Bug 1300268 - (CVE-2015-7976) CVE-2015-7976 ntp: 'ntpq saveconfig' command allows dangerous characters in filenames
CVE-2015-7976 ntp: 'ntpq saveconfig' command allows dangerous characters in f...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20160120,reported=2...
: Security
Depends On: 1300277
Blocks: 1297474
  Show dependency treegraph
 
Reported: 2016-01-20 06:42 EST by Martin Prpič
Modified: 2016-02-12 09:55 EST (History)
2 users (show)

See Also:
Fixed In Version: ntp 4.2.8p6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-20 09:34:52 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Prpič 2016-01-20 06:42:08 EST
The ntpq saveconfig command does not do adequate filtering of special characters from the supplied filename. Note: the ability to use the saveconfig command is controlled by the 'restrict nomodify' directive, and the recommended default configuration is to disable this capability. If the ability to execute a 'saveconfig' is required, it can easily (and should) be limited and restricted to a known small number of IP addresses.

Upstream patches:

https://github.com/ntp-project/ntp/commit/3680c2e4d5f88905ce062c7b43305d610a2c9796
https://github.com/ntp-project/ntp/commit/7fe04606062ed674db3b9553d32dedad29504d61
Comment 2 Martin Prpič 2016-01-20 07:01:52 EST
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1300277]
Comment 3 Martin Prpič 2016-01-20 09:34:52 EST
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 4 Martin Prpič 2016-02-01 03:50:30 EST
Mitigation:

Use the 'restrict default nomodify' directive in ntp.conf to disable modification of ntp.conf via the ntpq command.

Note You need to log in before you can comment on or make changes to this bug.