Bug 936690 (CVE-2015-5146)

Summary: VUL-1: CVE-2015-5146: ntp,xntp: ntpd control message crash: Crafted NUL-byte in configuration directive. VU#668167
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: astieger, jsegitz, smash_bz, vpereira
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:RedHat:CVE-2015-5146:1.4:(AV:A/AC:H/Au:S/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2015-5146:1.4:(AV:A/AC:H/Au:S/C:N/I:N/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2015-07-01 05:53:22 UTC
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi

 ntpd control message crash: Crafted NUL-byte in configuration directive.

    Date Resolved: Stable (4.2.8p3) 29 Jun 2015
    References: Sec 2853/ CVE-2015-5146 / VU#668167 / CERT-FI Case 829967
    Affects: 4.2.5p3 up to, but not including 4.2.8p3-RC1, and 4.3.0 up to, but not including 4.3.25
    CVSS: (AV:A/AC:M/Au:S/C:P/I:P/A:P) Base Score: 4.9 at likely worst, 1.4 or less at likely best
    Summary: Under limited and specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true:
        ntpd set up to allow for remote configuration (not allowed by default), and
        knowledge of the configuration password, and
        access to a computer entrusted to perform remote configuration. 
    Mitigation:
        Upgrade to 4.2.8p3-RC1 or 4.3.25, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
        Be prudent when deciding what IP addresses can perform remote configuration of an ntpd instance.
        Monitor your ntpd instances. 
    Credit: This weakness was discovered by Aleksis Kauppinen of Codenomicon.
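Added example, not part of the bug report or of the NTP project's code: a check of upstream ntpd version strings against the two affected ranges quoted above, including the boundary where 4.2.8p3-RC1 sorts before the final 4.2.8p3. The function names, host names and version banners are constructed for illustration.

```python
import re

# Upstream NTP versions look like 4.2.8, 4.2.8p3 or 4.2.8p3-RC1.
# Pass only the version banner: the first match in the string is used.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?:-RC(\d+))?", re.IGNORECASE)

FINAL = float("inf")  # a final release sorts after all of its release candidates


def parse_ntp_version(text):
    """Return a sortable key (major, minor, point, patch, rc) for an NTP version."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no NTP version found in {text!r}")
    major, minor, point = (int(m.group(i)) for i in (1, 2, 3))
    patch = int(m.group(4)) if m.group(4) else 0
    rc = int(m.group(5)) if m.group(5) else FINAL
    return (major, minor, point, patch, rc)


# Affected ranges from the advisory, as [low, high) pairs:
# 4.2.5p3 up to, but not including, 4.2.8p3-RC1; 4.3.0 up to, but not including, 4.3.25.
AFFECTED_RANGES = [
    (parse_ntp_version("4.2.5p3"), parse_ntp_version("4.2.8p3-RC1")),
    (parse_ntp_version("4.3.0"), parse_ntp_version("4.3.25")),
]


def is_affected(version_text):
    """True if the upstream version falls inside an affected range."""
    key = parse_ntp_version(version_text)
    return any(low <= key < high for low, high in AFFECTED_RANGES)


def affected_hosts(inventory):
    """Return the sorted host names whose reported ntpd version is affected."""
    return sorted(host for host, banner in inventory.items() if is_affected(banner))


# Constructed sample inventory (host names and banners are made up).
SAMPLE_INVENTORY = {
    "ntp-a.example": "ntpd 4.2.6p5@1.2349-o",
    "ntp-b.example": "ntpd 4.2.8p3-RC1",
    "ntp-c.example": "ntpd 4.2.4p8",
    "ntp-d.example": "ntpd 4.3.24",
}

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```

This compares upstream version strings only; a distribution package can carry a backported fix under an older version number, so package changelogs decide for distro builds.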
Comment 1 Marcus Meissner 2015-07-01 05:53:54 UTC
CERT VU#668167
Comment 2 Andreas Stieger 2015-07-01 10:37:12 UTC
"This bug affects ntpd-4.2.5p3 until 4.2.8p3, or 4.3.0 until 4.3.25."

SLE 11 SP3 and earlier not affected.
SLE 11 SP4 affected
SLE 12 affected

openSUSE 13.1 affected
openSUSE 13.2 affected
Comment 3 Swamp Workflow Management 2015-07-01 22:00:17 UTC
bugbot adjusting priority
Comment 4 SMASH SMASH 2016-01-07 10:24:37 UTC
An update workflow for this issue was started.

This issue was rated as "low".
Please submit fixed packages until "Jan. 14, 2016".

When done, reassign the bug to "security-team@suse.de".
/update/121227/.
Comment 5 Reinhard Max 2016-05-18 10:51:48 UTC
Fix contained in the 4.2.8p6/p7 update.
Comment 6 Marcus Meissner 2016-06-01 16:18:49 UTC
released