F5 Networks: K17517 (CVE-2015-7701): NTP vulnerability CVE-2015-7701

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From USN-2783-1:

Aleksis Kauppinen discovered that NTP incorrectly handled certain remote config packets. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-5146)

Miroslav Lichvar discovered that NTP incorrectly handled logconfig directives. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-5194)

Miroslav Lichvar discovered that NTP incorrectly handled certain statistics types. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-5195)

Miroslav Lichvar discovered that NTP incorrectly handled certain file paths. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service, or overwrite certain files. (CVE-2015-5196,CVE-2015-7703)

Miroslav Lichvar discovered that NTP incorrectly handled certain packets. A remote attacker could possibly use this issue to cause NTP to hang, resulting in a denial of service. (CVE-2015-5219)

Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP incorrectly handled restarting after hitting a panic threshold. A remote attacker could possibly use this issue to alter the system time on clients. (CVE-2015-5300)

It was discovered that NTP incorrectly handled autokey data packets. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7691,CVE-2015-7692,CVE-2015-7702)

It was discovered that NTP incorrectly handled memory when processing certain autokey messages. A remote attacker could possibly use this issue to cause NTP to consume memory, resulting in a denial of service. (CVE-2015-7701)

Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP incorrectly handled rate limiting. A remote attacker could possibly use this issue to cause clients to stop updating their clock. (CVE-2015-7704, CVE-2015-7705)

Yves Younan discovered that NTP incorrectly handled logfile and keyfile directives. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to enter a loop, resulting in a denial of service. (CVE-2015-7850)

Yves Younan and Aleksander Nikolich discovered that NTP incorrectly handled ascii conversion. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7852)

Yves Younan discovered that NTP incorrectly handled reference clock memory. A malicious refclock could possibly use this issue to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7853)

John D "Doug" Birdwell discovered that NTP incorrectly handled decoding certain bogus values. An attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7855)

Stephen Gray discovered that NTP incorrectly handled symmetric association authentication. A remote attacker could use this issue to possibly bypass authentication and alter the system clock. (CVE-2015-7871)

In the default installation, attackers would be isolated by the NTP AppArmor profile.

From DSA-3388:

Several vulnerabilities were discovered in the Network Time Protocol

daemon and utility programs:

From SUSE_CVE-2015-7701:

This CVE is addressed in the SUSE advisories SUSE-SU-2015:2058-1, openSUSE-SU-2015:2016-1

From ALAS-2015-607:

It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. (CVE-2015-7704)

It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value. (CVE-2015-5300)

It was found that the fix forCVE-2014-9750was incomplete: three issues were found in the value length checks in ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. (CVE-2015-7691,CVE-2015-7692,CVE-2015-7702)

A potential off by one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffer overflow potentially resulting in null byte being written out of bounds. (CVE-2015-7852)

A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)

From ELSA-2016-0780:

[4.2.6p5-10] - don't accept server/peer packets with zero origin timestamp (CVE-2015-8138) - fix crash with reslist command (CVE-2015-7977, CVE-2015-7978) [4.2.6p5-9] - fix crash with invalid logconfig command (CVE-2015-5194) - fix crash when referencing disabled statistic type (CVE-2015-5195) - don't hang in sntp with crafted reply (CVE-2015-5219) - don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) - fix memory leak with autokey (CVE-2015-7701) - don't allow setting driftfile and pidfile remotely (CVE-2015-7703) - don't crash in ntpq with crafted packet (CVE-2015-7852) - add option to set Differentiated Services Code Point (DSCP) (#1228314) - extend rawstats log (#1242895) - fix resetting of leap status (#1243034) - report clock state changes related to leap seconds (#1242937) - allow -4/-6 on restrict lines with mask (#1232146) - retry joining multicast groups (#1288534) - explain synchronised state in ntpstat man page (#1286969) [4.2.6p5-7] - check origin timestamp before accepting KoD RATE packet (CVE-2015-7704) - allow only one step larger than panic threshold with -g (CVE-2015-5300)

From RHSA-2016:0780:

The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.

Security Fix(es):

It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-7703)

The CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvár (Red Hat).

