Bugzilla – Bug 911792
VUL-0: CVE-2014-9297, CVE-2014-9298, CVE-2014-9750, CVE-2014-9751: ntpd: insufficient patches for crypto_recv()
Last modified: 2018-12-16 07:45:00 UTC
Inside the crypto_recv() function, which recently received a patch for a buffer overflow, there are more issues to fix. My initial report to upstream:

[...]
I was reviewing your patches for the recent buffer overflow issue via RSA decrypting inside crypto_recv(). I wonder whether other switch cases handling network input have been checked for similar issues? For example the case CRYPTO_CERT | CRYPTO_RESP:

[...]
    if ((xinfo = cert_install(ep, peer)) == NULL) {
        rval = XEVNT_CRT;
        break;
    }

which in turn then calls inside cert_install():

    if ((cp = cert_parse((u_char *)ep->pkt, (long)ntohl(ep->vallen),
        (tstamp_t)ntohl(ep->fstamp))) == NULL)
        return (NULL);

right away. That looks very much like an OOB read with a len value provided by the network packet? ep->pkt is what's just been received and it looks like there's no sanitation before. So this then calls into internal openssl functions, providing hazardous len values, resulting in a crash of ntpd (OOB read will eventually SIGSEGV). Is this a single-packet DoS?

regards
Sebastian
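The report above boils down to one missing step: a length taken from the wire (ep->vallen, and the extension field's own len) is handed to a parser without first being checked against the number of bytes actually received. The walker below is an added example written for this thread, not ntpd's code; it models the loop structure of crypto_recv() (48-byte header, extension fields with a 20-byte header carrying opcode, associd, tstamp, fstamp and vallen, a trailing MAC) with assumed constants and a hypothetical EXT_LEN_ERR result code, and shows the three checks a defender wants before any field is parsed: the field header is complete, the field length lies inside the received data measured from the field's own offset, and vallen fits inside the field. The sample packets are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout constants are assumptions modelled on ntpd's autokey extension
 * fields for this illustration; they are not ntpd's own definitions. */
#define LEN_PKT_NOMAC 48   /* fixed NTP header, bytes before the first extension */
#define MAX_MAC_LEN   24   /* a trailer no longer than this is a MAC, not a field */
#define EXT_HDR_LEN   20   /* opcode, associd, tstamp, fstamp, vallen */

enum { EXT_OK = 0, EXT_LEN_ERR = -1 };   /* hypothetical result codes */

static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void store_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Walk the extension fields of a received packet. Every length taken from the
 * wire is checked against the bytes actually received, measured from the
 * current field's offset, before anything is parsed from it. Returns the
 * number of well-formed fields or EXT_LEN_ERR on the first bad one. */
int walk_extension_fields(const unsigned char *pkt, size_t recv_length)
{
    size_t offset = LEN_PKT_NOMAC;
    int nfields = 0;

    if (recv_length < LEN_PKT_NOMAC)
        return EXT_LEN_ERR;

    while (recv_length - offset > MAX_MAC_LEN) {
        const unsigned char *ep = pkt + offset;
        size_t remaining = recv_length - offset;
        uint32_t len, vallen;

        /* Header must be complete before any of its fields are read (kept
         * explicit so the code does not rely on MAX_MAC_LEN >= EXT_HDR_LEN). */
        if (remaining < EXT_HDR_LEN)
            return EXT_LEN_ERR;
        len    = load_be32(ep) & 0x0000ffff;  /* field length, attacker supplied */
        vallen = load_be32(ep + 16);          /* value length, attacker supplied */

        /* The field must hold its own header, be 4-byte aligned and lie
         * entirely inside the data received from this offset onwards. */
        if (len < EXT_HDR_LEN || len > remaining || len % 4 != 0)
            return EXT_LEN_ERR;
        /* The value must fit in the field; comparing len and vallen only
         * against each other would let both point past the buffer together. */
        if (vallen > len - EXT_HDR_LEN)
            return EXT_LEN_ERR;

        /* ep + EXT_HDR_LEN with vallen bytes is now safe to hand to a parser. */
        nfields++;
        offset += len;
    }
    return nfields;
}

/* Constructed sample packet (not captured traffic): zeroed 48-byte header
 * plus one extension field whose wire lengths and real size are chosen by
 * the caller. Returns the packet length, or 0 if it does not fit in buf. */
size_t build_sample(unsigned char *buf, size_t bufsize, uint16_t wire_len,
                    uint32_t wire_vallen, size_t field_bytes)
{
    size_t total = LEN_PKT_NOMAC + field_bytes;
    if (field_bytes < EXT_HDR_LEN || total > bufsize)
        return 0;
    memset(buf, 0, total);
    store_be32(buf + LEN_PKT_NOMAC, 0x00010000u | wire_len); /* code | len */
    store_be32(buf + LEN_PKT_NOMAC + 16, wire_vallen);
    return total;
}

/* Convenience wrapper: build one sample and run the walker on it. */
int check_sample(uint16_t wire_len, uint32_t wire_vallen, size_t field_bytes)
{
    unsigned char buf[512];
    size_t n = build_sample(buf, sizeof buf, wire_len, wire_vallen, field_bytes);
    return n ? walk_extension_fields(buf, n) : EXT_LEN_ERR;
}

/* A packet with no extension fields at all (header only, or a truncated header). */
int check_header_only(size_t recv_length)
{
    unsigned char buf[LEN_PKT_NOMAC] = {0};
    return recv_length <= sizeof buf ? walk_extension_fields(buf, recv_length) : EXT_LEN_ERR;
}

int main(void)
{
    printf("consistent field:          %d\n", check_sample(32, 12, 32));
    printf("vallen larger than field:  %d\n", check_sample(32, 4096, 32));
    printf("len past received data:    %d\n", check_sample(200, 12, 32));
    return 0;
}
```

The second and third samples are the two shapes the thread is worried about: a vallen that exceeds the field it sits in, and a field len that exceeds what was received. Both are rejected before cert_parse() or any OpenSSL routine would see them; the walker only ever dereferences bytes it has proved are inside recv_length.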
Upstream confirmed and seems to be preparing updates for even more issues.
Is there anything to do for me now or will we wait for upstream?
Upstream told me they will release a bugfix version 4.2.8p1 next week. We did not receive a patch yet. We'll update the bug as soon as there is something to fix.
CRD: 2015-01-14
Patch requested, once again.
Please submit, I want to have this checked in and in QA ASAP. Thanks.
Submitted to SUSE:SLE-11-SP1:Update:Test and SUSE:SLE-12:Update. Anything else?
(In reply to Reinhard Max from comment #26) Thanks. Not right now, but tomorrow we need openSUSE submits.
The CVEs are now assigned:

CWE-332: Insufficient Entropy in PRNG - CVE-2014-9293
If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - CVE-2014-9294
ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.

CWE-121: Stack Buffer Overflow - CVE-2014-9295
A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.

CWE-389: Error Conditions, Return Values, Status Codes - CVE-2014-9296
A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker.

The NTP Project provides more information about these issues in their security advisory. The NTP Project implementation is widely used in operating system distributions and network products. These vulnerabilities affect ntpd acting as a server or client. CERT/CC is not aware of any public exploit of these vulnerabilities at this time. The CVSS score below is based on the buffer overflow vulnerabilities (CVE-2014-9295).

CVSS score:
Base 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Temporal 5.9 (E:POC/RL:OF/RC:C)
Environmental 5.9 (CDP:ND/TD:H/CR:ND/IR:ND/AR:ND)
That's the old CVEs we were already handling in bnc#910764.
(In reply to Reinhard Max from comment #33) Sorry, screwed up the CVEs on copying from the mail. It's
1) NTP Bug 2672 - CVE-2014-9298
2) NTP Bug 2671 - CVE-2014-9297

so bug 2672 is CVE-2014-9298, not CVE-2014-9297.

Besides that the submits are already in QA so I won't be able to accept them. We must fix this on the next ntpd issue. (mid-air collision ...)
(In reply to Johannes Segitz from comment #35)
> (In reply to Reinhard Max from comment #33)
> Sorry, screwed up the CVEs on copying from the mail. It's
> 1) NTP Bug 2672 - CVE-2014-9298
> 2) NTP Bug 2671 - CVE-2014-9297
>
> so bug 2672 is CVE-2014-9298, not CVE-2014-9297.

Thanks.

> Besides that the submits are already in QA so I won't be able to accept
> them.

This is just a file rename and no code change, so I don't think it will invalidate QA. I never meant the update to be released with the XXXX in the file name. I only made the submission so that QA can already start testing while we are waiting for the actual CVE numbers.

BTW, we still haven't answered the question I brought up in comment 20 whether the IPv6 issue applies to SLE11 and SLE12. The fix is not in my submission, but I accidentally mentioned it in the changes file.

> We must fix this on the next ntpd issue.

Well, I hope there is not going to be one any time soon. ;)
IMHO something like this is missing in the upstream patch. Otherwise it only compares attacker provided length values against each other (len, vallen) which ends up to OOB access again. I will tell upstream. --- ntp_crypto.c.orig 2015-02-04 12:13:07.164124176 +0100 +++ ntp_crypto.c 2015-02-04 12:20:22.105686658 +0100 @@ -435,6 +435,7 @@ int rval = XEVNT_OK; const u_char *puch; u_int32 temp32; + u_char *end_pkt = NULL; /* * Initialize. Note that the packet has already been checked for @@ -448,6 +449,7 @@ */ authlen = LEN_PKT_NOMAC; hismode = (int)PKT_MODE((&rbufp->recv_pkt)->li_vn_mode); + end_pkt = rbufp->recv_buffer + rbufp->recv_length; while ((has_mac = rbufp->recv_length - authlen) > (int)MAX_MAC_LEN) { pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4; ep = (struct exten *)pkt; @@ -456,6 +458,9 @@ // HMS: Why pkt[1] instead of ep->associd ? associd = (associd_t)ntohl(pkt[1]); rval = XEVNT_OK; + + if (rbufp->recv_buffer + len > end_pkt) + return XEVNT_LEN; #ifdef DEBUG if (debug) printf(
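Review bot: the new bound in the third hunk, `if (rbufp->recv_buffer + len > end_pkt)`, measures len from the start of the receive buffer, but the loop walks fields at `pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4;`, so for any field after the first (authlen > 0) a len that is smaller than recv_length yet larger than the bytes remaining from that field still passes and the field is parsed past the end of the packet; compare from the field itself, e.g. `if ((const u_char *)ep + len > end_pkt)` (or `authlen + len > rbufp->recv_length`). The check also leaves ep->vallen unbounded, which is the value cert_install()/cert_parse() actually consume, so a second check that vallen fits inside the field (vallen plus the extension header not exceeding len) is still needed to close the OOB read the thread describes. Finally, `return XEVNT_LEN;` exits crypto_recv() directly, unlike the `rval = XEVNT_CRT; break;` pattern the rest of the function uses for length and certificate errors, so whatever runs after the loop is skipped on this path; `rval = XEVNT_LEN; break;` keeps the error handling uniform.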
public: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
This is an autogenerated message for OBS integration: This bug (911792) was mentioned in https://build.opensuse.org/request/show/284080 13.2+13.1 / ntp
Created attachment 622098 [details]
ntp-CVE-2014-9298.patch

This is the ntpd/ntp_io.c diff between 4.2.8 and 4.2.8p1, it seems all related to the ::1 spoofing issue.
Created attachment 622099 [details]
ntp-CVE-2014-9297.patch

For completeness, this is the 4.2.8 - 4.2.8p1 ntpd/ntp_crypto.c patch.
Created attachment 622395 [details]
Fix for bug2672 aka CVE-2014-9298

Patch to fix bug2672 aka CVE-2014-9298.
Previous patch (https://bugzilla.suse.com/attachment.cgi?id=622395) was for sle11-sp1. That should now contain all patches.
Created attachment 622398 [details]
Fix for bug2672 aka CVE-2014-9298 SLE12

Fix for bug2672 aka CVE-2014-9298 for SLE12.
Done for SLE12 and SLE11-SP1.
SUSE-SU-2015:0259-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 910764,911792
CVE References: CVE-2014-9293,CVE-2014-9294,CVE-2014-9297,CVE-2014-9298
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): ntp-4.2.4p8-1.29.32.1
SUSE Linux Enterprise Server 11 SP3 (src): ntp-4.2.4p8-1.29.32.1
SUSE Linux Enterprise Desktop 11 SP3 (src): ntp-4.2.4p8-1.29.32.1

SUSE-SU-2015:0274-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 910764,911792
CVE References: CVE-2014-9293,CVE-2014-9294,CVE-2014-9297,CVE-2014-9298
Sources used:
SUSE Linux Enterprise Server 12 (src): ntp-4.2.6p5-37.2
SUSE Linux Enterprise Desktop 12 (src): ntp-4.2.6p5-37.2
I believe we can close this L3 incident as maintenance updates are released. Any objections?
SUSE-SU-2015:0259-2: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 910764,911792
CVE References: CVE-2014-9293,CVE-2014-9294,CVE-2014-9297,CVE-2014-9298
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): ntp-4.2.4p8-1.29.32.1

SUSE-SU-2015:0259-3: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 910764,911792
CVE References: CVE-2014-9293,CVE-2014-9294,CVE-2014-9297,CVE-2014-9298
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src): ntp-4.2.4p8-1.29.32.1

SUSE-SU-2015:0322-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 911792
CVE References: CVE-2014-9293,CVE-2014-9294,CVE-2014-9297,CVE-2014-9298
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src): xntp-4.2.4p3-48.27.1
All released, done I think.
*** Bug 948963 has been marked as a duplicate of this bug. ***
We also fixed CVE-2014-9750 with this update but didn't add the CVE to the changes file. @Reinhard: Can you please amend the changes file so that we get this fixed with the next regular update?
CVE-2014-9297: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: CVE-2014-9750, CVE-2014-9751.
Reason: this ID was intended for one issue, but was associated with two issues.
Notes: All CVE users should consult CVE-2014-9750 and CVE-2014-9751 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage.

CVE-2014-9298: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: CVE-2014-9750, CVE-2014-9751.
Reason: this ID was intended for one issue, but was associated with two issues.
Notes: All CVE users should consult CVE-2014-9750 and CVE-2014-9751 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage.
released