FreeBSD Security Advisories
2020-Mar-19 17:38 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:09.ntp
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================FreeBSD-SA-20:09.ntp Security Advisory The FreeBSD Project Topic: Multiple denial of service in ntpd Category: contrib Module: ntp Announced: 2020-03-19 Credits: Philippe Antoine and Miroslav Lichvar Affects: All supported versions of FreeBSD. Corrected: 2020-03-04 23:54:13 UTC (stable/12, 12.1-STABLE) 2020-03-19 16:52:41 UTC (releng/12.1, 12.1-RELEASE-p3) 2020-03-05 00:18:09 UTC (stable/11, 11.3-STABLE) 2020-03-19 16:52:41 UTC (releng/11.3, 11.3-RELEASE-p7) For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description Three NTP vulnerabilities are addressed by this security advisory. NTP Bug 3610: Process_control() should exit earlier on short packets. On systems that override the default and enable ntpdc (mode 7), fuzz testing detected a short packet will cause ntpd to read uninitialized data. NTP Bug 3596: Due to highly predictable transmit timestamps, an unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim ntpd configured to receive time from an unauthenticated time source is vulnerable to an off-path attacker with permission to query the victim. The attacker must send from a spoofed IPv4 address of an upstream NTP server and the victim must process a large number of packets with that spoofed IPv4 address. After eight or more successful attacks in a row, the attacker can either modify the victim's clock by a small amount or cause ntpd to terminate. The attack is especially effective when unusually short poll intervals have been configured. NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such that an ntpd can be prevented from initiating a time volley to its peer resulting in a DoS. III. Impact All three NTP bugs may result in DoS or terimation of the ntp daemon. IV. Workaround Systems not using ntpd(8) are not vulnerable. Systems running ntpd should make the following changes: - - Disable mode 7 - - Use many trustworthy sources of time - - Use NTP packet authentication - - Monitor ntpd for error messages indicating attack - - If only unauthenticated time over IPv4 is available, use the restrict configuration directive V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.1-STABLE] # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch.asc # gpg --verify ntp.12.patch.asc [FreeBSD 12.1-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch.asc # gpg --verify ntp.12.1.patch.asc [FreeBSD 11.3-STABLE] # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch.asc # gpg --verify ntp.11.patch.asc [FreeBSD 11.3-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch # fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch.asc # gpg --verify ntp.11.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r358659 releng/12.1/ r359144 stable/11/ r358660 releng/11.3/ r359144 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:http://support.ntp.org/bin/view/Main/SecurityNotice#March_2020_ntp_4_2_8p14_NTP_Rele> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:09.ntp.asc> -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cIoaA//V8fG/ugFkS6ASluls3rsww0gxoVH65HM7SDiPC814cl8ck2DUSMO7lzA jPAmsLPdrhGrJ7lTndUxuZ5hf0YeI/CgccTWYoPgiZjfXoeHS2ydQVVpM9j2ByNo KgwqEnRxLaIRBg3+zf7sT/IenC+ivHbPDxrmW4y7ehUQO/fZ3AcXjcAw6PPCzGlp pN8Jml04uUuD/Nb92IzWGKvLPsL27slWAHG6nPPw0onzqaZqNhFf1UUDK9qvZRNB 2pHO+aJPfRq2kUk2DvfcB4kTGB1jbHJBBRNA1ns2xrtdKKIBnwSBatN/SBznhPuF nxGN/Y0k8EYJdVOHaoyqSlG31jatAd/TaA9+1JauxB7/29c65JHyAfddtZKY64vl DVnfDus+fcxg9D5FI7/O9qUeMZ/S1Ix683BzUPYhCDksC+VP28mqCHMBYRdKrc1m ysnnER8Tli+Zbenn88202+lJAaAI3gKygdzKRQg5FgXWqWi84G1WPs+c8dihpovV ZG5AqS1gJuwlP72x/g8by7BT140PZIEYaR5Qm7uIlfNTQxNBDmDkCF54wrhAFQWY XZrOLiOsVJdn6mX9WfPh7kxd59nAjGuy5fKwWF22g5vQsGCGoBHsqZTKPiA+WxVu Ngqq+8zUMkcTXP7NE3aT+4HDTXi/WRwiEKTGd8zGm5J8bEHXi9I=Q4Yq -----END PGP SIGNATURE-----