Bugzilla – Bug 924202
VUL-0: CVE-2015-1798 CVE-2015-1799: two new ntp flaws
Last modified: 2019-08-22 14:41:13 UTC
bugbot adjusting priority
is public now. http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

ntpd accepts unauthenticated packets with symmetric key crypto.
References: Sec 2779 / CVE-2015-1798 / VU#374268
Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not including ntp-4.2.8p2 where the installation uses symmetric keys to authenticate remote associations.
CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
Date Resolved: Stable (4.2.8p2) 07 Apr 2015
Summary: When ntpd is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key. The attacker needs to know the transmit timestamp of the client to match it in the forged reply and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn't necessarily need to be relaying the packets between the client and the server. Authentication using autokey doesn't have this problem as there is a check that requires the key ID to be larger than NTP_MAXKEY, which fails for packets without a MAC.
Mitigation: Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page. Configure ntpd with enough time sources and monitor it properly.
Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

Authentication doesn't protect symmetric associations against DoS attacks.
References: Sec 2781 / CVE-2015-1799 / VU#374268
Affects: All NTP releases starting with at least xntp3.3wy up to but not including ntp-4.2.8p2 where the installation uses symmetric key authentication.
CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4. Note: the CVSS base Score for this issue could be 4.3 or lower, and it could be higher than 5.4.
Date Resolved: Stable (4.2.8p2) 07 Apr 2015
Summary: An attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with originate timestamp that doesn't match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. This is a known denial-of-service attack, described at https://www.eecis.udel.edu/~mills/onwire.html . According to the document the NTP authentication is supposed to protect symmetric associations against this attack, but that doesn't seem to be the case. The state variables are updated even when authentication fails and the peers are sending packets with originate timestamps that don't match the transmit timestamps on the receiving side. This seems to be a very old problem, dating back to at least xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905) specifications, so other NTP implementations with support for symmetric associations and authentication may be vulnerable too. An update to the NTP RFC to correct this error is in-process.
Mitigation: Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page. Note that for users of autokey, this specific style of MITM attack is simply a long-known potential problem. Configure ntpd with appropriate time sources and monitor ntpd. Alert your staff if problems are detected.
Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
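The two checks described in the advisory above, as an added example that is not part of this bug report, of ntp.org's code or of the patches attached to this bug: a Python model of ntpd's symmetric-key MAC handling. The packet layout follows RFC 5905 and the MAC is the NTPv4 MD5 form (32-bit key ID followed by MD5 over key || header). The key ring, key ID 1, the 0xBAD transmit timestamp and every other timestamp are constructed test values, and `receive()` is a simplified model of the symmetric-association receive path that only captures the ordering of "update peer state" versus "authenticate", not the full ntp_proto.c logic.

```python
"""Model of the two ntpd symmetric-key checks discussed in the advisory.

Added example, not code from ntp.org or from the patches attached to this
bug.  Packet layout follows RFC 5905; the MAC is the NTPv4 MD5 form
(32-bit key ID followed by MD5(key || header)).  The key ring, key ID 1 and
every timestamp below are constructed test values.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                      # fixed NTPv4 header
MAC_LEN = 4 + 16                         # key ID + MD5 digest
KEYS = {1: b"constructed-test-key"}      # constructed key ring: key ID -> secret


def mac_for(header, key_id):
    """Symmetric-key MAC in the MD5 form: key ID, then MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(KEYS[key_id] + header).digest()


def build_packet(xmt, org=0, key_id=None, mode=3):
    """Minimal NTPv4 packet (LI=0, VN=4); a MAC is appended only when key_id is given."""
    li_vn_mode = (4 << 3) | mode
    header = struct.pack("!BBBbIIIQQQQ",
                         li_vn_mode, 2, 6, -20,   # stratum, poll, precision
                         0, 0, 0,                 # root delay, root dispersion, refid
                         0, org, 0, xmt)          # reference, origin, receive, transmit
    return header if key_id is None else header + mac_for(header, key_id)


def mac_is_valid(packet):
    """True only if a MAC is present, names a known key and verifies."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in KEYS:
        return False
    return hmac.compare_digest(mac, mac_for(header, key_id))


# --- CVE-2015-1798: a MAC that is present is checked, a missing MAC is not ---

def accept_vulnerable(packet, auth_required):
    """Pre-4.2.8p2 behaviour (modelled): only a MAC that is present gets verified."""
    has_mac = len(packet) > NTP_HEADER_LEN
    if has_mac and not mac_is_valid(packet):
        return False
    return True                     # no MAC at all passes, even when auth_required


def accept_fixed(packet, auth_required):
    """4.2.8p2 behaviour (modelled): a required MAC must both exist and verify."""
    if auth_required:
        return mac_is_valid(packet)
    return len(packet) == NTP_HEADER_LEN or mac_is_valid(packet)


# --- CVE-2015-1799: peer state written before the packet authenticates -------

class Peer:
    """The per-association state that matters here (RFC 5905 names)."""
    def __init__(self, key_id):
        self.key_id = key_id
        self.org = 0    # transmit timestamp of the last packet taken from the peer
        self.xmt = 0    # transmit timestamp of the last packet we sent


def send(peer, now):
    """Symmetric-active poll: echo what we believe the peer last sent, keyed with our key."""
    peer.xmt = now
    return build_packet(xmt=now, org=peer.org, key_id=peer.key_id, mode=1)


def receive(peer, packet, update_state_before_auth):
    """Receive path of a symmetric association (simplified model).

    update_state_before_auth=True reproduces the CVE-2015-1799 ordering: the
    origin state is overwritten from any packet, including one that then fails
    authentication.  False leaves state untouched until the packet verifies.
    """
    org, _rec, xmt = struct.unpack("!QQQ", packet[24:48])
    if update_state_before_auth:
        peer.org = xmt
    if not mac_is_valid(packet):
        return "drop:auth"
    if org != peer.xmt:             # "bogus" test: origin must echo our last transmit
        return "drop:bogus"
    peer.org = xmt
    return "ok"


def simulate_dos(vulnerable):
    """Attacker spoofs one unauthenticated packet to A; does B then drop A's real poll?"""
    a, b = Peer(1), Peer(1)
    receive(a, send(b, 500), vulnerable)                 # genuine keyed poll B -> A
    spoof = build_packet(xmt=0xBAD, org=a.xmt, mode=1)   # "from B", no key, no MAC
    receive(a, spoof, vulnerable)                        # dropped, but may poison a.org
    return receive(b, send(a, 600), vulnerable)          # A's real keyed poll to B


if __name__ == "__main__":
    no_mac = build_packet(xmt=1)
    print("no-MAC packet, key required: vulnerable=%s fixed=%s"
          % (accept_vulnerable(no_mac, True), accept_fixed(no_mac, True)))
    print("peer DoS: vulnerable=%s fixed=%s" % (simulate_dos(True), simulate_dos(False)))
```

The first pair of functions shows why CVE-2015-1798 needs no key material: the attacker only has to omit the MAC and match the client's transmit timestamp. The simulation shows why CVE-2015-1799 is a denial of service rather than a spoof: the forged packet is still dropped, but in the vulnerable ordering it has already overwritten A's origin state, so A's next genuine poll fails B's bogus check.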
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-04-14. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61425
Created attachment 630182 [details] ntp-rejectnoauth.patch ntp-rejectnoauth.patch from http://bugs.ntp.org/show_bug.cgi?id=2779 to fix CVE-2015-1798
Created attachment 630183 [details] ntp-avoid-dos.patch fix attached to http://bugs.ntp.org/show_bug.cgi?id=2781 for CVE-2015-1799
CVE-2015-1798 does not affect SLE11 SP3 and older, as it did the check differently.
Please add bug 928321
openSUSE-SU-2015:0775-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 924202 CVE References: CVE-2015-1798,CVE-2015-1799 Sources used: openSUSE 13.2 (src): ntp-4.2.6p5-25.12.1 openSUSE 13.1 (src): ntp-4.2.6p5-15.16.1
SUSE-SU-2015:0865-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 918342,924202,928321 CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-3405 Sources used: SUSE Linux Enterprise Server 12 (src): ntp-4.2.6p5-44.1 SUSE Linux Enterprise Desktop 12 (src): ntp-4.2.6p5-44.1
Are the patches planned to be released for SLES11SP3 as well? Thank you
Reinhard, any progress with bsc#916584 so we can make sp3 updates for this one?
I would like to ask you whether you have had a chance to make any progress in order to release SP3 patches? Thank you
(In reply to Branislav Havel from comment #28)
> I would like to ask you whether you have had a chance to make any progress
> in order to release SP3 patches?

We have not made progress, this is pending the engineering resolution to another issue. I have poked everyone involved to get to a go/no-go decision.
The issue blocking the update for bug 924202 and bug 928321 has been removed. An update will be issued for SUSE Linux Enterprise 11. Information about affected products updated on https://www.suse.com/security/cve/CVE-2015-1799.html https://www.suse.com/security/cve/CVE-2015-3405.html
SUSE-SU-2015:1173-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 924202,928321,935409 CVE References: CVE-2015-1799,CVE-2015-3405 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): ntp-4.2.4p8-1.29.36.1 SUSE Linux Enterprise Server 11 SP3 (src): ntp-4.2.4p8-1.29.36.1 SUSE Linux Enterprise Desktop 11 SP3 (src): ntp-4.2.4p8-1.29.36.1
I think we're done with this.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-10-30. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62313
*** Bug 957163 has been marked as a duplicate of this bug. ***
An update workflow for this issue was started. This issue was rated as "important". Please submit fixed packages until "Jan. 14, 2016". When done, reassign the bug to "security-team@suse.de". /update/121227/.
Now also submitted for SLE10.
sle10 still open, but close anyway
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-06-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62822
SUSE-SU-2016:1912-1: An update that solves 43 vulnerabilities and has 9 fixes is now available. Category: security (important) Bug References: 782060,784760,905885,910063,916617,920183,920238,920893,920895,920905,924202,926510,936327,943218,943221,944300,951351,951559,951629,952611,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977450,977451,977452,977455,977457,977458,977459,977461,977464,979302,981422,982056,982064,982065,982066,982067,982068,988417,988558,988565 CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-5194,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): ntp-4.2.8p8-0.7.1