-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:25.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp [REVISED]

Category:       contrib
Module:         ntp
Announced:      2015-10-26, revised on 2015-11-04
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
                2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7)
                2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24)
                2015-11-02 10:39:26 UTC (stable/9, 9.3-STABLE)
                2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30)
CVE Name:       CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
                CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851,
                CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855,
                CVE-2015-7871

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

0.   Revision history.

v1.0  2015-10-26 Initial release.
v1.1  2015-11-04 Revised patches to address regression in ntpq(8), ntpdc(8)
      utilities and lack of RAWDCF reference clock support in ntpd(8).

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

Crypto-NAK packets can be used to cause ntpd(8) to accept time from an
unauthenticated ephemeral symmetric peer by bypassing the authentication
required to mobilize peer associations.  [CVE-2015-7871]
FreeBSD 9.3 and 10.1 are not affected.

If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusually
long data value where a network address is expected, the decodenetnum()
function will abort with an assertion failure instead of simply returning
a failure condition.  [CVE-2015-7855]

If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) source IP address is allowed to send remote configuration requests,
and if the attacker knows the remote configuration password or if ntpd(8)
was configured to disable authentication, then an attacker can send a set
of packets to ntpd(8) that may cause it to crash, with the hypothetical
possibility of a small code injection.  [CVE-2015-7854]

A negative value for the datalen parameter will overflow a data buffer.
The NTF ntpd(8) driver implementation always sets this value to 0 and are
therefore not vulnerable to this weakness.  If the system runs a custom
refclock driver in ntpd(8) and that driver supplies a negative value for
datalen (no custom driver of even minimal competence would do this), then
ntpd(8) would overflow the data buffer.  It is even hypothetically possible
in this case that instead of simply crashing ntpd(8), the attacker could
effect a code injection attack.  [CVE-2015-7853]

If an attacker can figure out the precise moment that ntpq(8) is listening
for data and the port number on which it is listening, or if the attacker
can provide a malicious instance ntpd(8) that victims will connect to, then
an attacker can send a set of crafted mode 6 response packets that, if
received by ntpq(8), can cause ntpq(8) to crash.  [CVE-2015-7852]

If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) IP address is allowed to send remote configuration requests, and if
the attacker knows the remote configuration password or if ntpd(8) was
configured to disable authentication, then an attacker can send a set of
packets to ntpd that may cause ntpd(8) to overwrite files.  [CVE-2015-7851]
The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration.

If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) source IP address is allowed to send remote configuration
requests, and if the attacker knows the remote configuration password or if
ntpd(8) was configured to disable authentication, then an attacker can send
a set of packets to ntpd that will cause it to crash and/or create
a potentially huge log file.  Specifically, the attacker could enable
extended logging, point the key file at the log file, and cause what amounts
to an infinite loop.  [CVE-2015-7850]
The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration.

If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) source IP address is allowed to send remote configuration requests,
and if the attacker knows the remote configuration password or if ntpd(8) was
configured to disable authentication, then an attacker can send a set of
packets to ntpd(8) that may cause a crash or theoretically perform a code
injection attack.  [CVE-2015-7849]
The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration.

If ntpd(8) is configured to enable mode 7 packets, and if the use of mode 7
packets is not properly protected through the use of the available mode 7
authentication and restriction mechanisms, and if the (possibly spoofed)
source IP address is allowed to send mode 7 queries, then an attacker can
send a crafted packet to ntpd that will cause it to crash.  [CVE-2015-7848]
The default configuration of ntpd(8) within FreeBSD does not allow mode 7
packets.

If ntpd(8) is configured to use autokey, then an attacker can send packets to
ntpd that will, after several days of ongoing attack, cause it to run out of
memory.  [CVE-2015-7701]
The default configuration of ntpd(8) within FreeBSD does not use autokey.

If ntpd(8) is configured to allow for remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote configuration
requests, and if the attacker knows the remote configuration password, it is
possible for an attacker to use the "pidfile" or "driftfile" directives to
potentially overwrite other files.  [CVE-2015-5196]
The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration

An ntpd(8) client that honors Kiss-of-Death responses will honor
Kiss-of-Death messages that have been forged by an attacker, causing it to
delay or stop querying its servers for time updates.  Also, an attacker can
forge packets that claim to be from the target and send them to servers
often enough that a server that implements Kiss-of-Death rate limiting will
send the target machine a Kiss-of-Death response to attempt to reduce the
rate of incoming packets, or it may also trigger a firewall block at the
server for packets from the target machine.  For either of these attacks to
succeed, the attacker must know what servers the target is communicating
with.  An attacker can be anywhere on the Internet and can frequently learn
the identity of the time source of a target by sending the target a time
query.  [CVE-2015-7704]

The fix for CVE-2014-9750 was incomplete in that there were certain code
paths where a packet with particular autokey operations that contained
malicious data was not always being completely validated.  Receipt of these
packets can cause ntpd to crash. [CVE-2015-7702].
The default configuration of ntpd(8) within FreeBSD does not use autokey.

