Bug 928321 - (CVE-2015-3405) VUL-0: CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/116228/
maint:released:sle11-sp1:62087 maint...
Depends on: 935409
Reported: 2015-04-23 09:12 UTC by Andreas Stieger
Modified: 2015-09-04 15:40 UTC

Found By: Security Response Team


Attachments
Proposed patch for the problem raised in comment 11. (638 bytes, patch)
2015-06-16 16:14 UTC, Reinhard Max

Description Andreas Stieger 2015-04-23 09:12:57 UTC
via oss-sec http://seclists.org/oss-sec/2015/q2/260

>     * [Bug 2797] ntp-keygen trapped in endless loop for MD5 keys on big-endian machines.
>     https://bugs.ntp.org/show_bug.cgi?id=2797
> 
>     Patch: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg
> 
> 
>     While the endless loop is not a security flaw per se
> 
> 
> The unstated rationale here seems to be "ntp-keygen is a command-line
> program that is not normally exposed in a way that crosses privilege
> boundaries."
> 
> The documentation mentions:
> 
>   After setting up the environment it is advisable to update certificates
>   from time to time, if only to extend the validity interval.
>   Simply run
>   @code{ntp-keygen}
>   with the same flags as before to generate new certificates
> 
> It seems plausible that some sites may have created a web interface so
> that operations staff can occasionally do a certificate update (maybe
> with a new key), but these staff don't have login access to the
> machine running NTP. The flaw would give them the new ability to
> (sometimes) launch a CPU consumption attack. However, we have not
> actually heard of anyone with a web-based ntp-keygen arrangement, so
> we currently don't want to assign a CVE ID for that.
> 
>     the fact that
>     ntp-keygen generates non-random keys is. If the lowest byte of the temp
>     variable happens to be between 0x20 and 0x7f and not #, the generated
>     MD5 key will consist of 20 identical characters, meaning only 93
>     possible keys can be generated.
> 
> 
> Use CVE-2015-3405 for this code error that results in a key space
> that's much smaller than expected.


References:
http://seclists.org/oss-sec/2015/q2/260
https://bugzilla.redhat.com/show_bug.cgi?id=1210324
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3405
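
An added check for the symptom described in the quoted advisory above (not part of the original bug report and not ntp's own code): it scans an ntp.keys-style file for MD5 entries whose key is 20 copies of one character. The `id type key` line layout, the function names and the sample keys are assumptions constructed for illustration.

```python
# Added example: flag symmetric keys that show the CVE-2015-3405 symptom
# quoted above (an MD5 key consisting of 20 identical characters).
# Assumption: each entry is a whitespace-separated "id type key" line.

KEY_LEN = 20  # key length stated in the advisory text


def is_degenerate(key: str, key_len: int = KEY_LEN) -> bool:
    """True when the key is key_len copies of a single character."""
    return len(key) == key_len and len(set(key)) == 1


def find_weak_keys(text: str) -> list[tuple[int, str]]:
    """Return (line_number, key_id) for each MD5 entry with a degenerate key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        # Skip blanks, comment lines and anything that is not "id type key".
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        key_id, key_type, key = fields[0], fields[1].upper(), fields[2]
        if key_type in ("M", "MD5") and is_degenerate(key):
            hits.append((lineno, key_id))
    return hits


# Constructed sample input, not taken from a real system.
SAMPLE = """\
# ntpkey_MD5key_example (constructed)
1 MD5 kkkkkkkkkkkkkkkkkkkk  # MD5 key
2 MD5 q7[Rw2}xK!e9Zp@dLm4T  # MD5 key
3 MD5 AAAAAAAAAAAAAAAAAAAA  # MD5 key
4 SHA1 0123456789abcdef0123456789abcdef01234567  # SHA1 key
"""

if __name__ == "__main__":
    for lineno, key_id in find_weak_keys(SAMPLE):
        print(f"line {lineno}: key id {key_id} is one repeated character; regenerate it")
```

Any key this flags should be regenerated with a fixed ntp-keygen and redistributed to the peers that share it.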
Comment 3 Swamp Workflow Management 2015-04-23 22:00:15 UTC
bugbot adjusting priority
Comment 8 Swamp Workflow Management 2015-05-13 13:05:32 UTC
SUSE-SU-2015:0865-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 918342,924202,928321
CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-3405
Sources used:
SUSE Linux Enterprise Server 12 (src):    ntp-4.2.6p5-44.1
SUSE Linux Enterprise Desktop 12 (src):    ntp-4.2.6p5-44.1
Comment 10 Andreas Stieger 2015-06-15 11:28:55 UTC
The issue blocking the update for bug 924202 and bug 928321 has been removed. An update will be issued for SUSE Linux Enterprise 11.

Information about affected products updated on
https://www.suse.com/security/cve/CVE-2015-1799.html
https://www.suse.com/security/cve/CVE-2015-3405.html
Comment 13 Reinhard Max 2015-06-16 16:14:41 UTC
Created attachment 638095
Proposed patch for the problem raised in comment 11.
Comment 14 Marcus Meissner 2015-06-18 13:01:27 UTC
Yes, I would take both patches. Both look good to me.
Comment 15 Reinhard Max 2015-06-18 13:35:05 UTC
Thanks, package submitted.
Comment 17 Swamp Workflow Management 2015-07-02 15:05:49 UTC
SUSE-SU-2015:1173-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 924202,928321,935409
CVE References: CVE-2015-1799,CVE-2015-3405
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    ntp-4.2.4p8-1.29.36.1
SUSE Linux Enterprise Server 11 SP3 (src):    ntp-4.2.4p8-1.29.36.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    ntp-4.2.4p8-1.29.36.1
Comment 18 Marcus Meissner 2015-09-04 15:40:53 UTC
I think it's done