Bug 1176032 (CVE-2014-9293)
| Summary: | CVE-2014-9293 ntp: automatic generation of weak default key in config_auth() | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | carnil, fkrska, fweimer, john.haxby, jrusnack, mdshaikh, mjc, mlichvar, mpoole, ovasik, sardella, security-response-team, thozza, vkaigoro |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ntp 4.2.8 | Doc Type: | Bug Fix |
| Doc Text: |
It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-12-20 02:47:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1176067, 1176068, 1176069, 1176070, 1176100, 1176191, 1176680, 1182166 | ||
| Bug Blocks: | 1176041 | ||
|
Description
Huzaifa S. Sidhpurwala
2014-12-19 08:50:56 UTC
Upstream mentions the issue was fixed in 4.2.7p11. The following commit from between 4.2.7p10 and 4.2.7p11 seems to remove automatic auth key generation among other changes. Commit message does not mention removal of the code at all: http://bk1.ntp.org/ntp-dev/ntpd/ntp_config.c?PAGE=diffs&REV=4b6089c5KXhXqZqocF0DMXnQQsjOuw Upstream change to the NEWS file with details quoted in comment 0: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=5493dc3dofY6drKJde9W-5O1M3s4eg Upstream bug: http://bugs.ntp.org/show_bug.cgi?id=2665 External References: https://access.redhat.com/articles/1305723 http://support.ntp.org/bin/view/Main/SecurityNotice#Weak_default_key_in_config_auth Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1176191] This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:2025 https://rhn.redhat.com/errata/RHSA-2014-2025.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:2024 https://rhn.redhat.com/errata/RHSA-2014-2024.html ntp-4.2.6p5-19.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. ntp-4.2.6p5-25.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. ntp-4.2.6p5-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. Blog post from the original reporter, which mentions how this issue can help with exploitation of other issue (CVE-2014-9295, bug 1176037): http://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html Mitigation:
Issue these commands to explicitly generate a strong key and add it to the
ntpd configuration:
echo trustedkey 65535 >> /etc/ntp.conf
printf "65535\tM\t%s\n" $(tr -cd a-zA-Z0-9 < /dev/urandom | head -c 16) >> /etc/ntp/keys
The generated key has about 95 bits of entropy.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only Via RHSA-2015:0104 https://rhn.redhat.com/errata/RHSA-2015-0104.html |