common Vulnerabilities & Exposures
<cve at mitre.org>
Subject: RE: CVE-2016-1549, CVE-2018-7182, CVE-2018-7170, CVE-2018-7184,
CVE-2018-7185
Date: Tue, 6 Mar 2018 20:04:24 +0000

Hi Sue,

These CVE IDs should be populated on our site in the next few hours.
Unfortunately, one of our content team members filled in the entry
without seeing this email so the descriptions will not exactly match the
ones you provided.  If you have any issues with the content, please
suggest changes through the "Request an update to an existing CVE Entry"
form at https://cveform.mitre.org/.

-
Jonathan Evans
CVE Numbering Authority (CNA) Coordinator
CVE Team

-----Original Message-----
From: Sue Graves [mailto:sgraves at nwtime.org]
Sent: Sunday, March 04, 2018 12:41 AM
To: Common Vulnerabilities & Exposures <cve at mitre.org>
Cc: Harlan Stenn <stenn at nwtime.org>; Sue Graves-NTF <sgraves at nwtime.org>
Subject: CVE-2016-1549, CVE-2018-7182, CVE-2018-7170, CVE-2018-7184,
CVE-2018-7185

Released publicly on Feb 27 - Please update these CVE details:

Here is the NEWS file information:

--
NTP 4.2.8p11 (Harlan Stenn <stenn at ntp.org>, 2018/02/27)

NOTE: this NEWS file will be undergoing more revisions.

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 2 low-/medium-, 1 informational/medium-, and 2
low-severity vulnerabilities in ntpd, one medium-severity vulnerability
in ntpq, and provides 65 other non-security fixes and improvements:

* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
    association (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3454 / CVE-2018-7185 / VU#961909
   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
    2.9 and 6.8.
   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
    score between 2.6 and 3.1
   Summary:
    The NTP Protocol allows for both non-authenticated and
    authenticated associations, in client/server, symmetric (peer),
    and several broadcast modes. In addition to the basic NTP
    operational modes, symmetric mode and broadcast servers can
    support an interleaved mode of operation. In ntp-4.2.8p4 a bug
    was inadvertently introduced into the protocol engine that
    allows a non-authenticated zero-origin (reset) packet to reset
    an authenticated interleaved peer association. If an attacker
    can send a packet with a zero-origin timestamp and the source
    IP address of the "other side" of an interleaved association,
    the 'victim' ntpd will reset its association. The attacker must
    continue sending these packets in order to maintain the
    disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
    interleave mode could be entered dynamically. As of ntp-4.2.8p7,
    interleaved mode must be explicitly configured/enabled.
   Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page.
    If you are unable to upgrade to 4.2.8p11 or later and have
        'peer HOST xleave' lines in your ntp.conf file, remove the
        'xleave' option.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
   Credit:
    This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
    state (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3453 / CVE-2018-7184 / VU#961909
   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Could score between 2.9 and 6.8.
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
    Could score between 2.6 and 6.0.
   Summary:
    The fix for NtpBug2952 was incomplete, and while it fixed one
    problem it created another.  Specifically, it drops bad packets
    before updating the "received" timestamp.  This means a
    third-party can inject a packet with a zero-origin timestamp,
    meaning the sender wants to reset the association, and the
    transmit timestamp in this bogus packet will be saved as the
    most recent "received" timestamp.  The real remote peer does
    not know this value and this will disrupt the association until
    the association resets.
   Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
        or the NTP Public Services Project Download Page.
    Use authentication with 'peer' mode.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
   Credit:
    This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
    peering (LOW)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3415 / CVE-2018-7170 / VU#961909
               Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
       4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
   Summary:
    ntpd can be vulnerable to Sybil attacks.  If a system is set up to
    use a trustedkey and if one is not using the feature introduced in
    ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
    specify which IPs can serve time, a malicious authenticated peer
    -- i.e. one where the attacker knows the private symmetric key --
    can create arbitrarily-many ephemeral associations in order to win
    the clock selection of ntpd and modify a victim's clock.  Three
    additional protections are offered in ntp-4.2.8p11.  One is the
    new 'noepeer' directive, which disables symmetric passive
    ephemeral peering. Another is the new 'ippeerlimit' directive,
    which limits the number of peers that can be created from an IP.
    The third extends the functionality of the 4th field in the
    ntp.keys file to include specifying a subnet range.
   Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
        or the NTP Public Services Project Download Page.
    Use the 'noepeer' directive to prohibit symmetric passive
        ephemeral associations.
    Use the 'ippeerlimit' directive to limit the number of peers
        that can be created from an IP.
    Use the 4th argument in the ntp.keys file to limit the IPs and
        subnets that can be time servers.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
   Credit:
    This weakness was reported as Bug 3012 by Matthew Van Gundy of
    Cisco ASIG, and separately by Stefan Moser as Bug 3415.

* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
   Date Resolved: 27 Feb 2018
   References: Sec 3414 / CVE-2018-7183 / VU#961909
   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
   Summary:
    ntpq is a monitoring and control program for ntpd.  decodearr()
    is an internal function of ntpq that is used to -- wait for it --
    decode an array in a response string when formatted data is being
    displayed.  This is a problem in affected versions of ntpq if a
    maliciously-altered ntpd returns an array result that will trip this
    bug, or if a bad actor is able to read an ntpq request on its way to
    a remote ntpd server and forge and send a response before the remote
    ntpd sends its response.  It's potentially possible that the
    malicious data could become injectable/executable code.
   Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
        or the NTP Public Services Project Download Page.
   Credit:
    This weakness was discovered by Michael Macnair of Thales e-Security.

* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
    behavior and information leak (Info/Medium)
   Date Resolved: 27 Feb 2018
   References: Sec 3412 / CVE-2018-7182 / VU#961909
   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    0.0 if C:N
   Summary:
    ctl_getitem()  is used by ntpd to process incoming mode 6 packets.
    A malicious mode 6 packet can be sent to an ntpd instance, and
    if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
    cause ctl_getitem() to read past the end of its buffer.
   Mitigation:
    Implement BCP-38.
    Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
        or the NTP Public Services Project Download Page.
    Have enough sources of time.
    Properly monitor your ntpd instances.
    If ntpd stops running, auto-restart it without -g .
   Credit:
    This weakness was discovered by Yihan Lian of Qihoo 360.

* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
   Also see Bug 3415, above.
   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
    4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   Summary:
    ntpd can be vulnerable to Sybil attacks.  If a system is set up
    to use a trustedkey and if one is not using the feature
    introduced in ntp-4.2.8p6 allowing an optional 4th field in the
    ntp.keys file to specify which IPs can serve time, a malicious
    authenticated peer -- i.e. one where the attacker knows the
    private symmetric key -- can create arbitrarily-many ephemeral
    associations in order to win the clock selection of ntpd and
    modify a victim's clock.  Two additional protections are
    offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
    disables symmetric passive ephemeral peering. The other extends
    the functionality of the 4th field in the ntp.keys file to
    include specifying a subnet range.
   Mitigation:
    Implement BCP-38.
    Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
        the NTP Public Services Project Download Page.
    Use the 'noepeer' directive to prohibit symmetric passive
        ephemeral associations.
    Use the 'ippeerlimit' directive to limit the number of peer
        associations from an IP.
    Use the 4th argument in the ntp.keys file to limit the IPs
        and subnets that can be time servers.
    Properly monitor your ntpd instances.
   Credit:
    This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
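
The zero-origin reset that the Bug 3454 and Bug 3453 entries describe can be recognised on the wire. The Python below is an added example, not NTP project code: it decodes the 48-byte NTPv4 header (RFC 5905 layout), treats anything after the header as a key id plus MAC, and flags symmetric-mode packets that carry a zero origin timestamp without authentication. The sample packets are constructed; the 0xDE0A... timestamps, the "LOCL" reference id and the 16-byte all-zero digest are illustrative values, not captured traffic.

```python
"""Decode NTPv4 packets and flag unauthenticated symmetric-mode packets with a
zero origin timestamp, the pattern the Bug 3454/3453 NEWS entries describe.
Added example, not NTP project code; all packets below are constructed."""
import struct

HEADER = struct.Struct("!BBBbIIIQQQQ")  # 48-byte NTP header, RFC 5905 section 7.3
MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}


def build_packet(mode, origin, transmit, version=4, mac=b""):
    """Build a constructed NTP packet; 'mac' is an optional keyid+digest trailer."""
    li_vn_mode = (0 << 6) | (version << 3) | mode      # LI=0, VN, mode
    hdr = HEADER.pack(li_vn_mode, 2, 6, -20,           # stratum, poll, precision
                      0, 0, 0x4C4F434C,                # root delay/disp, refid "LOCL"
                      0, origin, 0, transmit)          # ref, origin, receive, transmit
    return hdr + mac


def decode(pkt):
    """Return the header fields a triage rule needs, plus an authentication hint."""
    if len(pkt) < HEADER.size:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp,
     _refid, _ref_ts, org_ts, _rec_ts, xmt_ts) = HEADER.unpack_from(pkt)
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "origin": org_ts,
        "transmit": xmt_ts,
        # Coarse: any trailer is taken to be keyid+MAC (extension fields would
        # also lengthen the packet; a full decoder walks them first).
        "authenticated": len(pkt) > HEADER.size,
    }


def is_suspect_reset(pkt):
    """True for an unauthenticated symmetric-mode packet whose origin timestamp is zero."""
    p = decode(pkt)
    return p["mode"] in (1, 2) and p["origin"] == 0 and not p["authenticated"]


def triage(packets):
    """Return (index, mode name) for every packet that matches the rule."""
    return [(i, MODE_NAMES.get(decode(p)["mode"], "reserved"))
            for i, p in enumerate(packets) if is_suspect_reset(p)]


# Constructed traffic sample (key id 1 followed by a 16-byte digest stands in for a MAC).
MAC_20 = struct.pack("!I", 1) + bytes(16)
SAMPLE = [
    build_packet(1, origin=0, transmit=0xDE0A000000000000),                               # bare zero-origin, symmetric active
    build_packet(1, origin=0xDE09FFFF00000000, transmit=0xDE0A000000000001, mac=MAC_20),  # normal authenticated peer packet
    build_packet(3, origin=0, transmit=0xDE0A000000000002),                               # first client request; zero origin is normal
    build_packet(2, origin=0, transmit=0xDE0A000000000003, mac=MAC_20),                   # zero origin but authenticated
]

if __name__ == "__main__":
    for idx, mode in triage(SAMPLE):
        print(f"packet {idx}: unauthenticated zero-origin {mode} packet")
```

A zero origin timestamp is legitimate when an association is first mobilised, so a single hit is not an attack. The pattern in the advisory is a sustained stream of such packets arriving with the source address of the real peer, so correlate hits by source address and rate before alerting, and remember that the sender is spoofing, which is why the NEWS entries put BCP-38 first.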

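The mitigations listed for Bugs 3415/3012 and 3454/3453 above are all visible in ntp.conf and ntp.keys. The Python below is an added example, not something from the NTP distribution: it parses a constructed ntp.conf and ntp.keys pair and reports 'xleave' on peer lines, peers without a 'key' option, a 'restrict default' line lacking 'noepeer' or 'ippeerlimit', and trusted keys whose ntp.keys entry has no fourth field binding them to an IP or subnet. The hosts, key material and file contents are invented for the example.

```python
"""Audit an ntp.conf / ntp.keys pair against the 4.2.8p11 NEWS hardening points:
'xleave' on peer lines (Bugs 3454/3453), unauthenticated peers (Bug 3453), and
trusted keys not bound to an IP/subnet plus missing 'noepeer' / 'ippeerlimit'
(Bugs 3415/3012). Added example; the configs below are constructed."""
import ipaddress

# Constructed "before": interleaved peer, an unauthenticated peer, keys usable
# from any address, and a default restrict line without the p11 flags.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
keys /etc/ntp.keys
trustedkey 1 2
peer 192.0.2.10 key 1 xleave
peer 192.0.2.11
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
WEAK_KEYS = """\
# keyno type key   (no 4th field: any address may present these keys)
1 MD5 sekret-one
2 SHA1 0123456789abcdef0123456789abcdef01234567
"""

# Constructed "after": xleave removed, every peer keyed, noepeer + ippeerlimit
# on the default restriction, and each key bound to an address or subnet.
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
keys /etc/ntp.keys
trustedkey 1 2
peer 192.0.2.10 key 1
peer 192.0.2.11 key 2
restrict default kod nomodify notrap nopeer noepeer noquery ippeerlimit 1
restrict 127.0.0.1
"""
HARDENED_KEYS = """\
1 MD5 sekret-one 192.0.2.10
2 SHA1 0123456789abcdef0123456789abcdef01234567 192.0.2.0/24
"""


def _lines(text):
    """Yield token lists for non-empty lines, with '#' comments stripped."""
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens


def parse_keys(text):
    """ntp.keys 'keyno type key [ip[/bits],...]' -> {keyno: [networks] or None}."""
    keys = {}
    for tok in _lines(text):
        if len(tok) < 3:
            continue  # malformed; skipped here, ntpd logs and ignores it too
        nets = None
        if len(tok) >= 4:
            nets = [ipaddress.ip_network(a, strict=False) for a in tok[3].split(",")]
        keys[int(tok[0])] = nets
    return keys


def audit(conf_text, keys_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    keys = parse_keys(keys_text)
    trusted = set()
    saw_default_restrict = False
    for tok in _lines(conf_text):
        cmd, args = tok[0], tok[1:]
        if cmd == "trustedkey":
            # Plain key numbers only; '(lo ... hi)' ranges are not expanded here.
            trusted.update(int(a) for a in args if a.isdigit())
        elif cmd == "peer":
            host = args[0] if args else "?"
            if "xleave" in args:
                findings.append(f"peer {host}: 'xleave' set; remove it unless running 4.2.8p11+")
            if "key" not in args:
                findings.append(f"peer {host}: no 'key' option; symmetric peer is unauthenticated")
        elif cmd == "restrict":
            flags = [a for a in args if a not in ("-4", "-6")]
            if flags and flags[0] == "default":
                saw_default_restrict = True
                if "noepeer" not in flags:
                    findings.append("restrict default: missing 'noepeer'")
                if "ippeerlimit" not in flags:
                    findings.append("restrict default: missing 'ippeerlimit'")
    if not saw_default_restrict:
        findings.append("no 'restrict default' line")
    for k in sorted(trusted):
        if k not in keys:
            findings.append(f"trustedkey {k}: not present in ntp.keys")
        elif keys[k] is None:
            findings.append(f"trustedkey {k}: not bound to any IP/subnet (4th field)")
    return findings


if __name__ == "__main__":
    for label, conf, keys in (("weak", WEAK_CONF, WEAK_KEYS),
                              ("hardened", HARDENED_CONF, HARDENED_KEYS)):
        print(label, audit(conf, keys) or "OK")
```

Remove 'xleave' only where you cannot upgrade, as the NEWS entry says. 'noepeer' and 'ippeerlimit' are restrict flags that first appear in 4.2.8p11, so an older ntpd does not know them; test the configuration against the version you actually run. The 'ippeerlimit 1' shown allows one association per source address; raise it to match the number of peers you expect from behind a single NAT address.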


