1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.FREEBSD.ANN

  • [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:09.ntp

    From FreeBSD Security Advisories@21:1/5 to All on Thu Mar 19 18:00:04 2020
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    ============================================================================= FreeBSD-SA-20:09.ntp Security Advisory
    The FreeBSD Project

    Topic: Multiple denial of service in ntpd

    Category: contrib
    Module: ntp
    Announced: 2020-03-19
    Credits: Philippe Antoine and Miroslav Lichvar
    Affects: All supported versions of FreeBSD.
    Corrected: 2020-03-04 23:54:13 UTC (stable/12, 12.1-STABLE)
    2020-03-19 16:52:41 UTC (releng/12.1, 12.1-RELEASE-p3)
    2020-03-05 00:18:09 UTC (stable/11, 11.3-STABLE)
    2020-03-19 16:52:41 UTC (releng/11.3, 11.3-RELEASE-p7)

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

    I. Background

    The ntpd(8) daemon is an implementation of the Network Time Protocol
    (NTP) used to synchronize the time of a computer system to a reference
    time source.

    II. Problem Description

    Three NTP vulnerabilities are addressed by this security advisory.

    NTP Bug 3610: Process_control() should exit earlier on short packets.
    On systems that override the default and enable ntpdc (mode 7), fuzz testing detected a short packet will cause ntpd to read uninitialized data.

    NTP Bug 3596: Due to highly predictable transmit timestamps, an unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim ntpd configured to receive time from an unauthenticated time source is vulnerable to an off-path attacker with permission to query the victim. The attacker must send from a spoofed IPv4 address of an upstream NTP server and the victim must process a large number of packets with that spoofed IPv4 address. After eight or more successful attacks in a row, the attacker can either modify the victim's clock by a small amount or cause ntpd to
    terminate. The attack is especially effective when unusually short poll intervals have been configured.

    NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such
    that an ntpd can be prevented from initiating a time volley to its peer resulting in a DoS.

    III. Impact

    All three NTP bugs may result in DoS or terimation of the ntp daemon.

    IV. Workaround

    Systems not using ntpd(8) are not vulnerable.

    Systems running ntpd should make the following changes:
    - - Disable mode 7
    - - Use many trustworthy sources of time
    - - Use NTP packet authentication
    - - Monitor ntpd for error messages indicating attack
    - - If only unauthenticated time over IPv4 is available, use the restrict
    configuration directive

    V. Solution

    Upgrade your vulnerable system to a supported FreeBSD stable or
    release / security branch (releng) dated after the correction date.

    Perform one of the following:

    1) To update your vulnerable system via a binary patch:

    Systems running a RELEASE version of FreeBSD on the i386 or amd64
    platforms can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install

    2) To update your vulnerable system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    [FreeBSD 12.1-STABLE]
    # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch
    # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch.asc
    # gpg --verify ntp.12.patch.asc

    [FreeBSD 12.1-RELEASE]
    # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch
    # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch.asc
    # gpg --verify ntp.12.1.patch.asc

    [FreeBSD 11.3-STABLE]
    # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch
    # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch.asc
    # gpg --verify ntp.11.patch.asc

    [FreeBSD 11.3-RELEASE]
    # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch
    # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch.asc
    # gpg --verify ntp.11.3.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

    Restart the applicable daemons, or reboot the system.

    VI. Correction details

    The following list contains the correction revision numbers for each
    affected branch.

    Branch/path Revision
    - ------------------------------------------------------------------------- stable/12/ r358659 releng/12.1/ r359144 stable/11/ r358660 releng/11.3/ r359144
    - -------------------------------------------------------------------------

    To see which files were modified by a particular revision, run the
    following command, replacing NNNNNN with the revision number, on a
    machine with Subversion installed:

    # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

    Or visit the following URL, replacing NNNNNN with the revision number:

    <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

    VII. References

    <URL:http://support.ntp.org/bin/view/Main/SecurityNotice#March_2020_ntp_4_2_8p14_NTP_Rele>

    The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:09.ntp.asc> -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cIoaA//V8fG/ugFkS6ASluls3rsww0gxoVH65HM7SDiPC814cl8ck2DUSMO7lzA jPAmsLPdrhGrJ7lTndUxuZ5hf0YeI/CgccTWYoPgiZjfXoeHS2ydQVVpM9j2ByNo KgwqEnRxLaIRBg3+zf7sT/IenC+ivHbPDxrmW4y7ehUQO/fZ3AcXjcAw6PPCzGlp pN8Jml04uUuD/Nb92IzWGKvLPsL27slWAHG6nPPw0onzqaZqNhFf1UUDK9qvZRNB 2pHO+aJPfRq2kUk2DvfcB4kTGB1jbHJBBRNA1ns2xrtdKKIBnwSBatN/SBznhPuF nxGN/Y0k8EYJdVOHaoyqSlG31jatAd/TaA9+1JauxB7/29c65JHyAfddtZKY64vl DVnfDus+fcxg9D5FI7/O9qUeMZ/S1Ix683BzUPYhCDksC+VP28mqCHMBYRdKrc1m ysnnER8Tli+Zbenn88202+lJAaAI3gKygdzKRQg5FgXWqWi84G1WPs+c8dihpovV ZG5AqS1gJuwlP72x/g8by7BT140PZIEYaR5Qm7uIlfNTQxNBDmDkCF54wrhAFQWY XZrOLiOsVJdn6mX9WfPh7kxd59nAjGuy5fKwWF22g5vQsGCGoBHsqZTKPiA+WxVu Ngqq+8zUMkcTXP7NE3aT+4HDTXi/WRwiEKTGd8zGm5J8bEHXi9I=
    =Q4Yq
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-announce@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-announce
    To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)