Bug 1199430 (CVE-2015-1798)

Summary: CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto
Product: [Other] Security Response Reporter: Miroslav Lichvar <mlichvar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anemec, carnil, ffutigam, jrusnack, juzou, mlichvar, moshiro, redhat-bugzilla, sardella, security-response-team, slawomir, tafinho, tfrazier, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that ntpd did not check whether a Message Authentication Code (MAC) was present in a received packet when ntpd was configured to use symmetric cryptographic keys. A man-in-the-middle attacker could use this flaw to send crafted packets that would be accepted by a client or a peer without the attacker knowing the symmetric key.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-20 05:34:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1209578, 1215935, 1221564, 1221565    
Bug Blocks: 1193283, 1200382, 1210268    

Description Miroslav Lichvar 2015-03-06 09:30:30 UTC 
When ntpd is configured to use a symmetric key with an NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key.

It seems this bug was introduced in 4.2.5p99 and is in all later stable versions up to 4.2.8p1. Authentication using autokey doesn't have this problem as there is a check that requires the key ID to be larger than NTP_MAXKEY, which fails for packets without MAC.
Comment 3 Martin Prpič 2015-03-10 12:47:31 UTC 
Acknowledgements:

This issue was discovered by Miroslav Lichvár of Red Hat.
Comment 7 Kurt Seifried 2015-04-07 16:56:44 UTC 
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1209578]
Comment 8 Kurt Seifried 2015-04-08 16:00:49 UTC 
This issue was fixed upstream:

http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

The updated version is available at:

http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p2.tar.gz
Comment 14 Fedora Update System 2015-04-22 22:55:44 UTC 
ntp-4.2.6p5-22.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2015-04-22 22:56:00 UTC 
ntp-4.2.6p5-30.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2015-04-28 13:00:58 UTC 
ntp-4.2.6p5-30.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 errata-xmlrpc 2015-07-22 07:00:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1459 https://rhn.redhat.com/errata/RHSA-2015-1459.html
Comment 23 errata-xmlrpc 2015-11-19 08:38:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2231 https://rhn.redhat.com/errata/RHSA-2015-2231.html
Comment 24 Huzaifa S. Sidhpurwala 2015-11-20 05:34:11 UTC 
Statement:

This issue did not affect the version of ntp as shipped with Red Hat Enterprise Linux 5