Bug 1176037 (CVE-2014-9295)
| Summary: | CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | carnil, fkrska, fweimer, john.haxby, jrusnack, mlichvar, ovasik, sardella, security-response-team, thozza, todoleza, vkaigoro |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ntp 4.2.8 | Doc Type: | Bug Fix |
| Doc Text: | Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use any of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited by local attackers, and the configure() flaw requires additional authentication to exploit. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-12-20 02:45:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1176067, 1176068, 1176069, 1176070, 1176100, 1176191, 1176680, 1180650 | | |
| Bug Blocks: | 1176041 | | |
Description (Huzaifa S. Sidhpurwala, 2014-12-19 09:05:47 UTC)
Upstream change to the NEWS file with details quoted in comment 0: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=5493dc3dofY6drKJde9W-5O1M3s4eg

* Buffer overflow in crypto_recv()
  Upstream bug: http://bugs.ntp.org/show_bug.cgi?id=2667
  Upstream commit: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acc4dN1TbM1tRJrbPcA4yc1aTdA
* Buffer overflow in ctl_putdata()
  Upstream bug: http://bugs.ntp.org/show_bug.cgi?id=2668
  Upstream commit: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acdf3tUSFizXcv_X4b77Jt_Y-cg
* Buffer overflow in configure()
  Upstream bug: http://bugs.ntp.org/show_bug.cgi?id=2669
  Upstream commit: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acf55dxKfhb6MuYQwzu8eDlS97g

External References:
https://access.redhat.com/articles/1305723
http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_crypto_recv

There are three issues described by CVE-2014-9295.

* Buffer overflow in crypto_recv(): This is an issue when Autokey Authentication is enabled, which it is not by default. As this is a non-default setting we rate this issue as having Important impact.
* Buffer overflow in ctl_putdata(): This issue is a problem if you allow control messages from untrusted hosts. By default these messages are allowed from localhost only. As this is a non-default setting we rate this issue as having Important impact.
* Buffer overflow in configure(): Our analysis has shown this issue would be a denial of service and not allow remote code execution. The overflow is a single null byte in the data segment and will overwrite part of a local file descriptor variable, which will not result in code execution. As this is a denial of service we rate this issue as having Important impact.

Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1176191]

Also note that the privileges yielded by the ntp user are quite limited (ntpd only has the net_bind_service and sys_time capabilities).
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2014:2025 https://rhn.redhat.com/errata/RHSA-2014-2025.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2014:2024 https://rhn.redhat.com/errata/RHSA-2014-2024.html

Statement: (none)

ntp-4.2.6p5-19.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Mitigation: Add these lines (included by default starting with Red Hat Enterprise Linux 5) to the configuration file /etc/ntp.conf:

    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict -6 ::1

This restricts server-type functionality to localhost. If ntpd needs to perform time service for specific hosts and networks, you have to list them with suitable restrict statements.

ntp-4.2.6p5-25.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

ntp-4.2.6p5-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

Blog post about this issue from the original reporter: http://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only
Via RHSA-2015:0104 https://rhn.redhat.com/errata/RHSA-2015-0104.html

Test.
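As an added example (not part of this bug report and not the ntp project's own code), the POSIX shell script below audits an ntp.conf for the restrict-based mitigation quoted in the comments: it checks that both the IPv4 and IPv6 "restrict default" lines carry nomodify, notrap and noquery, and it flags the non-default Autokey setting (a "crypto" directive in ntp.conf) under which crypto_recv() becomes reachable. The function names (has_flag, default_restrict_ok, audit_ntp_conf, write_samples) and the two sample configurations it writes are this example's own constructions, not taken from any real host.

```shell
#!/bin/sh
# Audit an ntp.conf for the restrict-based mitigation from this bug report.
# Example code written for this page, not the bug's or the ntp project's own.

# has_flag LINE FLAG: succeed when FLAG appears as a whole word in LINE.
has_flag() {
    case " $(printf '%s' "$1" | tr '\t' ' ') " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# default_restrict_ok CONF FAMILY: FAMILY is "" (IPv4) or "-6" (IPv6).
# Succeeds when the "restrict [-6] default" line exists and carries all of
# nomodify, notrap and noquery, the flags that deny runtime configuration,
# trap setting and control-message queries from hosts not explicitly allowed.
default_restrict_ok() {
    conf="$1"
    if [ "$2" = "-6" ]; then
        pat='^[[:space:]]*restrict[[:space:]]+-6[[:space:]]+default([[:space:]]|$)'
    else
        pat='^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)'
    fi
    line=$(grep -E "$pat" "$conf" | head -n 1)
    [ -n "$line" ] || return 1
    for f in nomodify notrap noquery; do
        has_flag "$line" "$f" || return 1
    done
    return 0
}

# audit_ntp_conf CONF: print one line per finding; return 0 only when the
# file matches the mitigation and does not enable Autokey.
audit_ntp_conf() {
    conf="$1"
    rc=0
    if ! default_restrict_ok "$conf" ""; then
        echo "FINDING: $conf lacks 'restrict default ... nomodify notrap noquery'"
        rc=1
    fi
    if ! default_restrict_ok "$conf" "-6"; then
        echo "FINDING: $conf lacks 'restrict -6 default ... nomodify notrap noquery'"
        rc=1
    fi
    # Autokey is the non-default setting under which crypto_recv() is reached;
    # it is turned on by a "crypto" directive in ntp.conf.
    if grep -Eq '^[[:space:]]*crypto([[:space:]]|$)' "$conf"; then
        echo "NOTE: $conf enables Autokey ('crypto'); crypto_recv() is reachable, so a fixed ntpd build is required"
        rc=1
    fi
    return "$rc"
}

# write_samples DIR: write two constructed configurations (not from any real
# host) so the audit can be demonstrated offline.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: unrestricted default policy and Autokey enabled
restrict default kod
restrict 127.0.0.1
server ntp.example.com
crypto pw example
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: the restrict lines from the bug report's mitigation
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server ntp.example.com
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in weak hardened; do
    if audit_ntp_conf "$demo_dir/$name.conf"; then
        echo "$name.conf: mitigation present"
    else
        echo "$name.conf: mitigation missing"
    fi
done
rm -rf "$demo_dir"
```

To check a live host, call audit_ntp_conf /etc/ntp.conf; a non-zero exit means at least one finding was printed. The check is deliberately narrow: it confirms the default policy denies queries and runtime configuration, which is what the mitigation relies on, and it does not try to judge the per-host restrict lines an operator adds for the networks ntpd is meant to serve.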