Bugzilla – Bug 910764
VUL-0: CVE-2014-9295: ntp: VU#852879: remote buffer overflow and weak cryptography
Last modified: 2022-01-23 14:37:51 UTC
CRD: 2014.12.18 From CERT Greetings, This is to inform you of the imminent release of NTP Stable 4.2.8, an update addressing critical vulnerabilities in ntpd (Network Time Protocol). The vulnerabilities are planned to be made public when NTP 4.2.8 is released on late Thursday 2014-12-18, or soon thereafter. This is a significant update, please make preparations to update as soon as possible. After the update is made public, we will publish a Vulnerability Note at the following URL: <http://www.kb.cert.org/vuls/id/852879> Please keep information about the vulnerability confidential until the public release.
http://support.ntp.org/bin/view/Main/SecurityNotice

Buffer overflow in crypto_recv()
References: Sec 2667 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: When Autokey Authentication is enabled (i.e. the ntp.conf file contains a crypto pw ... directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
Mitigation:
    Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
    Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.

Buffer overflow in ctl_putdata()
References: Sec 2668 / CVE-2014-9295 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.

Buffer overflow in configure()
References: Sec 2669 / CVE-2014-9295 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.

receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: Code in ntp_proto.c:receive() is missing a return; in the code path where an error was detected, which meant processing did not stop when a specific rare error occurred. We haven't found a way for this bug to affect system integrity. If there is no way to affect system integrity the base CVSS score for this bug is 0. If there is one avenue through which system integrity can be partially affected, the base score becomes a 5. If system integrity can be partially affected via all three integrity metrics, the CVSS base score becomes 7.5.
Mitigation:
    Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
    or Remove or comment out all configuration directives beginning with the crypto keyword in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.
An update workflow for this issue was started. This issue was rated as critical. Please submit fixed packages until 2014-12-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60086
We need updates for the following SLE channels: SUSE:SLE-10-SP3:Update:Teradata (xntp) SUSE:SLE-10-SP4:Update (xntp) SUSE:SLE-11-SP1:Update (this is the base for SLE-11-SP2 and SLE-11-SP3) SUSE:SLE-12:Update And for all 3 openSUSE projects: openSUSE:12.3 openSUSE:13.1 openSUSE:13.2
This is an autogenerated message for OBS integration: This bug (910764) was mentioned in https://build.opensuse.org/request/show/265958 13.2+13.1+12.3 / ntp https://build.opensuse.org/request/show/265959 Factory / ntp
openSUSE-SU-2014:1670-1: An update that fixes two vulnerabilities is now available. Category: security (critical) Bug References: 910764 CVE References: CVE-2014-9295,CVE-2014-9296 Sources used: openSUSE 13.2 (src): ntp-4.2.6p5-25.5.1 openSUSE 13.1 (src): ntp-4.2.6p5-15.13.1 openSUSE 12.3 (src): ntp-4.2.6p5-9.14.1
openSUSE-SU-2014:1680-1: An update that fixes two vulnerabilities is now available. Category: security (critical) Bug References: 910764 CVE References: CVE-2014-9295,CVE-2014-9296 Sources used: openSUSE Evergreen 11.4 (src): ntp-4.2.6p3-6.28.1
An update workflow for this issue was started. This issue was rated as critical. Please submit fixed packages until 2014-12-24. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60103
SUSE-SU-2014:1686-1: An update that fixes one vulnerability is now available. Category: security (critical) Bug References: 910764 CVE References: CVE-2014-9295 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): ntp-4.2.4p8-1.28.1 SUSE Linux Enterprise Server 11 SP3 (src): ntp-4.2.4p8-1.28.1 SUSE Linux Enterprise Server 11 SP2 LTSS (src): ntp-4.2.4p8-1.28.1 SUSE Linux Enterprise Desktop 11 SP3 (src): ntp-4.2.4p8-1.28.1
SUSE-SU-2014:1690-1: An update that fixes two vulnerabilities is now available. Category: security (critical) Bug References: 910764 CVE References: CVE-2014-9295,CVE-2014-9296 Sources used: SUSE Linux Enterprise Server 12 (src): ntp-4.2.6p5-31.1 SUSE Linux Enterprise Desktop 12 (src): ntp-4.2.6p5-31.1
SUSE-SU-2014:1686-2: An update that fixes one vulnerability is now available. Category: security (critical) Bug References: 910764 CVE References: CVE-2014-9295 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): xntp-4.2.4p3-48.25.1
Our updates so far fixed the critical buffer overflow issues. The other security problems are less severe and will be fixed in an update in the new year.
SUSE-SU-2014:1686-3: An update that fixes one vulnerability is now available. Category: security (critical) Bug References: 910764 CVE References: CVE-2014-9295 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): ntp-4.2.4p8-1.28.1
http://googleprojectzero.blogspot.de/2015/01/finding-and-exploiting-ntpd.html
L3:42168 is closed. Ya Dan Fan
*** Bug 912826 has been marked as a duplicate of this bug. ***
L3:42169 is closed. Ya Dan Fan
CVE-2014-9296 - the code is different in SLES 11 and older and contains correct error exits. So only SLES 12 was affected by CVE-2014-9296 and needed fixes. I posted a note to support.novell.com/security/cve/CVE-2014-9296.html
