Bug 943221 - (CVE-2015-7703) VUL-1: CVE-2015-7703 : ntp: config command can be used to set the pidfile and drift file paths
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Reinhard Max
QA Contact: Security Team bot
Reported: 2015-08-26 07:56 UTC by Sebastian Krahmer
Modified: 2019-05-01 16:51 UTC (History)
Found By: Security Response Team

patch (1.69 KB, patch)
2015-08-26 07:59 UTC, Sebastian Krahmer

Description Sebastian Krahmer 2015-08-26 07:56:23 UTC
Quoting from oss-sec:

"It was found that the :config command can be used to set the pidfile and
driftfile paths without any restrictions. A remote attacker could use
this flaw to overwrite a file on the file system with a file containing
the pid of the ntpd process (immediately) or the current estimated drift
of the system clock (in hourly intervals). For example:

ntpq -c ':config pidfile /tmp/ntp.pid'
ntpq -c ':config driftfile /tmp/ntp.drift'

No upstream fix, but Miroslav wrote the attached patch.



Comment 1 Sebastian Krahmer 2015-08-26 07:59:17 UTC
Created attachment 645039

Comment 2 Swamp Workflow Management 2015-08-26 22:00:57 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2015-10-02 15:05:43 UTC
4.2.4 is not affected.
4.2.8 and 4.2.6 are affected.

Affects SLE 11 SP4 and SLE 12.

Planned update.
Comment 4 Reinhard Max 2015-11-13 15:14:07 UTC
CVE-2015-5196 has been rejected as a duplicate, CVE-2015-7703 should be used instead.

Also, I fail to see a security issue here, because :config precisely exists to allow changing the configuration at runtime, and it can only be used after authentication.
Comment 5 Sebastian Krahmer 2015-11-16 13:31:51 UTC
Makes sense. I'd also prefer to have this feature disabled or
restricted to by default. Do we?
Comment 7 Reinhard Max 2015-11-16 14:57:10 UTC
(In reply to Sebastian Krahmer from comment #5)
> I'd also prefer to have this feature disabled or
> restricted to by default. Do we?

Yes, by default remote instances of ntpq (and ntpdc) are blocked completely, local instances have read access without authentication and write access only after authentication.
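
The access policy described in comment 7 can be checked against a given ntp.conf. The following Python script is an added example, not part of the original thread or of the ntp package: it classifies each `restrict` rule by the ntpq/ntpdc access it leaves open and lists the sources from which an authenticated `:config` would be accepted. The sample configuration, its paths and its key number are constructed, and the function names are hypothetical.

```python
# Added example: classify ntp.conf "restrict" rules by ntpq/ntpdc access.
# SAMPLE_CONF is constructed for illustration, not taken from the bug report.

BLOCKS_QUERY = {"ignore", "noquery"}   # no ntpq/ntpdc access at all
BLOCKS_WRITE = {"nomodify"}            # queries allowed, changes refused

SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift/ntp.drift
keys /etc/ntp.keys
trustedkey 1
controlkey 1                     # key that ntpq must use for :config
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 notrap   # constructed risky rule
"""


def audit(conf_text):
    """Return (rules, controlkey); rules maps restrict source -> access level."""
    rules, controlkey, parsed = {}, None, []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(tokens) < 2:
            continue
        if tokens[0] == "controlkey":
            controlkey = tokens[1]
        elif tokens[0] == "restrict":
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args:
                parsed.append((args[0], set(args[1:])))
    for source, flags in parsed:
        if flags & BLOCKS_QUERY:
            rules[source] = "blocked"
        elif flags & BLOCKS_WRITE or controlkey is None:
            # Assumption: without a controlkey no ntpq request can authenticate,
            # so write requests such as :config are refused.
            rules[source] = "read-only"
        else:
            rules[source] = "write after authentication"
    return rules, controlkey


def config_capable(conf_text):
    """Sources from which an authenticated :config would be accepted."""
    rules, _ = audit(conf_text)
    return sorted(s for s, a in rules.items() if a == "write after authentication")


if __name__ == "__main__":
    for source, access in audit(SAMPLE_CONF)[0].items():
        print(f"{source:15} {access}")
```

Any non-loopback source in the `config_capable` result is a host or network whose holder of the control key can repoint the pidfile or driftfile; adding `nomodify` or `noquery` to that rule closes it.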
Comment 8 Sebastian Krahmer 2015-11-16 15:18:50 UTC
closing as WONTFIX
Comment 9 SMASH SMASH 2016-01-07 10:25:08 UTC
An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Jan. 14, 2016".

When done, reassign the bug to "security-team@suse.de".
Comment 10 Swamp Workflow Management 2016-06-14 15:35:01 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-06-21.
When done, reassign the bug to security-team@suse.de.
Comment 11 Swamp Workflow Management 2016-07-29 17:11:31 UTC
SUSE-SU-2016:1912-1: An update that solves 43 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 782060,784760,905885,910063,916617,920183,920238,920893,920895,920905,924202,926510,936327,943218,943221,944300,951351,951559,951629,952611,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977450,977451,977452,977455,977457,977458,977459,977461,977464,979302,981422,982056,982064,982065,982066,982067,982068,988417,988558,988565
CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-5194,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    ntp-4.2.8p8-0.7.1