III. Impact

An attacker which can send NTP packets to ntpd(8) which uses cryptographic
authentication of NTP data, may be able to inject malicious time data
causing the system clock to be set incorrectly.  [CVE-2015-7871]

An attacker which can send NTP packets to ntpd(8) can block the communication
of the daemon with time servers, causing the system clock not being
synchronized.  [CVE-2015-7704]

An attacker which can send NTP packets to ntpd(8) can remotely crash the
daemon, sending malicious data packet.  [CVE-2015-7855] [CVE-2015-7854]
[CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848]

An attacker which can send NTP packets to ntpd(8) can remotely trigger the
daemon to overwrite its configuration files.  [CVE-2015-7851] [CVE-2015-5196]

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not
affected.  Network administrators are advised to implement BCP-38,
which helps to reduce risk associated with the attacks.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update.  A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update.  A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[*** v1.1 NOTE ***] If your sources are not yet patched using the initially
published advisory patches, then you need to apply the full patches named
ntp-NNN.patch, where NNN stands for the release version.  If your sources
are already updated, or patched with patches from the initial advisory,
then you need to apply incremental patches, named ntp-NNN-inc.patch, where
NNN stands for the release version.

[FreeBSD 10.2-RELEASE-p5, not patched with initial SA-15:25 patch]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.xz
# unxz ntp-102.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc
# gpg --verify ntp-102.patch.asc

[FreeBSD 10.1-RELEASE-p22, not patched with initial SA-15:25 patch]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.xz
# unxz ntp-101.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc
# gpg --verify ntp-101.patch.asc

[FreeBSD 9.3-RELEASE-p28, not patched with initial SA-15:25 patch]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.xz
# unxz ntp-93.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc
# gpg --verify ntp-93.patch.asc

[FreeBSD 10.2-RELEASE-p6, initial SA-15:25 patch already applied]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102-inc.patch
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102-inc.patch.asc
# gpg --verify ntp-102-inc.patch.asc

[FreeBSD 10.1-RELEASE-p23, initial SA-15:25 patch already applied]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101-inc.patch
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101-inc.patch.asc
# gpg --verify ntp-101-inc.patch.asc

[FreeBSD 9.3-RELEASE-p29, initial SA-15:25 patch already applied]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93-inc.patch
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93-inc.patch.asc
# gpg --verify ntp-93-inc.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch -p0 < /path/to/patch
# find contrib/ntp -type f -empty -delete

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended,
which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and
with help of the etcupdate(8) tool on 10.1-RELEASE.

Restart the ntpd(8) daemon, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r290269
releng/9.3/                                                       r290363
stable/10/                                                        r289997
releng/10.1/                                                      r290362
releng/10.2/                                                      r290361
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWO0BSAAoJEO1n7NZdz2rnWDAP/3wOSIgZg3IlD15HT34YRcEm
6fskKKLv8RUMpLvmxjuoUZemC6kA+80x7M4dzTLrq1RduQ33gHaEWr16O5SZKO6V
fVDTA+iVSA9Kuh/K+dR8AppGki1ashVrzL3+0vUaya3rF15TagSwKdXN3N06mvwU
Pm6NnC+WXQJdj6MoSfjupsmO5L86tq57lShlUF3LN1wUANZzsRLvxTZZfQFKSaBr
UnVVPpPw3Vp+OCAYcZd+6c1cNLk6bVPWaByfuUqRO8IN6I6yLUIK6h5rW9kEoSJH
phBdqzfMxc57zrRg4lFu/hMUaCR3ag6o3CAG9QyXakc90o4TBT8+DblOPUdAPjix
cRGOhWOiMeKQVapf/tIcPCJkZP3VGRvZBWJal9F312zJpeq8ZvVWG9WHlkE8kCSk
kzw0R39CsWPaBSjAKOjd9M+6wU+YKqyy4/yXAqP40mgm349gavXgI4FRLohYTmfa
l3HMhhq8ojfVefrnksu/kOjK/AC7guxL+ITNtTIwJj/x9fY2aeuNJkHY6S4ZxMpB
iJ/myfT7CD25dwSn8+6diz7vY6EKJLMjJVyAoPwxzfauGfShKUh45dWjROmsHlox
ZK8W+7kd9eyz4MIgeavCQkJeLVB8XlkcIE/sPTKYJJmC2cLXHne9Bb4ESmBWqFbO
trMs4i6fkKu+17W4K+kr
=vurk
-----END PGP SIGNATURE-----