NetBSD Security Advisory 2016-001: Multiple vulnerabilities in ntp daemon


		NetBSD Security Advisory 2016-001
		=================================

Topic:		Multiple vulnerabilities in ntp daemon


Version:	NetBSD-current:		source prior to Fri, Oct 23 2015
		NetBSD 7.0:		affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	Local DoS / Kernel execution redirection

Fixed:		NetBSD-current:		Fri, Oct 23 2015
		NetBSD-7-0 branch:	Sat, Nov 7 2015
		NetBSD-6-1 branch:	Sat, Nov 7 2015
		NetBSD-6-0 branch:	Sat, Nov 7 2015
		NetBSD-6 branch:	Sat, Nov 7 2015

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Several bugs were fixed in the ntp-4.8.4p4 release that affect the
daemon operation and can be remotely exploited:

   - crash the daemon
   - perform code injection
   - change time
   - overwrite files
   - consume excessive CPU and/or disk space

Technical Details
=================

1. Remote Configuration Attacks

   If ntpd(8) is configured to allow remote configuration, and if
   the (possibly spoofed) source IP address is allowed to send
   remote configuration requests, and if the attacker knows the
   remote configuration password or if ntpd(8) was configured to
   disable authentication, then an attacker can send a set of
   packets to ntpd(8) that may cause it to:

	   - Memory corruption, with the hypothetical possibility of
	     a code injection.
	     [CVE-2015-7854], [CVE-2015-7849]

	   - Overwrite files.
	     [CVE-2015-7851]

	   - Crash and/or create a potentially huge log file.
	     Specifically, the attacker could enable extended
	     logging, point the key file at the log file, and cause
	     what amounts to an infinite loop.
	     [CVE-2015-7850]

	   - Overwrite other files. In particular, it is possible for an
	     attacker to use the "pidfile" or "driftfile" directives
	     to overwrite other files.
	     [CVE-2015-5196]

   The default configuration of ntpd(8) within NetBSD does not
   allow remote configuration.

2. Autokey issues

   If ntpd(8) is configured to use autokey, then an attacker can
   send packets to ntpd that will, after several days of ongoing
   attack, cause it to run out of memory.
   [CVE-2015-7701]

   The fix for CVE-2014-9750 was incomplete in that there were
   certain code paths where a packet with particular autokey
   operations that contained malicious data was not always being
   completely validated.  Receipt of these packets can cause ntpd
   to crash.
   [CVE-2015-7691, CVE-2015-7692, CVE-2015-7702].

   The default configuration of ntpd(8) within NetBSD does not use
   autokey.

3. Crypto-NAK packets

   Crypto-NAK packets can be used to cause ntpd(8) to accept time
   from an unauthenticated ephemeral symmetric peer by bypassing
   the authentication required to mobilize peer associations.
   [CVE-2015-7871]

4. Crafted mode 6 and 7 packets

   If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing
   an unusually long data value where a network address is expected,
   the decodenetnum() function will abort with an assertion failure
   instead of simply returning a failure condition.
   [CVE-2015-7855]

   If ntpd(8) is configured to enable mode 7 packets, and if the
   use of mode 7 packets is not properly protected through the use
   of the available mode 7 authentication and restriction mechanisms,
   and if the (possibly spoofed) source IP address is allowed to
   send mode 7 queries, then an attacker can send a crafted packet
   to ntpd that will cause it to crash.
   [CVE-2015-7848]

   The default configuration of ntpd(8) within NetBSD does not
   allow mode 7 packets.

5. Custom refclock driver incomplete data validation

   A negative value for the datalen parameter will overflow a data
   buffer. The NTF ntpd(8) driver implementations always set this
   value to 0 and are therefore not vulnerable to this weakness.
   If the system runs a custom refclock driver in ntpd(8) and that
   driver supplies a negative value for datalen (no custom driver
   of even minimal competence would do this), then ntpd(8) would
   overflow the data buffer. It is even hypothetically possible in
   this case that instead of simply crashing ntpd(8), the attacker
   could effect a code injection attack.
   [CVE-2015-7853]

6. ntpq(8) potential memory corruption

   If an attacker can figure out the precise moment that ntpq(8)
   is listening for data and the port number on which it is listening,
   or if the attacker can provide a malicious instance of ntpd(8) that
   victims will connect to, then an attacker can send a set of
   crafted mode 6 response packets that, if received by ntpq(8),
   can cause ntpq(8) to crash.
   [CVE-2015-7852]

7. Kiss Of Death packet issues

   An ntpd(8) client that honors Kiss-of-Death responses will honor
   Kiss-of-Death messages that have been forged by an attacker,
   causing it to delay or stop querying its servers for time updates.
   Also, an attacker can forge packets that claim to be from the
   target and send them to servers often enough that a server that
   implements Kiss-of-Death rate limiting will send the target
   machine a Kiss-of-Death response to attempt to reduce the rate
   of incoming packets, or it may also trigger a firewall block at
   the server for packets from the target machine. For either of
   these attacks to succeed, the attacker must know what servers
   the target is communicating with. An attacker can be anywhere
   on the Internet and can frequently learn the identity of the
   time source of a target by sending the target a time query.
   [CVE-2015-7704, CVE-2015-7705]

Solutions and Workarounds
=========================

- Upgrade your system to a NetBSD release that contains the patches,
  and restart your ntpd(8).
- Limit access to only trusted hosts via a packet filter.
- Compile and use the ntp package from pkgsrc.
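The default-configuration notes and the workarounds above amount to a checklist for an ntp.conf(5): no remote configuration, no disabled authentication, no mode 7, no autokey. As an added example that is not part of the advisory or of the NTP project, this POSIX sh audit reads an ntp.conf on stdin and reports which of those exposure conditions it carries (section numbers refer to the Technical Details above); the function and variable names are my own and the two sample configurations are constructed.

```shell
# Added example, not part of the NetBSD advisory: audit an ntp.conf(5) read
# on stdin for the exposure conditions the advisory lists. Directive syntax
# follows ntp.conf(5); the two sample configurations below are constructed.

S='[[:space:]]'   # shorthand for the ERE whitespace class

# Return true if an uncommented config line matches the given ERE.
has_directive() { printf '%s\n' "$body" | grep -Eq "$1"; }
# Record one finding (n is shared with audit_ntp_conf).
finding() { echo "FINDING: $1"; n=$((n+1)); }

# Print one line per finding; return 1 if any were found, 0 if clean.
audit_ntp_conf() {
    # Drop comments and blank lines so directive matching is reliable.
    body=$(sed 's/#.*//' | grep -v "^$S*\$" || true)
    n=0
    # Sec. 1: remote configuration stays reachable unless the default
    # restriction carries nomodify; noquery additionally blocks mode 6/7 queries.
    rd=$(printf '%s\n' "$body" | grep -E "^$S*restrict$S+(-[46]$S+)?default" || true)
    if [ -z "$rd" ]; then
        finding "no 'restrict default' line: any source may query and reconfigure ntpd"
    else
        case "$rd" in *nomodify*) ;; *) finding "'restrict default' lacks nomodify: remote configuration reachable (sec. 1)" ;; esac
        case "$rd" in *noquery*) ;; *) finding "'restrict default' lacks noquery: mode 6/7 queries accepted (sec. 4)" ;; esac
    fi
    # Sec. 1: 'disable auth' removes the password check on remote configuration.
    has_directive "^$S*disable$S+(.*$S)?auth($S|\$)" && finding "'disable auth': remote configuration needs no password (sec. 1)"
    # Sec. 4: mode 7 is off in the NetBSD default; flag it if turned on.
    has_directive "^$S*enable$S+(.*$S)?mode7($S|\$)" && finding "'enable mode7': crafted mode 7 packets reach ntpd (sec. 4)"
    # Sec. 2: any 'crypto' directive turns on autokey.
    has_directive "^$S*crypto($S|\$)" && finding "'crypto': autokey enabled (sec. 2)"
    [ "$n" -eq 0 ]
}

# Constructed weak configuration carrying every condition checked above.
WEAK_CONF='server 0.netbsd.pool.ntp.org
restrict default kod
enable mode7
crypto pw example
disable auth
driftfile /var/db/ntp.drift'

# Constructed hardened configuration in the shape the workaround implies.
HARDENED_CONF='server 0.netbsd.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
driftfile /var/db/ntp.drift'

printf '%s\n' "$WEAK_CONF" | audit_ntp_conf || echo "weak config: not clean"
printf '%s\n' "$HARDENED_CONF" | audit_ntp_conf && echo "hardened config: clean"
```

On a live host, run it as `audit_ntp_conf < /etc/ntp.conf`; a packet filter in front of udp/123 is still needed, since the restrict line only governs what ntpd itself answers.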

Thanks To
=========

Thanks to the NTP developers for correcting these issues.
Matthew Van Gundy of Cisco ASIG for reporting CVE-2015-7871.
Yves Younan, Aleksandar Nikolic of Cisco Talos for reporting
	CVE-2015-7852, CVE-2015-7854.
Yves Younan of Cisco Talos for reporting CVE-2015-7849,
	CVE-2015-7850, CVE-2015-7853.
Aleksandar Nikolic of Cisco Talos for reporting CVE-2015-7848.
Tenable for reporting CVE-2015-7691, CVE-2015-7692,
	CVE-2015-7701, CVE-2015-7702.
Red Hat for reporting CVE-2015-7703.
Aanchal Malhotra, Isaac E. Cohen, Erik Brakke, Sharon Goldberg
	of Boston University for reporting CVE-2015-7704,
	CVE-2015-7705.
John D "Doug" Birdwell of IDA.org for reporting CVE-2015-7855.

Revision History
================

	2016-04-16	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-XXX.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
