ID

VAR-201412-0612

CVE

CVE-2014-9296

TITLE

NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated)

DESCRIPTION

The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets. The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. Supplementary information : CWE Vulnerability type by CWE-17: Code ( code ) Has been identified. http://cwe.mitre.org/data/definitions/17.htmlA third party can trigger unintentional association changes through crafted packets. Network Time Protocol is prone to an unspecified security vulnerability. Little is known about this issue or its effects at this time. We will update this BID as more information emerges. Network Time Protocol 4.2.7 is vulnerable; other versions may also be affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: ntp security update Advisory ID: RHSA-2015:0104-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0104.html Issue date: 2015-01-28 CVE Names: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 ===================================================================== 1. Summary: Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.5) - noarch, x86_64 Red Hat Enterprise Linux HPC Node EUS (v. 6.5) - x86_64 Red Hat Enterprise Linux Server EUS (v. 6.5) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.5) - i386, noarch, ppc64, s390x, x86_64 3. Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys. (CVE-2014-9294) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1176032 - CVE-2014-9293 ntp: automatic generation of weak default key in config_auth() 1176035 - CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys 1176037 - CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets 1176040 - CVE-2014-9296 ntp: receive() missing return on error 6. Package List: Red Hat Enterprise Linux HPC Node EUS (v. 6.5): Source: ntp-4.2.6p5-2.el6_5.src.rpm x86_64: ntp-4.2.6p5-2.el6_5.x86_64.rpm ntp-debuginfo-4.2.6p5-2.el6_5.x86_64.rpm ntpdate-4.2.6p5-2.el6_5.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.5): Source: ntp-4.2.6p5-2.el6_5.src.rpm noarch: ntp-doc-4.2.6p5-2.el6_5.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-2.el6_5.x86_64.rpm ntp-perl-4.2.6p5-2.el6_5.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.5): Source: ntp-4.2.6p5-2.el6_5.src.rpm i386: ntp-4.2.6p5-2.el6_5.i686.rpm ntp-debuginfo-4.2.6p5-2.el6_5.i686.rpm ntpdate-4.2.6p5-2.el6_5.i686.rpm ppc64: ntp-4.2.6p5-2.el6_5.ppc64.rpm ntp-debuginfo-4.2.6p5-2.el6_5.ppc64.rpm ntpdate-4.2.6p5-2.el6_5.ppc64.rpm s390x: ntp-4.2.6p5-2.el6_5.s390x.rpm ntp-debuginfo-4.2.6p5-2.el6_5.s390x.rpm ntpdate-4.2.6p5-2.el6_5.s390x.rpm x86_64: ntp-4.2.6p5-2.el6_5.x86_64.rpm ntp-debuginfo-4.2.6p5-2.el6_5.x86_64.rpm ntpdate-4.2.6p5-2.el6_5.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.5): Source: ntp-4.2.6p5-2.el6_5.src.rpm i386: ntp-debuginfo-4.2.6p5-2.el6_5.i686.rpm ntp-perl-4.2.6p5-2.el6_5.i686.rpm noarch: ntp-doc-4.2.6p5-2.el6_5.noarch.rpm ppc64: ntp-debuginfo-4.2.6p5-2.el6_5.ppc64.rpm ntp-perl-4.2.6p5-2.el6_5.ppc64.rpm s390x: ntp-debuginfo-4.2.6p5-2.el6_5.s390x.rpm ntp-perl-4.2.6p5-2.el6_5.s390x.rpm x86_64: ntp-debuginfo-4.2.6p5-2.el6_5.x86_64.rpm ntp-perl-4.2.6p5-2.el6_5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-9293 https://access.redhat.com/security/cve/CVE-2014-9294 https://access.redhat.com/security/cve/CVE-2014-9295 https://access.redhat.com/security/cve/CVE-2014-9296 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUyTXWXlSAg2UNWIIRAsXzAKCilJuJeeWLOABs1xY+ueRvRTSpWACcDhoC YQlhn66RRMYQCWymo1OCUoI= =4Rft -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . The two patches are available from the HP Support Center (HPSC). http://h20565.www2.hp.com/portal/site/hpsc? A new B.11.31 depot for HP-UX-NTP_C.4.2.6.5.0 is available here: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber =HPUX-NTP The B.11.31 image HP-UX-NTP_C.4.2.6.5.0 The B.11.23 patch PHNE_44236 for NTP v3.5 The B.11.11 patch PHNE_44235 for NTP v3.5 Mitigation steps for HP-UX B.11.23 and HP-UX B.11.11 for CVE-2014-9295 Restrict query for server status (Time Service is not affected) from ntpq/ntpdc by enabling noquery using the restrict command in /etc/ntp.conf file. Reference: http://support.ntp.org/bin/view/Main/SecurityNotice MANUAL ACTIONS: Yes - Update If patch installation on B.11.11 or B.11.23 is not possible, mitigate with step above. PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 ================== InternetSrvcs.INETSVCS-BOOT action: install PHNE_44235 or subsequent HP-UX B.11.23 ================== InternetSrvcs.INETSVCS2-BOOT action: install PHNE_44236 or subsequent HP-UX B.11.31 ================== NTP.INETSVCS2-BOOT NTP.NTP-AUX NTP.NTP-RUN action: install revision C.4.2.6.5.0 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 18 February 2015 Initial release Version:2 (rev.2) - 8 April 2015 Added B.11.23 and B.11.11 patches Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. On December 19, 2014, NTP.org and US-CERT released security advisories detailing two issues regarding weak cryptographic pseudorandom number generation (PRNG), three buffer overflow vulnerabilities, and an unhandled error condition with an unknown impact. