Bugzilla – Bug 943221
VUL-1: CVE-2015-7703 : ntp: config command can be used to set the pidfile and drift file paths
Last modified: 2019-05-01 16:51:45 UTC
Quoting from oss-sec:
"It was found that the :config command can be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). For example:
ntpq -c ':config pidfile /tmp/ntp.pid'
ntpq -c ':config driftfile /tmp/ntp.drift'
No upstream fix, but Miroslav wrote the attached patch."
rh#1254547
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1254547
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5196
Created attachment 645039: patch
bugbot adjusting priority
4.2.4 is not affected. 4.2.8 and 4.2.6 are affected. Affects SLE 11 SP4 and SLE 12. Planned update.
CVE-2015-5196 has been rejected as a duplicate, CVE-2015-7703 should be used instead. Also, I fail to see a security issue here, because :config precisely exists to allow changing the configuration at runtime, and it can only be used after authentication.
Makes sense. I'd also prefer to have this feature disabled or restricted to 127.0.0.1 by default. Do we?
(In reply to Sebastian Krahmer from comment #5)
> I'd also prefer to have this feature disabled or
> restricted to 127.0.0.1 by default. Do we?
Yes, by default remote instances of ntpq (and ntpdc) are blocked completely, local instances have read access without authentication and write access only after authentication.
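The comment above describes the access policy that makes :config a non-issue for remote clients: ntpq/ntpdc traffic from remote hosts is rejected outright, and localhost gets read access but must authenticate to write. The check below is an added example written for this page (not part of ntp or of the SUSE update) that audits an ntp.conf text for that policy by parsing its restrict directives. It assumes the standard ntpd restrict flag semantics (noquery rejects ntpq/ntpdc control traffic, nomodify allows queries but refuses runtime configuration changes, and an address with no 'restrict default' line is unrestricted); the sample configurations and the function names are constructed for the example.

```python
"""Audit ntp.conf restrict directives for the default ntpq/ntpdc policy.

Hypothetical check written for this page; not part of ntp or of any
distribution package. Sample configurations below are constructed.
"""
from dataclasses import dataclass

# Constructed sample: the locked-down policy described in the bug comment.
SAMPLE_LOCKED_DOWN = """
driftfile /var/lib/ntp/drift/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

# Constructed sample: remote hosts may query and modify (no nomodify/noquery).
SAMPLE_OPEN = """
driftfile /var/lib/ntp/drift/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod notrap nopeer
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap   # mask pair is not a flag
restrict 127.0.0.1
"""

# Constructed sample: remote queries answered, runtime config changes refused.
SAMPLE_QUERY_ONLY = """
restrict default nomodify
restrict 127.0.0.1
"""


@dataclass
class RestrictEntry:
    address: str        # 'default', an IP address, or a hostname
    flags: frozenset    # e.g. {'kod', 'nomodify', 'noquery'}


def parse_restrict(conf_text):
    """Return one RestrictEntry per restrict directive in conf_text."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens and tokens[0] in ("-4", "-6"):   # address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        address, rest = tokens[0], tokens[1:]
        flags = set()
        i = 0
        while i < len(rest):
            if rest[i] == "mask" and i + 1 < len(rest):
                i += 2                              # skip the netmask argument
                continue
            flags.add(rest[i])
            i += 1
        entries.append(RestrictEntry(address, frozenset(flags)))
    return entries


def audit_remote_access(conf_text):
    """Report whether hosts covered only by 'restrict default' (i.e. remote
    clients) can query or modify ntpd through ntpq/ntpdc.

    With no 'restrict default' line at all ntpd applies no restriction, so
    both actions are reported as allowed.
    """
    defaults = [e for e in parse_restrict(conf_text) if e.address == "default"]
    if not defaults:
        return {"remote_query_blocked": False, "remote_modify_blocked": False}
    return {
        # noquery rejects ntpq/ntpdc control traffic entirely
        "remote_query_blocked": all("noquery" in e.flags for e in defaults),
        # nomodify answers queries but refuses runtime changes such as
        # ':config pidfile ...' or ':config driftfile ...'
        "remote_modify_blocked": all("nomodify" in e.flags for e in defaults),
    }


def local_full_access(conf_text):
    """True when 127.0.0.1 keeps query and modify access (subject to ntpd's
    own authentication for writes): either a dedicated restrict line with no
    blocking flags, or no 'restrict default' that would block it."""
    entries = parse_restrict(conf_text)
    blocking = {"ignore", "noquery", "nomodify"}
    for e in entries:
        if e.address == "127.0.0.1":
            return not (e.flags & blocking)
    # No localhost-specific line: localhost falls under the default policy.
    return not any(e.address == "default" and e.flags & blocking for e in entries)


if __name__ == "__main__":
    for name, conf in (("locked-down", SAMPLE_LOCKED_DOWN),
                       ("open", SAMPLE_OPEN),
                       ("query-only", SAMPLE_QUERY_ONLY)):
        print(name, audit_remote_access(conf), "local:", local_full_access(conf))
```

Run against a real /etc/ntp.conf by reading the file into a string and passing it to audit_remote_access; a result with remote_modify_blocked False is the case where the :config pidfile/driftfile behaviour would be reachable by an authenticated remote client.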
closing as WONTFIX
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Jan. 14, 2016". When done, reassign the bug to "security-team@suse.de". /update/121227/.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-06-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62822
SUSE-SU-2016:1912-1: An update that solves 43 vulnerabilities and has 9 fixes is now available.
Category: security (important)
Bug References: 782060,784760,905885,910063,916617,920183,920238,920893,920895,920905,924202,926510,936327,943218,943221,944300,951351,951559,951629,952611,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977450,977451,977452,977455,977457,977458,977459,977461,977464,979302,981422,982056,982064,982065,982066,982067,982068,988417,988558,988565
CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-5194,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src): ntp-4.2.8p8-0.7.1