Bug 1300651 (CVE-2015-8140)

Summary: CVE-2015-8140 ntp: ntpq protocol vulnerable to replay attacks
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mlichvar, sardella
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ntp-4.2.8p6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-21 11:50:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1300277    
Bug Blocks: 1297474    

Description Andrej Nemec 2016-01-21 11:08:24 UTC 
The ntpq protocol is vulnerable to replay attacks. The sequence number being included under the signature fails to prevent replay attacks for two reasons. Commands that don't require authentication can be used to move the sequence number forward, and NTP doesn't actually care what sequence number is used so a packet can be replayed at any time. If, for example, an attacker can intercept authenticated reconfiguration commands that would. for example, tell ntpd to connect with a server that turns out to be malicious and a subsequent reconfiguration directive removed that malicious server, the attacker could replay the configuration command to re-establish an association to malicious server.

Upstream bug report:

http://support.ntp.org/bin/view/Main/NtpBug2947
Comment 1 Martin Prpič 2016-01-21 11:25:19 UTC 
External References:

http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://www.talosintel.com/reports/TALOS-2016-0079/
Comment 2 Martin Prpič 2016-01-21 11:50:02 UTC 
Upstream has not released a fix for this issue and has opted for publishing a mitigation instead.

Mitigation:

This issue can be mitigated by one of the following methods: disabling ntpq in ntp.conf, configuring ntpd to get time from multiple sources, or using a restriction list in your ntp.conf to limit who is allowed to issue ntpq queries.