Bug 1011404 (CVE-2016-7429)

Summary: VUL-0: CVE-2016-7429: ntp: Attack on interface selection
Product: [Novell Products] SUSE Security Incidents Reporter: Matthias Gerstner <matthias.gerstner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: matthias.gerstner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:RedHat:CVE-2016-7429:2.6:(AV:N/AC:H/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2016-7429:1.0:(AV:L/AC:H/Au:S/C:N/I:N/A:P) maint:released:sle10-sp3:63240 CVSSv2:NVD:CVE-2016-7429:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) maint:released:oes11-sp2:63262 CVSSv3:NVD:CVE-2016-7429:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2016-7429:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1011421    

Description Matthias Gerstner 2016-11-21 16:54:44 UTC 
Summary: When ntpd receives a server response on a socket that corresponds to a different interface than was used for the request, the peer structure is updated to use the interface for new requests. If ntpd is running on a host with multiple interfaces in separate networks and the operating system doesn't check source address in received packets (e.g. rp_filter on Linux is set to 0), an attacker that knows the address of the source can send a packet with spoofed source address which will cause ntpd to select wrong interface for the source and prevent it from sending new requests until the list of interfaces is refreshed, which happens on routing changes or every 5 minutes by default. If the attack is repeated often enough (once per second), ntpd will not be able to synchronize with the source.

Mitigation:

- Implement BCP-38.
- Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
- If you are going to configure your OS to disable source address checks, also configure your firewall configuration to control what interfaces can receive packets from what networks.
- Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.

Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
Comment 1 Matthias Gerstner 2016-11-21 17:30:50 UTC 
http://support.ntp.org/bin/view/Main/NtpBug3072
Comment 2 Swamp Workflow Management 2016-11-21 23:02:16 UTC 
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2016-11-24 15:30:33 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-12-08.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63222
Comment 4 Reinhard Max 2016-11-24 15:55:22 UTC 
Packages submitted.
Comment 6 Swamp Workflow Management 2016-12-19 20:08:20 UTC 
SUSE-SU-2016:3193-1: An update that solves 12 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606
CVE References: CVE-2015-5219,CVE-2015-8139,CVE-2015-8140,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    ntp-4.2.8p9-57.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ntp-4.2.8p9-57.2
Comment 7 Swamp Workflow Management 2016-12-19 20:11:33 UTC 
SUSE-SU-2016:3195-1: An update that solves 10 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606
CVE References: CVE-2015-5219,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ntp-4.2.8p9-55.1
SUSE Linux Enterprise Server 12-SP2 (src):    ntp-4.2.8p9-55.1
SUSE Linux Enterprise Server 12-SP1 (src):    ntp-4.2.8p9-55.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ntp-4.2.8p9-55.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ntp-4.2.8p9-55.1
Comment 8 Swamp Workflow Management 2016-12-19 20:14:03 UTC 
SUSE-SU-2016:3196-1: An update that solves 10 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606
CVE References: CVE-2015-5219,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    ntp-4.2.8p9-46.18.1
SUSE Linux Enterprise Server 12-LTSS (src):    ntp-4.2.8p9-46.18.1
Comment 9 Swamp Workflow Management 2016-12-28 15:08:03 UTC 
openSUSE-SU-2016:3280-1: An update that solves 10 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606
CVE References: CVE-2015-5219,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Sources used:
openSUSE Leap 42.2 (src):    ntp-4.2.8p9-27.1
openSUSE Leap 42.1 (src):    ntp-4.2.8p9-27.1
Comment 10 Swamp Workflow Management 2017-01-23 15:10:01 UTC 
SUSE-SU-2017:0255-1: An update that solves 12 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606
CVE References: CVE-2015-5219,CVE-2015-8139,CVE-2015-8140,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Sources used:
SUSE OpenStack Cloud 5 (src):    ntp-4.2.8p9-48.9.1
SUSE Manager Proxy 2.1 (src):    ntp-4.2.8p9-48.9.1
SUSE Manager 2.1 (src):    ntp-4.2.8p9-48.9.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    ntp-4.2.8p9-48.9.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    ntp-4.2.8p9-48.9.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    ntp-4.2.8p9-48.9.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    ntp-4.2.8p9-48.9.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    ntp-4.2.8p9-48.9.1
Comment 11 Marcus Meissner 2017-03-02 13:59:58 UTC 
released