The TEST2 check of the originate timestamp in received packets, which requires the timestamp to match the value of the peer->aorg variable and which is supposed to be random to prevent spoofing attacks has been found to be faulty. When ntpd receives a reply, it clears the peer->aorg variable to prevent a replay attack. This makes the value known to the attacker and a spoofed packet with a zero originate timestamp will pass the TEST2. This means an off-path attacker can disrupt the synchronization with KoD packets, similar to CVE-2015-7704, or they can push arbitrary offset/delay measurements to the client, taking full control over the clock or cause ntpd to exit with an offset larger than the panic threshold.
Upstream commit: https://github.com/ntp-project/ntp/commit/880191b72409a1965712999d248d70e6f7163af8
External References: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit http://www.talosintel.com/reports/TALOS-2016-0077/
Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1300277]
Statement: This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5 as they do not include the affected code, which was introduced in version 4.2.6 of NTP.
The upstream fix for this issue is reported to be incomplete: http://bugs.ntp.org/show_bug.cgi?id=2945#c7 http://lists.ntp.org/pipermail/hackers/2016-January/007406.html
(In reply to Martin Prpic from comment #8) > The upstream fix for this issue is reported to be incomplete: > > http://bugs.ntp.org/show_bug.cgi?id=2945#c7 > http://lists.ntp.org/pipermail/hackers/2016-January/007406.html Clarification: The patch proposed by upstream has been found not address the CVE-2015-8138 issue because it doesn't apply with a fix that was applied for a different issue. The problematic upstream merge is: https://github.com/ntp-project/ntp/commit/5e16a06fa7dea9fcbfc1b2fc3cba0d2629171e80#diff-3b84eda3a15fdd99dcf77a2d85423721L1331 Red Hat has not included the patch to fix the previous issue and used a slightly modified version of the upstream patch to fix CVE-2015-8138.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0063 https://rhn.redhat.com/errata/RHSA-2016-0063.html
ntp-4.2.6p5-36.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.6p5-36.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.