Bug 924202 - (CVE-2015-1798) VUL-0: CVE-2015-1798 CVE-2015-1799: two new ntp flaws
Status: RESOLVED FIXED
Duplicates: 957163
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Whiteboard: maint:released:sle11-sp1:62087 maint:...
Depends on: 935409
Blocks: 927497 957163
Reported: 2015-03-25 09:43 UTC by Marcus Meissner
Modified: 2019-08-22 14:41 UTC
CC: 11 users

Attachments:
ntp-rejectnoauth.patch (1.21 KB, patch), 2015-04-07 10:48 UTC, Marcus Meissner
ntp-avoid-dos.patch (979 bytes, patch), 2015-04-07 10:50 UTC, Marcus Meissner

Comment 3 Swamp Workflow Management 2015-03-25 23:00:24 UTC
bugbot adjusting priority
Comment 7 Marcus Meissner 2015-04-07 10:42:04 UTC
is public now.

http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

ntpd accepts unauthenticated packets with symmetric key crypto.

    References: Sec 2779 / CVE-2015-1798 / VU#374268
    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not including ntp-4.2.8p2 where the installation uses symmetric keys to authenticate remote associations.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: When ntpd is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key. The attacker needs to know the transmit timestamp of the client to match it in the forged reply and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn't necessarily need to be relaying the packets between the client and the server.

    Authentication using autokey doesn't have this problem as there is a check that requires the key ID to be larger than NTP_MAXKEY, which fails for packets without a MAC.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
        Configure ntpd with enough time sources and monitor it properly. 
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 

Authentication doesn't protect symmetric associations against DoS attacks.

    References: Sec 2781 / CVE-2015-1799 / VU#374268
    Affects: All NTP releases starting with at least xntp3.3wy up to but not including ntp-4.2.8p2 where the installation uses symmetric key authentication.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Note: the CVSS base Score for this issue could be 4.3 or lower, and it could be higher than 5.4.
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: An attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with originate timestamp that doesn't match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. This is a known denial-of-service attack, described at https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to protect symmetric associations against this attack, but that doesn't seem to be the case. The state variables are updated even when authentication fails and the peers are sending packets with originate timestamps that don't match the transmit timestamps on the receiving side.

    This seems to be a very old problem, dating back to at least xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905) specifications, so other NTP implementations with support for symmetric associations and authentication may be vulnerable too. An update to the NTP RFC to correct this error is in-process.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
        Note that for users of autokey, this specific style of MITM attack is simply a long-known potential problem.
        Configure ntpd with appropriate time sources and monitor ntpd. Alert your staff if problems are detected. 
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
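To make the first advisory's check concrete, here is an added Python model (not ntpd source and not part of the bug report) of the symmetric-key MAC check before and after the fix for CVE-2015-1798. The key table, the shared secret and the header contents are constructed; the MAC is the classic NTP MD5 digest over key followed by the 48-byte header.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # LI/VN/mode through the transmit timestamp
NTP_MAXKEY = 65535       # key IDs above this are reserved for autokey
MAC_LEN = 4 + 16         # 32-bit key ID followed by a 16-byte MD5 digest

def ntp_mac(key: bytes, header: bytes) -> bytes:
    """NTP MD5 MAC: digest over the shared key followed by the 48-byte header."""
    return hashlib.md5(key + header).digest()

def build_header(xmt: int) -> bytes:
    # constructed NTPv4 client (mode 3) header: LI/VN/mode, stratum, poll, precision,
    # zeroed root delay/dispersion/refid, then reference/originate/receive/transmit
    return (struct.pack("!BBBb", 0x23, 0, 6, -20) + b"\x00" * 12
            + struct.pack("!QQQQ", 0, 0, 0, xmt))

def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)

def mac_valid(header: bytes, mac: bytes, keys: dict) -> bool:
    """Validate a MAC that is present against the configured symmetric keys."""
    if len(mac) != MAC_LEN:
        return False
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id > NTP_MAXKEY or key_id not in keys:   # autokey range or unknown key
        return False
    return hmac.compare_digest(ntp_mac(keys[key_id], header), mac[4:])

def accept_vulnerable(packet: bytes, keys: dict) -> bool:
    """Pre-4.2.8p2 behaviour as the advisory describes it: the MAC is checked
    only when one is present, so a packet carrying no MAC at all is accepted."""
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    return True if not mac else mac_valid(header, mac, keys)

def accept_fixed(packet: bytes, keys: dict) -> bool:
    """Fixed behaviour: a symmetric-key association requires a valid MAC."""
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    return bool(mac) and mac_valid(header, mac, keys)

def demo() -> dict:
    keys = {1: b"constructed-shared-secret"}      # constructed ntp.keys entry
    header = build_header(0xE4C1F2A300000000)
    cases = {"valid_mac": append_mac(header, 1, keys[1]),
             "no_mac": header,                     # the CVE-2015-1798 case
             "wrong_key": append_mac(header, 1, b"wrong-secret")}
    return {n: (accept_vulnerable(p, keys), accept_fixed(p, keys)) for n, p in cases.items()}
```

Each entry of the returned dict is (accepted by the old check, accepted by the fixed check); only the MAC-less packet separates the two.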
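The second advisory's state-variable problem (CVE-2015-1799), as an added model that is neither ntpd code nor part of the advisory: two symmetric peers exchange originate and transmit stamps, the MAC outcome is modelled as a flag, and a constructed logical clock stands in for real timestamps. It shows why refusing to update peer state before authentication succeeds restores the protection the RFC assumed.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str         # source address the packet claims to come from
    org: int         # originate stamp: echoes the receiver's last transmit stamp
    xmt: int         # the sender's transmit stamp
    authentic: bool  # result of the MAC check, modelled here as a flag

@dataclass
class Peer:
    name: str
    remote: str
    fixed: bool      # True: 4.2.8p2 behaviour, state changes only after auth succeeds
    org: int = 0     # last transmit stamp received from the remote peer
    xmt: int = 0     # our own last transmit stamp
    clock: int = 0   # constructed logical clock standing in for NTP timestamps

    def poll(self) -> Packet:
        self.clock += 1
        self.xmt = self.clock
        return Packet(self.name, self.org, self.xmt, authentic=True)

    def receive(self, pkt: Packet) -> bool:
        """True if the packet passes the originate and authentication checks."""
        if pkt.src != self.remote:
            return False
        bogus = self.xmt != 0 and pkt.org != self.xmt   # originate must echo our xmt
        if self.fixed and not pkt.authentic:
            return False             # fixed: dropped before any state is touched
        self.org = pkt.xmt           # pre-4.2.8p2: updated even when auth failed
        return pkt.authentic and not bogus

def run(fixed: bool) -> tuple:
    """Returns (did B accept A's next poll, A's org after the unauthenticated packet)."""
    a, b = Peer("A", "B", fixed), Peer("B", "A", fixed)
    b.receive(a.poll())
    a.receive(b.poll())                                     # one clean exchange
    spoofed = Packet("B", org=0, xmt=999, authentic=False)  # constructed, not from B
    a.receive(spoofed)
    return b.receive(a.poll()), a.org
```

With the old behaviour the unauthenticated packet overwrites A's originate state, so B rejects A's next genuine poll; with the fix A's state is untouched and the exchange continues.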
Comment 8 Swamp Workflow Management 2015-04-07 10:45:10 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-04-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61425
Comment 9 Marcus Meissner 2015-04-07 10:48:51 UTC
Created attachment 630182 [details]
ntp-rejectnoauth.patch

ntp-rejectnoauth.patch from http://bugs.ntp.org/show_bug.cgi?id=2779
to fix CVE-2015-1798
Comment 10 Marcus Meissner 2015-04-07 10:50:06 UTC
Created attachment 630183 [details]
ntp-avoid-dos.patch

fix attached to http://bugs.ntp.org/show_bug.cgi?id=2781 for CVE-2015-1799
Comment 12 Marcus Meissner 2015-04-07 15:50:32 UTC
CVE-2015-1798 does not affect SLE11 SP3 and older, as it did the checking differently.
Comment 18 Andreas Stieger 2015-04-23 09:27:06 UTC
Please add bug 928321
Comment 19 Swamp Workflow Management 2015-04-27 11:06:29 UTC
openSUSE-SU-2015:0775-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 924202
CVE References: CVE-2015-1798,CVE-2015-1799
Sources used:
openSUSE 13.2 (src):    ntp-4.2.6p5-25.12.1
openSUSE 13.1 (src):    ntp-4.2.6p5-15.16.1
Comment 25 Swamp Workflow Management 2015-05-13 13:05:22 UTC
SUSE-SU-2015:0865-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 918342,924202,928321
CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-3405
Sources used:
SUSE Linux Enterprise Server 12 (src):    ntp-4.2.6p5-44.1
SUSE Linux Enterprise Desktop 12 (src):    ntp-4.2.6p5-44.1
Comment 26 Branislav Havel 2015-05-25 08:30:56 UTC
Are the patches planned to be released for SLES11SP3 as well? Thank you
Comment 27 Sebastian Krahmer 2015-05-26 08:05:22 UTC
Reinhard, any progress with bsc#916584 so we can make sp3 updates for this one?
Comment 28 Branislav Havel 2015-06-01 07:38:49 UTC
I would like to ask you whether you have had a chance to make any progress in order to release SP3 patches?

Thank you
Comment 29 Andreas Stieger 2015-06-01 08:50:57 UTC
(In reply to Branislav Havel from comment #28)
> I would like to ask you whether you have had a chance to make any progress
> in order to release SP3 patches?

We have not made progress, this is pending the engineering resolution to another issue. I have poked everyone involved to get to a go/no-go decision.
Comment 32 Andreas Stieger 2015-06-15 11:28:56 UTC
The issue blocking the update for bug 924202 and bug 928321 has been removed. An update will be issued for SUSE Linux Enterprise 11.

Information about affected products updated on
https://www.suse.com/security/cve/CVE-2015-1799.html
https://www.suse.com/security/cve/CVE-2015-3405.html
Comment 38 Swamp Workflow Management 2015-07-02 15:05:35 UTC
SUSE-SU-2015:1173-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 924202,928321,935409
CVE References: CVE-2015-1799,CVE-2015-3405
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    ntp-4.2.4p8-1.29.36.1
SUSE Linux Enterprise Server 11 SP3 (src):    ntp-4.2.4p8-1.29.36.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    ntp-4.2.4p8-1.29.36.1
Comment 39 Reinhard Max 2015-09-17 14:20:19 UTC
I think we're done with this.
Comment 40 Swamp Workflow Management 2015-10-23 09:30:51 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-10-30.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62313
Comment 41 Leonardo Chiquitto 2015-12-28 18:48:59 UTC
*** Bug 957163 has been marked as a duplicate of this bug. ***
Comment 43 SMASH SMASH 2016-01-07 10:24:16 UTC
An update workflow for this issue was started.

This issue was rated as "important".
Please submit fixed packages until "Jan. 14, 2016".

When done, reassign the bug to "security-team@suse.de".
/update/121227/.
Comment 49 Reinhard Max 2016-05-18 10:52:59 UTC
Now also submitted for SLE10.
Comment 50 Marcus Meissner 2016-06-01 16:16:47 UTC
sle10 still open, but close anyway
Comment 51 Swamp Workflow Management 2016-06-14 15:34:31 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-06-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62822
Comment 52 Swamp Workflow Management 2016-07-29 17:10:48 UTC
SUSE-SU-2016:1912-1: An update that solves 43 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 782060,784760,905885,910063,916617,920183,920238,920893,920895,920905,924202,926510,936327,943218,943221,944300,951351,951559,951629,952611,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977450,977451,977452,977455,977457,977458,977459,977461,977464,979302,981422,982056,982064,982065,982066,982067,982068,988417,988558,988565
CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-5194,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    ntp-4.2.8p8-0.7.1