oss-sec mailing list archives
Several low impact ntp.org ntpd issues
From: Florian Weimer <fweimer () redhat com>
Date: Tue, 25 Aug 2015 11:24:01 +0200
Miroslav Lichvár found several low-impact security issues in our ntp branch, most of which have already been addressed upstream without noting their security impact. The first three issues require authentication. Considering the low impact and the availability of upstream fixes for most of the issues, we'd like to make the issues public as soon as possible, unless there are any objections. (Impact may be higher if ntpd runs with root privileges.) * CVE-2015-5194 https://bugzilla.redhat.com/show_bug.cgi?id=1254542 It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands, for example: ntpq -c ":config logconfig a" Upstream fix: <http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=4c4fc141LwvcoGp-lLGhkAFp3ZvtrA> <https://github.com/ntp-project/ntp/commit/553f2fa65865c31c5e3c48812cfd46176cffdd27> * CVE-2015-5195 https://bugzilla.redhat.com/show_bug.cgi?id=1254544 It was found that ntpd exits with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) is referenced by the statistics or filegen configuration command, for example: ntpq -c ':config statistics timingstats' ntpq -c ':config filegen timingstats' Upstream fix: <http://bk.ntp.org/ntp-dev/?PAGE=patch&REV=4d253ed0A400LyhRQIV0u23NJwuGAA> <https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be> * CVE-2015-5196 https://bugzilla.redhat.com/show_bug.cgi?id=1254547 It was found that the :config command can be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). For example: ntpq -c ':config pidfile /tmp/ntp.pid' ntpq -c ':config driftfile /tmp/ntp.drift' No upstream fix, but Miroslav wrote the attached patch. * CVE-2015-5219 https://bugzilla.redhat.com/show_bug.cgi?id=1255118 It was discovered that sntp would hang in an infinite loop when a crafted NTP packet was received, related to the conversion of the precision value in the packet to double. Upstream fix: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=51786731Gr4-NOrTBC_a_uXO4wuGhg https://github.com/ntp-project/ntp/commit/5f295cd05c3c136d39f5b3e500a2d781bdbb59c8 (Reported to the distros list and upstream last week, no request for an embargo, hence public disclosure.) -- Florian Weimer / Red Hat Product Security
Attachment:
ntp-remotewrite.patch
Description:
Current thread:
- Several low impact ntp.org ntpd issues Florian Weimer (Aug 25)
- Re: Several low impact ntp.org ntpd issues Mark Felder (Aug 25)
- Re: Several low impact ntp.org ntpd issues Noel Kuntze (Aug 25)
- Re: Several low impact ntp.org ntpd issues Mark Felder (Aug 25)