[ntp:security] Fwd: Questions about CVE-2019-11331

Danny Mayer mayer at ntp.org
Mon May 13 20:49:04 UTC 2019


The score should go to 0!

RFC 5905 Section 8 paragraph 4 is pretty explicit about checking the
origin timestamp:

"A packet is bogus if the origin timestamp t1 in the packet does not
match the xmt state variable T1."

For an off-path attack it is almost impossible to know this 64-bit
timestamp. Harlan provided much more detail. The NTP reference
implementation is not vulnerable to an attack like this. Any other
implementation that doesn't check this is not even compliant with the RFCs.

Danny
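The origin-timestamp test Danny cites, shown as an added example; this is not code from ntpd or from the original message, and the packet builder, the stratum/poll values and the forged reply are constructed for illustration. The client remembers the transmit timestamp it sent (the xmt state variable, T1) and discards any reply whose origin field does not equal it, which is why a sender that never saw the request cannot produce an acceptable reply:

```python
import struct
import time

# 48-byte NTPv4 header (RFC 5905 section 7.3): LI/VN/Mode, stratum, poll,
# precision, root delay, root dispersion, reference ID, then the four
# 64-bit timestamps: reference, origin (org), receive (rec), transmit (xmt).
NTP_FMT = "!BBBbIIIQQQQ"
NTP_LEN = struct.calcsize(NTP_FMT)  # 48
ORG_IDX, REC_IDX, XMT_IDX = 8, 9, 10
NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def ntp_now() -> int:
    """Current time as a 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    now = time.time()
    secs = (int(now) + NTP_UNIX_OFFSET) & 0xFFFFFFFF
    frac = int((now - int(now)) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def build_client_request(xmt: int) -> bytes:
    """Client packet (mode 3). The client must remember xmt: it is the T1 state variable."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # poll 6 and precision -20 are constructed values for the example
    return struct.pack(NTP_FMT, li_vn_mode, 0, 6, -20, 0, 0, 0, 0, 0, 0, xmt)


def build_server_response(request: bytes, rec: int, xmt: int) -> bytes:
    """What a genuine server does: copy the request's transmit timestamp into org."""
    f = list(struct.unpack(NTP_FMT, request))
    f[0] = (0 << 6) | (4 << 3) | 4          # mode 4 = server
    f[1] = 2                                 # constructed stratum
    f[ORG_IDX] = f[XMT_IDX]                  # org := client's T1
    f[REC_IDX] = rec
    f[XMT_IDX] = xmt
    return struct.pack(NTP_FMT, *f)


def check_response(response: bytes, expected_t1: int) -> str:
    """Apply the RFC 5905 section 8 origin test before using a reply.

    Returns "ok" or a short reason for discarding the packet.
    """
    if len(response) < NTP_LEN:
        return "short packet"
    f = struct.unpack(NTP_FMT, response[:NTP_LEN])
    if f[0] & 0x7 != 4:
        return "not a server reply"
    if f[ORG_IDX] != expected_t1:
        return "bogus: origin timestamp does not match xmt"
    return "ok"


def demo() -> tuple:
    """Genuine reply vs. a constructed forgery from a sender that never saw the request."""
    t1 = ntp_now()                          # client records this as state variable xmt
    request = build_client_request(t1)
    genuine = build_server_response(request, ntp_now(), ntp_now())
    # Constructed forgery: without the request, the sender has to guess all 64 bits
    # of T1; here it gets the seconds right but one bit of the fraction wrong.
    guessed_t1 = t1 ^ 0x80
    forged = build_server_response(build_client_request(guessed_t1), ntp_now(), ntp_now())
    return check_response(genuine, t1), check_response(forged, t1)


if __name__ == "__main__":
    print(demo())
```

The check is cheap and stateless beyond the single remembered xmt value per association, which is what makes it a reasonable conformance test for any implementation claiming RFC 5905 compliance: a reply that fails it is dropped before any of its timestamps influence the clock.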

On 5/13/19 3:56 PM, Dixon, Cameron wrote:
>
> Hey team. Prompted at least in part by your outreach, I was told that
> NIST is re-adjudicating the score.
>
>  
>
> Hopefully you’ll see more information soon; I’ll share anything I hear.
>
>  
>
> Cameron Dixon | cameron.dixon at hq.dhs.gov
> <mailto:cameron.dixon at hq.dhs.gov>  
>
> Cyber and Infrastructure Security Agency | https://cisa.gov  
>
> +1 (202) 631-0602
>
>  
>
> *From: *"Dixon, Cameron" <cameron.dixon at hq.dhs.gov>
> *Date: *Wednesday, May 1, 2019 at 9:11 AM
> *To: *Matt Ploessel <matt.ploessel at gmail.com>, "stevos at nwtime.org"
> <stevos at nwtime.org>
> *Cc: *Harlan Stenn <stenn at nwtime.org>, "Jasner, Justin"
> <justin.jasner at hq.dhs.gov>, "security at ntp.org" <security at ntp.org>,
> "stanleyjbarr at gmail.com" <stanleyjbarr at gmail.com>, "Millar, Thomas"
> <Thomas.Millar at hq.dhs.gov>
> *Subject: *Re: [ntp:security] Fwd: Questions about CVE-2019-11331
>
>  
>
> Hey all, just wanted to say I’ve seen your email. I reached out
> yesterday to check if there’s any other information that can be
> provided, and will share back when I can.
>
>  
>
> Cameron Dixon | cameron.dixon at hq.dhs.gov
> <mailto:cameron.dixon at hq.dhs.gov>  
>
> Cyber and Infrastructure Security Agency | https://cisa.gov  
>
> +1 (202) 631-0602
>
>  
>
> *From: *Matt Ploessel <matt.ploessel at gmail.com>
> *Date: *Tuesday, April 30, 2019 at 9:12 AM
> *To: *"stevos at nwtime.org" <stevos at nwtime.org>
> *Cc: *Harlan Stenn <stenn at nwtime.org>, "Dixon, Cameron"
> <cameron.dixon at hq.dhs.gov>, "Jasner, Justin"
> <justin.jasner at hq.dhs.gov>, "security at ntp.org" <security at ntp.org>,
> "stanleyjbarr at gmail.com" <stanleyjbarr at gmail.com>, "Millar, Thomas"
> <Thomas.Millar at hq.dhs.gov>
> *Subject: *Re: [ntp:security] Fwd: Questions about CVE-2019-11331
>
>  
>
> NTPD Sec Team,
>
>  
>
> I’m CC’ing here Cameron, Justin and Tom from US-CERT (CISA), and
> Stan from MITRE.
>
>  
>
> Tom/Cameron/Stan et al;
>
> Anything you could tell us (Network Time Foundation / NTPD) about
> CVE-2019-11331? It’s rated 9.8, but we (the vendor and code
> maintainers) don’t know anything about it and honestly could use some
> assistance/clarification.
>
>  
>
> Matt Ploessel
>
> Board Member
>
> Network Time Foundation
>
>  
>
>  
>
> On Tue, Apr 30, 2019 at 9:00 AM Matt Ploessel <matt.ploessel at gmail.com
> <mailto:matt.ploessel at gmail.com>> wrote:
>
>     I’ll be in Pittsburgh the next few days for meetings; I can try
>     and swing by CERT/CC @ Carnegie Mellon. I’ve also reached out to
>     Stan (MITRE contact) for clarification and details on the CVE.
>
>      
>
>      
>
>     On Mon, Apr 29, 2019 at 5:09 PM <stevos at nwtime.org
>     <mailto:stevos at nwtime.org>> wrote:
>
>         This could come in handy for this new issue:
>         https://nvd.nist.gov/general/faq#eeabbb01-eb9f-488d-ac31-40a8b92c1473
>
>         a couple of items from that page:
>
>         What happens after a vulnerability is identified?
>         CVE identifiers are assigned by CVE and other CVE Numbering
>         Authorities (CNAs). The NVD receives data feeds from the CVE
>         website and in turn performs analysis to determine impact
>         metrics (CVSS), vulnerability types (CWE), and applicability
>         statements (CPE), as well as other pertinent metadata. The NVD
>         does not actively perform vulnerability testing, relying on
>         vendors and third party security researchers to provide
>         information that is then used to assign these attributes. We then
>         perform additional research to confirm that CPEs comply with
>         CPE specifications and include them in the official CPE
>         dictionary. As additional information becomes available CVSS
>         scores and configurations are subject to change.
>
>         ***A vulnerability has been identified, and possibly a CVE has
>         been assigned, why is it not in your database?
>         Although a CVE ID may have been assigned by either CVE or a
>         CNA, it will not be available in the NVD if it has a status of
>         RESERVED by CVE. Please check the CVE dictionary first, and if
>         you have further questions about a specific CVE and when it
>         will be available, please contact cve at mitre.org
>         <mailto:cve at mitre.org> directly.
>
>         ***I have found an error within an NVD Vulnerability Summary,
>         what should I do?
>         Go to https://cveform.mitre.org/ to request updates to the
>         vulnerability descriptions, with an explanation of the error
>         and any relevant details (e.g. sources of information that
>         demonstrate the error). If it is determined that a CVE
>         vulnerability summary should be revised, they will update
>         their data feed, which will generally be updated in the NVD
>         within 24 hours of an update to the CVE data feed. When you
>         hear that the vulnerability description will be updated please
>         email the NVD to ensure any required changes occur.
>
>         One of the links provided with the CVE points to an incorrect
>         hyperlink, what should I do?
>         If you discover that a hyperlink does not reference the
>         correct CVE please email cve at mitre.org <mailto:cve at mitre.org>
>         with the incorrect link and any other applicable information.
>
>         ***I am a software vendor and want to dispute that a
>         vulnerability exists. What should I do?
>         The NVD is based upon the CVE standard vulnerability
>         dictionary. To dispute a vulnerability, contact the CVE
>         Editorial Board (and carbon copy the NVD). Any action taken
>         will be published in the CVE dictionary data feeds, and
>         reflected on the NVD Vulnerability summary page within 24 hours.
>
>
>         ***I would like to dispute the score of a vulnerability. What
>         should I do?
>         If you believe a score should be changed based on publicly
>         available information that may not have been available at the
>         time of the scoring please email including the CVE ID and a
>         description of the issue with supporting public information
>         and the NVD analysts will review the score and respond
>         appropriately.
>
>
>         The vulnerability has been remediated; can you remove the CVE
>         from the NVD?
>         The NVD does not remove vulnerabilities from the database. If
>         you wish to dispute a CVE, please contact the CVE Editorial
>         Board who controls the assignment, description, and
>         deprecation of CVEs. If it is determined that a CVE should not
>         have been assigned, they will update their data feed, which
>         will then be updated in the NVD feeds within 24 hours.
>
>         ***** Does NTF do this now? *****
>         *****What is the NVD Vendor Official Statement Service?
>         If you would like to provide an official vendor comment, which
>         can include information regarding links to patches or product
>         updates, please submit the specific text or information from a
>         valid vendor email address and we will post it for the
>         associated CVE.
>
>
>         How do I report a vulnerability to the NVD?
>         The NIST National Vulnerability Database does not accept
>         vulnerability reports directly. If you would like to report a
>         vulnerability, please contact CERT/CC.
>
>
>         -----Original Message-----
>         From: security
>         <security-bounces+stevos=nwtime.org at lists.ntp.org
>         <mailto:nwtime.org at lists.ntp.org>> On Behalf Of
>         stevos at nwtime.org <mailto:stevos at nwtime.org>
>         Sent: Monday, April 29, 2019 11:32 AM
>         To: 'Harlan Stenn' <stenn at nwtime.org
>         <mailto:stenn at nwtime.org>>; 'Matt Ploessel'
>         <matt.ploessel at gmail.com <mailto:matt.ploessel at gmail.com>>;
>         security at ntp.org <mailto:security at ntp.org>
>         Subject: Re: [ntp:security] Fwd: Questions about CVE-2019-11331
>         Importance: High
>
>         Harlan and Matt,
>
>         Should we reach out to Art Manion? 
>
>         On another note, do we have the CVE#s listed in Bugzilla with
>         the associated bugs that do get reported?  Seems like more
>         folks use the CVE# to call out bugs than they do the numbers
>         we assign to them in Bugzilla.
>
>
>         Steve
>
>         -----Original Message-----
>         From: security
>         <security-bounces+stevos=nwtime.org at lists.ntp.org
>         <mailto:nwtime.org at lists.ntp.org>> On Behalf Of Harlan Stenn
>         Sent: Monday, April 29, 2019 3:53 AM
>         To: Matt Ploessel <matt.ploessel at gmail.com
>         <mailto:matt.ploessel at gmail.com>>; security at ntp.org
>         <mailto:security at ntp.org>
>         Subject: [ntp:security] Fwd: Questions about CVE-2019-11331
>
>         Matt,
>
>         It looks like somebody opened up this CVE and never notified us.
>
>         It also looks like this report is bogus, but I just heard
>         about it in the last few minutes and I'd like to check it out
>         before I say more.
>
>         I've already heard from one big customer asking about it, as
>         they gave it a CVSS3 score of 9.8, which seems insane and
>         irresponsible.
>
>         Not the sort of thing I want to see at 0345 when I'm about to
>         fall asleep.
>
>         H
>
>         PS - I'm not sending this encrypted because our PGP key has
>         expired and Brad hasn't had time to refresh that yet.  I've
>         asked him if he can get that done sometime "today".
>
>         -------- Forwarded Message --------
>         Return-Path: <stenn at nwtime.org <mailto:stenn at nwtime.org>>
>         X-Original-To: stenn at nwtime.org <mailto:stenn at nwtime.org>
>         Delivered-To: stenn at nwtime.org <mailto:stenn at nwtime.org>
>         Received: from [10.208.75.157]
>         (75-139-194-196.dhcp.knwc.wa.charter.com
>         <http://75-139-194-196.dhcp.knwc.wa.charter.com>
>         [75.139.194.196]) (using TLSv1 with cipher AES256-SHA (256/256
>         bits)) (No client certificate requested) by
>         chessie.everett.org <http://chessie.everett.org> (Postfix)
>         with ESMTPSA id 44t1VS3XtgzL7N; Mon, 29 Apr 2019 10:44:00
>         +0000 (UTC)
>         Subject: Re: Questions about CVE-2019-11331
>         From: Harlan Stenn <stenn at nwtime.org <mailto:stenn at nwtime.org>>
>         To: Marius Rohde <marius.rohde at meinberg.de
>         <mailto:marius.rohde at meinberg.de>>
>         Cc: Steve Sullivan <stevos at nwtime.org <mailto:stevos at nwtime.org>>
>         References: <1747911970-17953 at srv-kerioconnect.py.meinberg.de
>         <mailto:1747911970-17953 at srv-kerioconnect.py.meinberg.de>>
>         <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org
>         <mailto:2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>>
>         Openpgp: preference=signencrypt
>         Autocrypt: addr=stenn at nwtime.org <mailto:stenn at nwtime.org>;
>         prefer-encrypt=mutual; keydata=
>         Message-ID: <f7f8449c-5440-334f-0e0c-e97628354e44 at nwtime.org
>         <mailto:f7f8449c-5440-334f-0e0c-e97628354e44 at nwtime.org>>
>         Date: Mon, 29 Apr 2019 03:43:58 -0700
>         User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0)
>         Gecko/20100101
>         Thunderbird/60.6.1
>         MIME-Version: 1.0
>         In-Reply-To: <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org
>         <mailto:2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>>
>         Content-Type: text/plain; charset=utf-8
>         Content-Language: en-US
>         Content-Transfer-Encoding: 8bit
>
>         Hi Marius,
>
>         Nobody told us about this one.
>
>         I'm not certain yet, but this seems completely bogus to me.
>
>         I'll loop in some wizards and see what I can find.
>
>         H
>
>         On 4/29/2019 3:35 AM, Harlan Stenn wrote:
>         > Hi Marius,
>         >
>         > On 4/29/2019 1:37 AM, Marius Rohde wrote:
>         >> Hi Harlan,
>         >>
>         >> we have seen that the problem with the standard port usage
>         >> is rated critical in the CVE database.
>         >> Do you have more background information? Does a known exploit
>         >> exist that is able to do an NTP off-path attack?
>         >
>         > Which bug corresponds to this CVE report?  I'm not seeing it
>         > in any of our content.
>         >
>         > H
>         > --
>         >> Thank you in advance.
>         >>
>         >> With kind regards *Marius Rohde*
>         >>
>         >> *MEINBERG Funkuhren GmbH & Co. KG*
>         >> Lange Wand 9
>         >> D-31812 Bad Pyrmont, Germany
>         >> Phone: +49 (0)5281 9309-485
>         >> Fax: +49 (0)5281 9309-230
>         >> Amtsgericht Hannover 17HRA 100322
>         >> Managing Directors: Günter Meinberg, Werner Meinberg, Andre Hartmann,
>         >> Heiko Gerstung
>         >> Email: marius.rohde at meinberg.de
>         >> Internet: www.meinberg.de / www.meinbergglobal.com / www.meinberg.academy
>         >>
>         >> ------------------------------------------------------------------------
>         >> *MEINBERG - Solutions for Time and Frequency Synchronization*
>         >>
>         >
>
>         --
>         Harlan Stenn, Network Time Foundation
>         http://nwtime.org - be a Member!
>         _______________________________________________
>         security mailing list
>         security at lists.ntp.org <mailto:security at lists.ntp.org>
>         http://lists.ntp.org/listinfo/security
>
>