[RHSA-2015:2231-04] Moderate: ntp security, bug fix, and enhancement update

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: ntp security, bug fix, and enhancement update

Advisory ID: RHSA-2015:2231-04

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2231.html

Issue date: 2015-11-19

CVE Names: CVE-2014-9297 CVE-2014-9298 CVE-2014-9750

CVE-2014-9751 CVE-2015-1798 CVE-2015-1799

CVE-2015-3405

=====================================================================

 

1. Summary:

 

Updated ntp packages that fix multiple security issues, several bugs, and

add various enhancements are now available for Red Hat Enterprise Linux 7.

 

Red Hat Product Security has rated this update as having Moderate security

impact. Common Vulnerability Scoring System (CVSS) base scores, which give

detailed severity ratings, are available for each vulnerability from the

CVE links in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux Client (v. 7) - x86_64

Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64

Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64

Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

 

3. Description:

 

The Network Time Protocol (NTP) is used to synchronize a computer's time

with another referenced time source. These packages include the ntpd

service which continuously adjusts system time and utilities used to query

and configure the ntpd service.

 

It was found that because NTP's access control was based on a source IP

address, an attacker could bypass source IP restrictions and send

malicious control and configuration packets by spoofing ::1 addresses.

(CVE-2014-9298, CVE-2014-9751)

 

A denial of service flaw was found in the way NTP hosts that were peering

with each other authenticated themselves before updating their internal

state variables. An attacker could send packets to one peer host, which

could cascade to other peers, and stop the synchronization process among

the reached peers. (CVE-2015-1799)

 

A flaw was found in the way the ntp-keygen utility generated MD5 symmetric

keys on big-endian systems. An attacker could possibly use this flaw to

guess generated MD5 keys, which could then be used to spoof an NTP client

or server. (CVE-2015-3405)

 

A stack-based buffer overflow was found in the way the NTP autokey protocol

was implemented. When an NTP client decrypted a secret received from an NTP

server, it could cause that client to crash. (CVE-2014-9297, CVE-2014-9750)

 

It was found that ntpd did not check whether a Message Authentication Code

(MAC) was present in a received packet when ntpd was configured to use

symmetric cryptographic keys. A man-in-the-middle attacker could use this

flaw to send crafted packets that would be accepted by a client or a peer

without the attacker knowing the symmetric key. (CVE-2015-1798)

 

The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav

Lichvár of Red Hat.

 

Bug fixes:

 

* The ntpd service truncated symmetric keys specified in the key file to 20

bytes. As a consequence, it was impossible to configure NTP authentication

to work with peers that use longer keys. With this update, the maximum key

length has been changed to 32 bytes. (BZ#1191111)

 

* The ntpd service could previously join multicast groups only when

starting, which caused problems if ntpd was started during system boot

before network was configured. With this update, ntpd attempts to join

multicast groups every time network configuration is changed. (BZ#1207014)

 

* Previously, the ntp-keygen utility used the exponent of 3 when generating

RSA keys. Consequently, generating RSA keys failed when FIPS mode was

enabled. With this update, ntp-keygen has been modified to use the exponent

of 65537, and generating keys in FIPS mode now works as expected.

(BZ#1191116)

 

* The ntpd service dropped incoming NTP packets if their source port was

lower than 123 (the NTP port). With this update, ntpd no longer checks the

source port number, and clients behind NAT are now able to correctly

synchronize with the server. (BZ#1171640)

 

Enhancements:

 

* This update adds support for configurable Differentiated Services Code

Points (DSCP) in NTP packets, simplifying configuration in large networks

where different NTP implementations or versions are using different DSCP

values. (BZ#1202828)

 

* This update adds the ability to configure separate clock stepping

thresholds for each direction (backward and forward). Use the "stepback"

and "stepfwd" options to configure each threshold. (BZ#1193154)

 

* Support for nanosecond resolution has been added to the Structural

Health Monitoring (SHM) reference clock. Prior to this update, when a

Precision Time Protocol (PTP) hardware clock was used as a time source to

synchronize the system clock, the accuracy of the synchronization was

limited due to the microsecond resolution of the SHM protocol. The

nanosecond extension in the SHM protocol now allows sub-microsecond

synchronization of the system clock. (BZ#1117702)

 

All ntp users are advised to upgrade to these updated packages, which

contain backported patches to correct these issues and add these

enhancements.

 

4. Solution:

 

Before applying this update, make sure all previously released errata

relevant to your system have been applied.

 

For details on how to apply this update, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1117702 - SHM refclock doesn't support nanosecond resolution

1122012 - SHM refclock allows only two units with owner-only access

1171640 - NTP drops requests when sourceport is below 123

1180721 - ntp: mreadvar command crash in ntpq

1184572 - CVE-2014-9298 CVE-2014-9751 ntp: drop packets with source address ::1

1184573 - CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated

1191108 - ntpd should warn when monitoring facility can't be disabled due to restrict configuration

1191122 - ntpd -x steps clock on leap second

1193154 - permit differential fwd/back threshold for step vs. slew [PATCH]

1199430 - CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto

1199435 - CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks

1210324 - CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems

 

6. Package List:

 

Red Hat Enterprise Linux Client (v. 7):

 

Source:

ntp-4.2.6p5-22.el7.src.rpm

 

x86_64:

ntp-4.2.6p5-22.el7.x86_64.rpm

ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm

ntpdate-4.2.6p5-22.el7.x86_64.rpm

 

Red Hat Enterprise Linux Client Optional (v. 7):

 

noarch:

ntp-doc-4.2.6p5-22.el7.noarch.rpm

ntp-perl-4.2.6p5-22.el7.noarch.rpm

 

x86_64:

ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm

sntp-4.2.6p5-22.el7.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode (v. 7):

 

Source:

ntp-4.2.6p5-22.el7.src.rpm

 

x86_64:

ntp-4.2.6p5-22.el7.x86_64.rpm

ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm

ntpdate-4.2.6p5-22.el7.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

 

noarch:

ntp-doc-4.2.6p5-22.el7.noarch.rpm

ntp-perl-4.2.6p5-22.el7.noarch.rpm

 

x86_64:

ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm

sntp-4.2.6p5-22.el7.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 7):

 

Source:

ntp-4.2.6p5-22.el7.src.rpm

 

aarch64:

ntp-4.2.6p5-22.el7.aarch64.rpm

ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm

ntpdate-4.2.6p5-22.el7.aarch64.rpm

 

ppc64:

ntp-4.2.6p5-22.el7.ppc64.rpm

ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm

ntpdate-4.2.6p5-22.el7.ppc64.rpm

 

ppc64le:

ntp-4.2.6p5-22.el7.ppc64le.rpm

ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm

ntpdate-4.2.6p5-22.el7.ppc64le.rpm

 

s390x:

ntp-4.2.6p5-22.el7.s390x.rpm

ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm

ntpdate-4.2.6p5-22.el7.s390x.rpm

 

x86_64:

ntp-4.2.6p5-22.el7.x86_64.rpm

ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm

ntpdate-4.2.6p5-22.el7.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 7):

 

aarch64:

ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm

sntp-4.2.6p5-22.el7.aarch64.rpm

 

noarch:

ntp-doc-4.2.6p5-22.el7.noarch.rpm

ntp-perl-4.2.6p5-22.el7.noarch.rpm

 

ppc64:

ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm

sntp-4.2.6p5-22.el7.ppc64.rpm

 

ppc64le:

ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm

sntp-4.2.6p5-22.el7.ppc64le.rpm

 

s390x:

ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm

sntp-4.2.6p5-22.el7.s390x.rpm

 

x86_64:

ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm

sntp-4.2.6p5-22.el7.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 7):

 

Source:

ntp-4.2.6p5-22.el7.src.rpm

 

x86_64:

ntp-4.2.6p5-22.el7.x86_64.rpm

ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm

ntpdate-4.2.6p5-22.el7.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 7):

 

noarch:

ntp-doc-4.2.6p5-22.el7.noarch.rpm

ntp-perl-4.2.6p5-22.el7.noarch.rpm

 

x86_64:

ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm

sntp-4.2.6p5-22.el7.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2014-9297

https://access.redhat.com/security/cve/CVE-2014-9298

https://access.redhat.com/security/cve/CVE-2014-9750

https://access.redhat.com/security/cve/CVE-2014-9751

https://access.redhat.com/security/cve/CVE-2015-1798

https://access.redhat.com/security/cve/CVE-2015-1799

https://access.redhat.com/security/cve/CVE-2015-3405

https://access.redhat.com/security/updates/classification/#moderate

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2015 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD4DBQFWTkFJXlSAg2UNWIIRAphzAKCRHDVdHI5OvJ8glkXYLBwyQgeyvwCYmTV3

1hLTu5I/PUzWOnD8rRIlZQ==

=sWdG

-----END PGP SIGNATURE-----
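
Added example, not part of the Red Hat advisory and not ntpd source code: a simplified C model of two receive-path checks described in section 3, dropping packets that claim source ::1 but arrive on a non-loopback interface (CVE-2014-9298, CVE-2014-9751) and rejecting packets without a MAC on an association configured with a symmetric key (CVE-2015-1798). The struct, function names, and the trailer-length rule (no extension fields, no crypto-NAK) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <netinet/in.h>

#define NTP_HDR_LEN  48        /* fixed NTP header */
#define MAC_MD5_LEN  (4 + 16)  /* key ID + MD5 digest */
#define MAC_SHA1_LEN (4 + 20)  /* key ID + SHA-1 digest */

enum verdict { ACCEPT, DROP_SPOOFED_LOOPBACK, DROP_MALFORMED,
               DROP_MAC_MISSING, DROP_MAC_BAD };

/* Hypothetical per-packet context (names are illustrative, not ntpd's). */
struct rx_ctx {
    struct in6_addr src;    /* source address of the datagram */
    int rx_if_is_loopback;  /* did it arrive on the loopback interface? */
    size_t pkt_len;         /* UDP payload length */
    int assoc_uses_key;     /* association configured with a symmetric key */
    int digest_ok;          /* MAC verification result, if a MAC is present */
};

/* Length of the trailer after the header: 0 = no MAC, -1 = malformed.
 * Assumption: no extension fields and no crypto-NAK handling. */
static int mac_len(size_t pkt_len) {
    if (pkt_len < NTP_HDR_LEN) return -1;
    size_t rest = pkt_len - NTP_HDR_LEN;
    if (rest == 0 || rest == MAC_MD5_LEN || rest == MAC_SHA1_LEN)
        return (int)rest;
    return -1;
}

/* enforce_presence = 0 models the missing check behind CVE-2015-1798. */
enum verdict ntp_rx_check(const struct rx_ctx *c, int enforce_presence) {
    /* ::1 is only legitimate on the loopback interface. */
    if (IN6_IS_ADDR_LOOPBACK(&c->src) && !c->rx_if_is_loopback)
        return DROP_SPOOFED_LOOPBACK;
    int m = mac_len(c->pkt_len);
    if (m < 0) return DROP_MALFORMED;
    if (m > 0 && !c->digest_ok) return DROP_MAC_BAD;
    if (m == 0 && c->assoc_uses_key && enforce_presence)
        return DROP_MAC_MISSING;
    return ACCEPT;
}

int main(void) {
    /* Constructed input: bare 48-byte packet on a keyed association. */
    struct rx_ctx c = { .pkt_len = 48, .assoc_uses_key = 1 };
    printf("pre-fix: %d, fixed: %d\n", ntp_rx_check(&c, 0), ntp_rx_check(&c, 1));
    return 0;
}
```
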
