Bug 1300654 (CVE-2015-8139) - CVE-2015-8139 ntp: ntpq and ntpdc disclose origin timestamp to unauthenticated clients
Summary: CVE-2015-8139 ntp: ntpq and ntpdc disclose origin timestamp to unauthenticate...
Status: CLOSED WONTFIX
Alias: CVE-2015-8139
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160120,repor...
Keywords: Security
Depends On: 1300277 1342128
Blocks: 1297474
TreeView+ depends on / blocked
 
Reported: 2016-01-21 11:17 UTC by Andrej Nemec
Modified: 2016-07-02 19:32 UTC (History)
2 users (show)

Fixed In Version: ntp-4.2.8p6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-21 13:33:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Andrej Nemec 2016-01-21 11:17:44 UTC
To prevent off-path attackers from impersonating legitimate peers, clients require that the origin timestamp in a received response packet match the transmit timestamp from its last request to a given peer. Under assumption that only the recipient of the request packet will know the value of the transmit timestamp, this prevents an attacker from forging replies

Upstream bug report:

http://support.ntp.org/bin/view/Main/NtpBug2946

Comment 2 Martin Prpič 2016-01-21 13:33:45 UTC
Upstream has not released a fix for this issue and has opted for publishing a mitigation instead.

Mitigation:

This issue can be mitigated by one of the following methods: adding the noquery option to all restrict entries in ntp.conf, configuring ntpd to get time from multiple sources, or using a restriction list in your ntp.conf to limit who is allowed to issue ntpq and ntpdc queries. Note that ntpdc queries are disabled by default.

Comment 3 Fedora Update System 2016-06-18 18:47:20 UTC
ntp-4.2.6p5-41.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-07-02 19:26:42 UTC
ntp-4.2.6p5-41.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-07-02 19:32:30 UTC
ntp-4.2.6p5-41.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.