Bugzilla – Bug 928321
VUL-0: CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems
Last modified: 2015-09-04 15:40:53 UTC
via oss-sec
http://seclists.org/oss-sec/2015/q2/260

> * [Bug 2797] ntp-keygen trapped in endless loop for MD5 keys on big-endian machines.
> https://bugs.ntp.org/show_bug.cgi?id=2797
>
> Patch: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg
>
>
> While the endless loop is not a security flaw per se
>
>
> The unstated rationale here seems to be "ntp-keygen is a command-line
> program that is not normally exposed in a way that crosses privilege
> boundaries."
>
> The documentation mentions:
>
> After setting up the environment it is advisable to update certificates
> from time to time, if only to extend the validity interval.
> Simply run
> @code{ntp-keygen}
> with the same flags as before to generate new certificates
>
> It seems plausible that some sites may have created a web interface so
> that operations staff can occasionally do a certificate update (maybe
> with a new key), but these staff don't have login access to the
> machine running NTP. The flaw would give them the new ability to
> (sometimes) launch a CPU consumption attack. However, we have not
> actually heard of anyone with a web-based ntp-keygen arrangement, so
> we currently don't want to assign a CVE ID for that.
>
> the fact that
> ntp-keygen generates non-random keys is. If the lowest byte of the temp
> variable happens to be between 0x20 and 0x7f and not #, the generated
> MD5 key will consist of 20 identical characters, meaning only 93
> possible keys can be generated.
>
>
> Use CVE-2015-3405 for this code error that results in a key space
> that's much smaller than expected.

References:
http://seclists.org/oss-sec/2015/q2/260
https://bugzilla.redhat.com/show_bug.cgi?id=1210324
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3405
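An added example, not part of the original report or of the ntp project's code: a check that flags symmetric keys matching the weak pattern the advisory describes (an MD5 key of 20 identical characters). The key file layout `<id> <type> <key>`, the function names, and the sample keys are assumptions constructed for illustration.

```python
import re

# Assumption: symmetric key lines look like "<id> <type> <key>  # comment".
KEY_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")
MD5_TYPES = {"MD5", "M"}  # "M" is the older single-letter MD5 key type
MD5_KEY_LEN = 20          # the advisory: "20 identical characters"

# Constructed sample, not real keys.
SAMPLE = r"""
# ntp.keys (constructed)
 1 MD5 7w]O-M<sJ$u[q9^z?T|k  # MD5 key
 2 MD5 LLLLLLLLLLLLLLLLLLLL  # MD5 key
 3 SHA1 0000000000000000000000000000000000000000  # SHA1 key
 4 MD5 ~~~~~~~~~~~~~~~~~~~~  # MD5 key
"""


def weak_key_alphabet():
    """Characters a degenerate key can repeat: the advisory's range
    0x20..0x7f read as exclusive bounds, minus '#'."""
    return [chr(c) for c in range(0x21, 0x7F) if chr(c) != "#"]


def find_degenerate_keys(text):
    """Return [(key_id, repeated_char)] for MD5 keys made of one character."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        m = KEY_LINE.match(line)
        if not m:
            continue  # not a key entry
        key_id, ktype, key = m.groups()
        if ktype.upper() not in MD5_TYPES:
            continue  # the advisory concerns MD5 keys only
        if len(key) == MD5_KEY_LEN and len(set(key)) == 1:
            hits.append((int(key_id), key[0]))
    return hits


if __name__ == "__main__":
    print("degenerate key space:", len(weak_key_alphabet()))
    for key_id, ch in find_degenerate_keys(SAMPLE):
        print(f"key {key_id}: 20 x {ch!r}, regenerate with a fixed ntp-keygen")
```

Any key this reports should be regenerated with a patched ntp-keygen and redistributed to the peers that share it.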
bugbot adjusting priority
SUSE-SU-2015:0865-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 918342,924202,928321
CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-3405
Sources used:
SUSE Linux Enterprise Server 12 (src): ntp-4.2.6p5-44.1
SUSE Linux Enterprise Desktop 12 (src): ntp-4.2.6p5-44.1
The issue blocking the update for bug 924202 and bug 928321 has been removed. An update will be issued for SUSE Linux Enterprise 11. Information about affected products updated on https://www.suse.com/security/cve/CVE-2015-1799.html https://www.suse.com/security/cve/CVE-2015-3405.html
Created attachment 638095
Proposed patch for the problem raised in comment 11.
Yes, I would take both patches. Both look good to me.
Thanks, package submitted.
SUSE-SU-2015:1173-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 924202,928321,935409
CVE References: CVE-2015-1799,CVE-2015-3405
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): ntp-4.2.4p8-1.29.36.1
SUSE Linux Enterprise Server 11 SP3 (src): ntp-4.2.4p8-1.29.36.1
SUSE Linux Enterprise Desktop 11 SP3 (src): ntp-4.2.4p8-1.29.36.1
I think it's done