====================================================================
                            CERT-Renater

                Information Note No. 2016/VULN183
_____________________________________________________________________

DATE                 : 02/05/2016

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running NTP version prior to 4.2.8p7.

======================================================================
http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
____________________________________________________________________

NTP users are strongly urged to take immediate action to ensure that
their NTP daemons are not susceptible to being used in distributed
denial-of-service (DDoS) attacks. Please also take this opportunity to
defeat denial-of-service attacks by implementing Ingress and Egress
filtering through BCP38.

ntp-4.2.8p7 was released on 26 April 2016. It addresses 11 low- and
medium-severity security issues, 16 bugfixes, and contains other
improvements over 4.2.8p6.

Please see the NTP Security Notice for vulnerability and mitigation
details.

April 2016 NTP-4.2.8p7 Security Vulnerability Announcement (Medium)

NTF's NTP Project has been notified of the following low- and
medium-severity vulnerabilities that are fixed in ntp-4.2.8p7, released
on Tuesday, 26 April 2016:

    Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability,
    AKA: refclock-peering
        Reported by Matt Street and others of Cisco ASIG

    Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral
    association attack, AKA: ntp-sybil - MITIGATION ONLY
        Reported by Matthew Van Gundy of Cisco ASIG

    Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives
    will cause an assertion botch
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360

    Bug 3010 / CVE-2016-2517: Remote configuration
    trustedkey/requestkey values are not properly validated
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360

    Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes
    array wraparound with MATCH_ASSOC
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360

    Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always
    checked
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360

    Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
        Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG

    Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY
        Reported by Miroslav Lichvar of RedHat and separately by
        Jonathan Gardner of Cisco ASIG

    Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken
    by the fix for NtpBug2901, AKA: Symmetric active/passive mode is
    broken
        Reported by Michael Tatarinov, NTP Project Developer Volunteer

    Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass,
    AKA: Additional KoD Checks
        Reported by Jonathan Gardner of Cisco ASIG

    Bug 2879 / CVE-2016-1550: Improve NTP security against buffer
    comparison timing attacks, authdecrypt-timing,
    AKA: authdecrypt-timing
        Reported independently by Loganaden Velvindron, and Matthew
        Van Gundy and Stephen Gray of Cisco ASIG.

The following issues already listed above are "Mitigation only" and are
expected to be fully resolved in an upcoming release.

    NtpBug3012 - Sybil vulnerability: ephemeral association attack -
                 MITIGATION ONLY
    NtpBug2978 - Interleave pivot - MITIGATION ONLY

The following issues were fixed in earlier releases and contain
improvements in this p7 release:

    NtpBug2936 - Skeleton Key
    NtpBug2901 - Clients that receive a KoD should validate the origin
                 timestamp field

Timeline:

    160426: ntp-4.2.8p7 released.
    160418: pre-release patch availability announced to CERT.
    160418: CERT notified.
    160412: pre-release patches sent to authorized NTP Consortium
            members.
    160221: CVE numbers requested from Mitre.
    160219: Initial notification from Qihoo/360. Analysis begins.
    160214: Advance notification sent to authorized NTP Consortium
            members.
    160112: Initial notification from Cisco. Analysis begins.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41             +
+ 75013 Paris         | email: cert@support.renater.fr   +
==========================================================