Bug 1300654 – CVE-2015-8139 ntp: ntpq and ntpdc disclose origin timestamp to unauthenticated clients

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1300654 - (CVE-2015-8139) CVE-2015-8139 ntp: ntpq and ntpdc disclose origin timestamp to unauthenticated clients

Summary:	CVE-2015-8139 ntp: ntpq and ntpdc disclose origin timestamp to unauthenticate...

Status:	CLOSED WONTFIX

Aliases:	CVE-2015-8139

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20160120,repor...
Keywords:	Security

Depends On:	1300277 1342128
Blocks:	1297474
	Show dependency tree / graph

Reported:	2016-01-21 06:17 EST by Andrej Nemec
Modified:	2016-07-02 15:32 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:	ntp-4.2.8p6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-01-21 08:33:45 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrej Nemec 2016-01-21 06:17:44 EST

To prevent off-path attackers from impersonating legitimate peers, clients require that the origin timestamp in a received response packet match the transmit timestamp from its last request to a given peer. Under assumption that only the recipient of the request packet will know the value of the transmit timestamp, this prevents an attacker from forging replies

Upstream bug report:

http://support.ntp.org/bin/view/Main/NtpBug2946

Comment 1 Martin Prpič 2016-01-21 06:26:14 EST

External References:

http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_p6_NTP_Security_Vul
http://www.talosintel.com/reports/TALOS-2016-0078/

Comment 2 Martin Prpič 2016-01-21 08:33:45 EST

Upstream has not released a fix for this issue and has opted for publishing a mitigation instead.

Mitigation:

This issue can be mitigated by one of the following methods: adding the noquery option to all restrict entries in ntp.conf, configuring ntpd to get time from multiple sources, or using a restriction list in your ntp.conf to limit who is allowed to issue ntpq and ntpdc queries. Note that ntpdc queries are disabled by default.

Comment 3 Fedora Update System 2016-06-18 14:47:20 EDT

ntp-4.2.6p5-41.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-07-02 15:26:42 EDT

ntp-4.2.6p5-41.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-07-02 15:32:30 EDT

ntp-4.2.6p5-41.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.