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker (CVE-2014-9296). Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service (CVE-2014-9297). Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298 http://advisories.mageia.org/MGASA-2014-0541.html http://advisories.mageia.org/MGASA-2015-0063.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 8f7d14b95c55bd1de7230cff0c8ea9d7 mbs2/x86_64/ntp-4.2.6p5-16.1.mbs2.x86_64.rpm 09063ab11459b1f935809b37c742ff12 mbs2/x86_64/ntp-client-4.2.6p5-16.1.mbs2.x86_64.rpm 7a0d0eca35911d9f15b76b474c5512cf mbs2/x86_64/ntp-doc-4.2.6p5-16.1.mbs2.noarch.rpm cb0371050702950084ff633ea45c2c5c mbs2/SRPMS/ntp-4.2.6p5-16.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVF9K3mqjQ0CJFipgRAn26AJwInkxLvDh/Gbb3uYRz9IjuaSK8+ACgiM1Z rou2syvF1hyhVhxh7M5sv3c= =uncU -----END PGP SIGNATURE----- . Attackers could use this key to reconfigure ntpd (or to exploit other vulnerabilities). The default ntpd configuration in Debian restricts access to localhost (and possible the adjacent network in case of IPv6). For the stable distribution (wheezy), these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u1. References: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 CVE-2013-5211 SSRT102239 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Platform Patch Kit Name Alpha IA64 V8.4 75-117-380_2015-08-24.BCK NOTE: Please contact OpenVMS Technical Support to request these patch kits. ============================================================================ Ubuntu Security Notice USN-2449-1 December 22, 2014 ntp vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: Several security issues were fixed in NTP. The default compiler options for affected releases should reduce the vulnerability to a denial of service. In addition, attackers would be isolated by the NTP AppArmor profile. (CVE-2014-9295) Stephen Roettger discovered that NTP incorrectly continued processing when handling certain errors. (CVE-2014-9296) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.10: ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.10.1 Ubuntu 14.04 LTS: ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.1 Ubuntu 12.04 LTS: ntp 1:4.2.6.p3+dfsg-1ubuntu3.2 Ubuntu 10.04 LTS: ntp 1:4.2.4p8+dfsg-1ubuntu2.2 After a standard system update you need to regenerate any MD5 keys that were manually created with ntp-keygen. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04582466 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04582466 Version: 1 HPSBGN03277 rev.1 - HP Virtualization Performance Viewer, Remote Execution of Code, Denial of Service (DoS) and Other Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2015-03-06 Last Updated: 2015-03-06 Potential Security Impact: Remote execution of code, Denial of Service (DoS), and other vulnerabilities Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with the NTP service that is present on HP Virtualization Performance Viewer (vPV). These could be exploited remotely to execute code, create a Denial of Service (DoS), and other vulnerabilities. References: CVE-2014-9293 - Insufficient Entropy in Pseudo-Random Number Generator (PRNG) (CWE-332) CVE-2014-9294 - Use of Cryptographically Weak PRNG (CWE-338) CVE-2014-9295 - Stack Buffer Overflow (CWE-121) CVE-2014-9296 - Error Conditions, Return Values, Status Codes (CWE-389) SSRT101957 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Virtualization Performance Viewer v2.10, v2.01, v2.0, v1.X BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-9293 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-9294 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-9295 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-9296 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following information to mitigate the impact of these vulnerabilities. https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea rch/document/KM01411809?/ HISTORY Version:1 (rev.1) - 6 March 2015 Initial release Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security- alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG &jumpid=in_SC- GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

code problem

CONFIGURATIONS

PATCH

EXTERNAL IDS