Bug 1686605 (CVE-2019-8936)

Summary: CVE-2019-8936 ntp: Crafted null dereference attack in authenticated mode 6 packet
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, bmcclain, dbaker, dblechte, dfediuck, eedri, jokerman, linville, mgoldboi, michal.skrivanek, mlichvar, sbonazzo, sherold, sthangav, trankin, yturgema
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: ntp 4.2.8p13
Last Closed: 2019-03-11 10:17:44 UTC
Bug Depends On: 1686606    
Bug Blocks: 1686608    

Description Pedro Sampaio 2019-03-07 20:01:11 UTC
A flaw was found in ntp before version 4.2.8p13. An authenticated attacker can cause ntpd to sigsegv by triggering a NULL pointer exception.

Upstream issue:

http://bugs.ntp.org/show_bug.cgi?id=3565

Upstream patch:

http://bk.ntp.org/ntp-stable/ntpd/ntp_control.c?PAGE=diffs&REV=5c8106e7wWtXdh0lzg1ytlWribBTcQ

References:

https://gitlab.com/NTPsec/ntpsec/issues/509

Comment 1 Pedro Sampaio 2019-03-07 20:01:29 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1686606]

Comment 2 Stefan Cornelius 2019-03-08 16:22:32 UTC
Although the RHEL7 version is missing the NULL checks added in this patch, it does not crash with the POC provided. It seems like this was introduced in later versions due to changes in the ctl_getitem() function in ntpd/ntp_control.c, which are not yet part of the RHEL7 version.

Comment 4 Stefan Cornelius 2019-03-11 10:17:55 UTC
Statement:

This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7.

Comment 5 Fedora Update System 2019-04-07 00:01:01 UTC
ntp-4.2.8p13-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2019-04-07 01:47:12 UTC
ntp-4.2.8p13-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2019-04-07 04:19:34 UTC
ntp-4.2.8p13-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.