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.

From RHSA-2016:2583:

The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.

Security Fix(es):

It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979)It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703)It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974)A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158)

The CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvár (Red Hat).

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

From ELSA-2016-2583:

[4.2.6p5-25.0.1] - add disable monitor to default ntp.conf [CVE-2013-5211] [4.2.6p5-25] - don't allow spoofed packet to enable symmetric interleaved mode (CVE-2016-1548) - check mode of new source in config command (CVE-2016-2518) - make MAC check resilient against timing attack (CVE-2016-1550) [4.2.6p5-24] - fix crash with invalid logconfig command (CVE-2015-5194) - fix crash when referencing disabled statistic type (CVE-2015-5195) - don't hang in sntp with crafted reply (CVE-2015-5219) - don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) - fix memory leak with autokey (CVE-2015-7701) - don't allow setting driftfile and pidfile remotely (CVE-2015-7703) - don't crash in ntpq with crafted packet (CVE-2015-7852) - check key ID in packets authenticated with symmetric key (CVE-2015-7974) - fix crash with reslist command (CVE-2015-7977, CVE-2015-7978) - don't allow spoofed packets to demobilize associations (CVE-2015-7979, CVE-2016-1547) - don't accept server/peer packets with zero origin timestamp (CVE-2015-8138) - fix infinite loop in ntpq/ntpdc (CVE-2015-8158) - fix resetting of leap status (#1242553) - extend rawstats log (#1242877) - report clock state changes related to leap seconds (#1242935) - allow -4/-6 on restrict lines with mask (#1304492) - explain synchronised state in ntpstat man page (#1309594)

From VID-C4A18A12-77FC-11E5-A687-206A8A720317:

ntp.org reports:

NTF's NTP Project has been notified of the following 13 low-

and medium-severity vulnerabilities that are fixed in

ntp-4.2.8p4, released on Wednesday, 21 October 2015:

Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric

association authentication bypass via crypto-NAK

(Cisco ASIG)

Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch

instead of returning FAIL on some bogus values (IDA)

Bug 2921 CVE-2015-7854 Password Length Memory Corruption

Vulnerability. (Cisco TALOS)

Bug 2920 CVE-2015-7853 Invalid length data provided by a

custom refclock driver could cause a buffer overflow.

(Cisco TALOS)

Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption

Vulnerability. (Cisco TALOS)

Bug 2918 CVE-2015-7851 saveconfig Directory Traversal

Vulnerability. (OpenVMS) (Cisco TALOS)

Bug 2917 CVE-2015-7850 remote config logfile-keyfile.

(Cisco TALOS)

Bug 2916 CVE-2015-7849 trusted key use-after-free.

(Cisco TALOS)

Bug 2913 CVE-2015-7848 mode 7 loop counter underrun.

(Cisco TALOS)

Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC.

(Tenable)

Bug 2902 : CVE-2015-7703 configuration directives "pidfile"

and "driftfile" should only be allowed locally. (RedHat)

Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that

receive a KoD should validate the origin timestamp field.

(Boston University)

Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702

Incomplete autokey data packet length checks. (Tenable)

The only generally-exploitable bug in the above list is the

crypto-NAK bug, which has a CVSS2 score of 6.4.

Additionally, three bugs that have already been fixed in

ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd

have a security component, but are all below 1.8 CVSS score,

so we're reporting them here:

Bug 2382 : Peer precision < -31 gives division by zero

Bug 1774 : Segfaults if cryptostats enabled when built

without OpenSSL

Bug 1593 : ntpd abort in free() with logconfig syntax error

From SOL17517:

An attacker could send packets to ntpd that may, after several days of ongoing attack, cause it to run out of memory. There is no control plane exposure in the BIG-IP system when you use a default configuration, and this issue is exposed only when NTP is configured to use the Autokey security protocol.​

From K17517:

An attacker could send packets to ntpd that may, after several days of ongoing attack, cause it to run out of memory. There is no control plane exposure in the BIG-IP system when you use a default configuration, and this issue is exposed only when NTP is configured to use the Autokey security protocol.?

From DLA-335-1:

ntp - security update