Bug 951629 - (CVE-2015-5300) VUL-0: CVE-2015-5300: ntp: MITM attacker can force ntpd to make a step larger than the panic threshold
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/158084/
CVSSv2:RedHat:CVE-2015-5300:4.3:(AV:N...
Reported: 2015-10-22 15:59 UTC by Andreas Stieger
Modified: 2016-08-18 15:52 UTC (History)
Found By: Security Response Team
Description Andreas Stieger 2015-10-22 15:59:41 UTC
Via RH and https://www.cs.bu.edu/~goldbe/NTPattack.html

Attack 3 (Timeshifting by Reboot). We discuss how an on-path attacker that hijacks traffic to an NTP server (using, for example, BGP or DNS hijacks) can shift time on the server's clients. Under normal conditions, if NTP attempts to update the local clock by a value that exceeds the panic threshold (about 16 minutes), then the NTP client "SHOULD exit with a diagnostic message to the system log". We discuss how to circumvent the panic threshold by exploiting ntpd's behavior upon reboot. We also present the small-step-big-step attack, which allows an attacker that reboots the client to stealthily create a big time step and then quickly bring the client's clock back to normal; this attack is useful for stealthily flushing a client's cache, or for causing a specific cryptographic object to expire. Our small-step-big-step attack is described in CVE-2015-5300 and Section IV.B of our technical paper.


-g   Normally, ntpd exits with a message to the system log if the offset exceeds the panic threshold, which is 1000 s by default. This option allows the time to be set to any value without restriction; however, this can happen only once. If the threshold is exceeded after that, ntpd will exit with a message to the system log. This option can be used with the -q and -x options. See the tinker command for other options.

ntpd could actually step the clock multiple times by more than the panic threshold if its clock discipline doesn't have enough time to reach the sync state and stay there for at least one update. If a man-in-the-middle attacker can control the NTP traffic since ntpd was started (or maybe up to 15-30 minutes after that), they can prevent the client from reaching the sync state and force it to step its clock by any amount any number of times, which can be used by attackers to expire certificates, etc.

This is contrary to what the documentation says. Normally, the assumption is that an MITM attacker can step the clock more than the panic threshold only once when ntpd starts and to make a larger adjustment the attacker has to divide it into multiple smaller steps, each taking 15 minutes, which is slow.

Proposed patch at https://bugzilla.redhat.com/attachment.cgi?id=1082271





References:
https://bugzilla.redhat.com/show_bug.cgi?id=1271076
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5300
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5300.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300
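
A detection sketch for the behaviour described above, added here as an example and not part of the original report or of ntp itself: it scans syslog for ntpd runs that stepped the clock past the panic threshold more than once, which the -g documentation says cannot happen. The `clock_step` log line shape, the sample lines and the function names are assumptions.

```python
import re
from collections import defaultdict

# Default panic threshold quoted in the -g description above (seconds).
PANIC_THRESHOLD_S = 1000.0

# Assumed syslog shape for an ntpd step event:
#   "<ts> <host> ntpd[PID]: 0.0.0.0 c61c 0c clock_step +1234.567 s"
STEP_RE = re.compile(
    r"ntpd\[(?P<pid>\d+)\]:.*\bclock_step\s+(?P<off>[+-]?\d+(?:\.\d+)?)\s*s\b"
)

def panic_steps_by_run(lines, threshold=PANIC_THRESHOLD_S):
    """Map each ntpd PID (one daemon run) to its steps larger than threshold."""
    runs = defaultdict(list)
    for line in lines:
        m = STEP_RE.search(line)
        if not m:
            continue
        offset = float(m.group("off"))
        if abs(offset) > threshold:
            runs[m.group("pid")].append(offset)
    return dict(runs)

def suspicious_runs(lines, threshold=PANIC_THRESHOLD_S):
    """Runs with more than one over-threshold step.

    With -g, a single large step at startup is documented behaviour; a
    second one in the same run matches the condition in this bug.
    """
    return {
        pid: steps
        for pid, steps in panic_steps_by_run(lines, threshold).items()
        if len(steps) > 1
    }

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    "Oct 22 10:00:01 host ntpd[811]: ntpd 4.2.8p4: Starting",
    "Oct 22 10:03:12 host ntpd[811]: 0.0.0.0 c61c 0c clock_step +86400.2 s",
    "Oct 22 10:09:40 host ntpd[811]: 0.0.0.0 c61c 0c clock_step -86399.9 s",
    "Oct 22 10:30:00 host ntpd[811]: 0.0.0.0 c61c 0c clock_step +0.3 s",
    "Oct 23 08:00:05 host ntpd[2044]: 0.0.0.0 c61c 0c clock_step +3600.0 s",
]

if __name__ == "__main__":
    for pid, steps in suspicious_runs(SAMPLE_LOG).items():
        print(f"ntpd[{pid}]: {len(steps)} steps beyond panic threshold: {steps}")
```

Grouping by PID treats each daemon start as one run; on hosts where PIDs may be reused within the log window, split runs on the daemon's start message as well.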
Comment 1 Swamp Workflow Management 2015-10-22 22:00:56 UTC
bugbot adjusting priority
Comment 2 SMASH SMASH 2016-01-07 10:26:07 UTC
An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Jan. 14, 2016".

When done, reassign the bug to "security-team@suse.de".
/update/121227/.
Comment 3 Bernhard Wiedemann 2016-03-11 13:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (951629) was mentioned in
https://build.opensuse.org/request/show/370038 Factory / ntp
Comment 7 Swamp Workflow Management 2016-04-28 17:09:52 UTC
SUSE-SU-2016:1175-1: An update that solves 12 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 782060,784760,916617,951559,951629,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981
CVE References: CVE-2015-5300,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    ntp-4.2.8p6-8.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ntp-4.2.8p6-8.2
Comment 8 Swamp Workflow Management 2016-04-28 17:13:17 UTC
SUSE-SU-2016:1177-1: An update that solves 12 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 782060,916617,937837,951559,951629,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981
CVE References: CVE-2015-5300,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    yast2-ntp-client-3.1.22-6.2
SUSE Linux Enterprise Server 12-SP1 (src):    ntp-4.2.8p6-8.2, yast2-ntp-client-3.1.22-6.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    ntp-4.2.8p6-8.2, yast2-ntp-client-3.1.22-6.2
Comment 9 Swamp Workflow Management 2016-05-06 11:10:31 UTC
SUSE-SU-2016:1247-1: An update that solves 28 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 782060,905885,910063,916617,920238,926510,936327,937837,942587,944300,946386,951559,951608,951629,954982,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981
CVE References: CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    yast2-ntp-client-3.1.12.4-8.2
SUSE Linux Enterprise Server 12 (src):    ntp-4.2.8p6-46.5.2, yast2-ntp-client-3.1.12.4-8.2
SUSE Linux Enterprise Desktop 12 (src):    ntp-4.2.8p6-46.5.2, yast2-ntp-client-3.1.12.4-8.2
Comment 10 Swamp Workflow Management 2016-05-12 19:08:40 UTC
openSUSE-SU-2016:1292-1: An update that solves 12 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 782060,916617,937837,951559,951629,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981
CVE References: CVE-2015-5300,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Sources used:
openSUSE Leap 42.1 (src):    ntp-4.2.8p6-15.1, yast2-ntp-client-3.1.22-6.1
Comment 11 Swamp Workflow Management 2016-05-17 13:13:15 UTC
SUSE-SU-2016:1311-1: An update that solves 30 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 782060,784760,905885,910063,916617,920183,920238,926510,936327,937837,942441,942587,943216,943218,944300,946386,951351,951559,951608,951629,954982,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981
CVE References: CVE-2015-5194,CVE-2015-5219,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Sources used:
SUSE OpenStack Cloud 5 (src):    ntp-4.2.8p6-41.1
SUSE Manager Proxy 2.1 (src):    ntp-4.2.8p6-41.1
SUSE Manager 2.1 (src):    ntp-4.2.8p6-41.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    ntp-4.2.8p6-41.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    ntp-4.2.8p6-41.1, yast2-ntp-client-2.17.14.1-1.12.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    ntp-4.2.8p6-41.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    ntp-4.2.8p6-41.1
Comment 12 Bernhard Wiedemann 2016-05-18 10:00:42 UTC
This is an autogenerated message for OBS integration:
This bug (951629) was mentioned in
https://build.opensuse.org/request/show/396591 13.2 / ntp
Comment 13 Swamp Workflow Management 2016-05-27 13:18:15 UTC
openSUSE-SU-2016:1423-1: An update that fixes 37 vulnerabilities is now available.

Category: security (moderate)
Bug References: 782060,905885,910063,916617,920238,926510,936327,942587,944300,946386,951559,951608,951629,954982,956773,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977446,977450,977451,977452,977455,977457,977458,977459,977461,977464
CVE References: CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519
Sources used:
openSUSE 13.2 (src):    ntp-4.2.8p7-25.15.1
Comment 14 Swamp Workflow Management 2016-06-14 15:36:13 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-06-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62822
Comment 15 Swamp Workflow Management 2016-07-29 17:12:12 UTC
SUSE-SU-2016:1912-1: An update that solves 43 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 782060,784760,905885,910063,916617,920183,920238,920893,920895,920905,924202,926510,936327,943218,943221,944300,951351,951559,951629,952611,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977450,977451,977452,977455,977457,977458,977459,977461,977464,979302,981422,982056,982064,982065,982066,982067,982068,988417,988558,988565
CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-5194,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    ntp-4.2.8p8-0.7.1
Comment 16 Marcus Meissner 2016-08-01 08:29:28 UTC
all released