I finally got around to backporting the fix for CVE-2014-9294 to SLE-11-SP1, but I have difficulties with the others, e.g. ntp-CVE-2014-9293.patch adds a call to MD5auth_setkey(), which doesn't seem to exist on SLE-11.
Do we have some impact analysis information for CVE-2014-9293 and CVE-2014-9294? Huawei keeps asking for it, as these two patches are still not released.
Another ntp is already in QA that contains fixes.
(In reply to Marcus Meissner from comment #73) > Another ntp is already in QA that contains fixes. When will ntp be released? Huawei keeps asking me for these patches.
(In reply to Jason Dian from comment #74) SLE 11 SP3 will be ready today, SLE 12 today or tomorrow.
(In reply to Johannes Segitz from comment #75) > Max, Please use either Reinhard or Mr. Max. ;) > is there a reason why CVE-2014-9293 and CVE-2014-9294 aren't fixed in > the xntp submit? ntp-4.2.4p3 in SLE-10-SP4 is not vulnerable, because it doesn't have the random key generation feature. And I guess it was an oversight that SLE-10-SP3-teradata contains the newer version 4.2.4p8, which is vulnerable. Will resubmit.
(In reply to Reinhard Max from comment #78) Thanks and sorry for the name confusion, Mr. Max ;)
(In reply to Reinhard Max from comment #78) > (In reply to Johannes Segitz from comment #75) > > Max, > > Please use either Reinhard or Mr. Max. ;) > > > is there a reason why CVE-2014-9293 and CVE-2014-9294 aren't fixed in > > the xntp submit? > > ntp-4.2.4p3 in SLE-10-SP4 is not vulnerable, because it doesn't have the > random key generation feature. > > And I guess it was an oversight that SLE-10-SP3-teradata contains the newer > version 4.2.4p8, which is vulnerable. Will resubmit. is sles10 not affected by cve-2014-9293 and cve-2014-9294 ?
SUSE-SU-2015:0259-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 910764,911792 CVE References: CVE-2014-9293,CVE-2014-9294,CVE-2014-9297,CVE-2014-9298 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): ntp-4.2.4p8-1.29.32.1 SUSE Linux Enterprise Server 11 SP3 (src): ntp-4.2.4p8-1.29.32.1 SUSE Linux Enterprise Desktop 11 SP3 (src): ntp-4.2.4p8-1.29.32.1
(In reply to Rui Hui Dian from comment #80) > (In reply to Reinhard Max from comment #78) > > (In reply to Johannes Segitz from comment #75) > > > Max, > > > > Please use either Reinhard or Mr. Max. ;) > > > > > is there a reason why CVE-2014-9293 and CVE-2014-9294 aren't fixed in > > > the xntp submit? > > > > ntp-4.2.4p3 in SLE-10-SP4 is not vulnerable, because it doesn't have the > > random key generation feature. > > > > And I guess it was an oversight that SLE-10-SP3-teradata contains the newer > > version 4.2.4p8, which is vulnerable. Will resubmit. > > is sles10 not affected by cve-2014-9293 and cve-2014-9294 ? As I wrote above: SLE-10-SP4 is not affected, SLE-10-SP3-teradata is.
(In reply to Reinhard Max from comment #78) Thanks for the submit, but then I need a separate one for SLE 10 SP4 with only the two other CVEs fixed. Thanks.
(In reply to Reinhard Max from comment #82) > (In reply to Rui Hui Dian from comment #80) > > (In reply to Reinhard Max from comment #78) > > > (In reply to Johannes Segitz from comment #75) > > > > Max, > > > > > > Please use either Reinhard or Mr. Max. ;) > > > > > > > is there a reason why CVE-2014-9293 and CVE-2014-9294 aren't fixed in > > > > the xntp submit? > > > > > > ntp-4.2.4p3 in SLE-10-SP4 is not vulnerable, because it doesn't have the > > > random key generation feature. > > > > > > And I guess it was an oversight that SLE-10-SP3-teradata contains the newer > > > version 4.2.4p8, which is vulnerable. Will resubmit. > > > > is sles10 not affected by cve-2014-9293 and cve-2014-9294 ? > > As I wrote above: SLE-10-SP4 is not affected, SLE-10-SP3-teradata is. Thanks, and I also want to know if sles10-sp3, sles10-sp2, and sles10-sp1 are affected by CVE-2014-9293 and CVE-2014-9294.
(In reply to Johannes Segitz from comment #83) > Thanks for the submit, but then I need a separate one for SLE 10 SP4 with > only the two other CVEs fixed. Thanks. OK, but I can't do that before tomorrow, because I am on vacation today. (In reply to Jason Dian from comment #84) > thanks, and I also want to know if sles10-sp3, sles10-sp2, and sles10-sp1 > are affected by CVE-2014-9293, and CVE-2014-9294 I haven't checked, because to my knowledge they are out of maintenance. But you can check it yourself: if the (x)ntp version is smaller than or equal to SP4's, they are not affected; if it is equal to or higher than SP3-teradata's, they are affected. If it is in between, the code needs to be inspected.
(In reply to Reinhard Max from comment #85) That isn't a problem, QA is busy anyway. Have a nice FTO.
SUSE-SU-2015:0274-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 910764,911792 CVE References: CVE-2014-9293,CVE-2014-9294,CVE-2014-9297,CVE-2014-9298 Sources used: SUSE Linux Enterprise Server 12 (src): ntp-4.2.6p5-37.2 SUSE Linux Enterprise Desktop 12 (src): ntp-4.2.6p5-37.2
SUSE-SU-2015:0259-2: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 910764,911792 CVE References: CVE-2014-9293,CVE-2014-9294,CVE-2014-9297,CVE-2014-9298 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): ntp-4.2.4p8-1.29.32.1
https://build.suse.de/request/show/51332
SUSE-SU-2015:0259-3: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 910764,911792 CVE References: CVE-2014-9293,CVE-2014-9294,CVE-2014-9297,CVE-2014-9298 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): ntp-4.2.4p8-1.29.32.1
L3:42265 is closed. Ya Dan Fan
all done
L3 is closed. Ya Dan Fan