===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2016.1863
SUSE Security Update: Security update for ntp
1 August 2016
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           ntp
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4957 CVE-2016-4956 CVE-2016-4955
                   CVE-2016-4954 CVE-2016-4953 CVE-2016-2519
                   CVE-2016-2518 CVE-2016-2517 CVE-2016-2516
                   CVE-2016-1551 CVE-2016-1550 CVE-2016-1549
                   CVE-2016-1548 CVE-2016-1547 CVE-2015-8158
                   CVE-2015-8138 CVE-2015-7979 CVE-2015-7978
                   CVE-2015-7977 CVE-2015-7976 CVE-2015-7975
                   CVE-2015-7974 CVE-2015-7973 CVE-2015-7871
                   CVE-2015-7855 CVE-2015-7854 CVE-2015-7853
                   CVE-2015-7852 CVE-2015-7851 CVE-2015-7850
                   CVE-2015-7849 CVE-2015-7848 CVE-2015-7705
                   CVE-2015-7704 CVE-2015-7703 CVE-2015-7702
                   CVE-2015-7701 CVE-2015-7692 CVE-2015-7691
                   CVE-2015-5300 CVE-2015-5194 CVE-2015-1799
                   CVE-2015-1798
Reference:         ASB-2016.0074
                   ASB-2016.0046
                   ESB-2016.1549
                   ESB-2016.1525
                   ESB-2016.1512
                   ESB-2016.1041
                   ESB-2016.0177
                   ESB-2015.2694
                   ESB-2015.0933

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1912-1
Rating:             important
References:         #782060 #784760 #905885 #910063 #916617 #920183
                    #920238 #920893 #920895 #920905 #924202 #926510
                    #936327 #943218 #943221 #944300 #951351 #951559
                    #951629 #952611 #957226 #962318 #962784 #962802
                    #962960 #962966 #962970 #962988 #962995 #963000
                    #963002 #975496 #977450 #977451 #977452 #977455
                    #977457 #977458 #977459 #977461 #977464 #979302
                    #981422 #982056 #982064 #982065 #982066 #982067
                    #982068 #988417 #988558 #988565
Cross-References:   CVE-2015-1798 CVE-2015-1799 CVE-2015-5194
                    CVE-2015-5300 CVE-2015-7691 CVE-2015-7692
                    CVE-2015-7701 CVE-2015-7702 CVE-2015-7703
                    CVE-2015-7704 CVE-2015-7705 CVE-2015-7848
                    CVE-2015-7849 CVE-2015-7850 CVE-2015-7851
                    CVE-2015-7852 CVE-2015-7853 CVE-2015-7854
                    CVE-2015-7855 CVE-2015-7871 CVE-2015-7973
                    CVE-2015-7974 CVE-2015-7975 CVE-2015-7976
                    CVE-2015-7977 CVE-2015-7978 CVE-2015-7979
                    CVE-2015-8138 CVE-2015-8158 CVE-2016-1547
                    CVE-2016-1548 CVE-2016-1549 CVE-2016-1550
                    CVE-2016-1551 CVE-2016-2516 CVE-2016-2517
                    CVE-2016-2518 CVE-2016-2519 CVE-2016-4953
                    CVE-2016-4954 CVE-2016-4955 CVE-2016-4956
                    CVE-2016-4957
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

An update that solves 43 vulnerabilities and has 9 fixes is now available.

Description:

NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package.

These security issues were fixed:

* CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065).
* CVE-2016-4954: Processing spoofed server packets (bsc#982066).
* CVE-2016-4955: Autokey association reset (bsc#982067).
* CVE-2016-4956: Broadcast interleave (bsc#982068).
* CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).
* CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459).
* CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461).
* CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451).
* CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464).
* CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450).
* CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452).
* CVE-2016-2517: Remote configuration trustedkey/requestkey/controlkey values are not properly validated (bsc#977455).
* CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457).
* CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458).
* CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).
* CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
* CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).
* CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).
* CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
* CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802).
* CVE-2015-7975: nextvar() missing length check (bsc#962988).
* CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton" key (bsc#962960).
* CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).
* CVE-2015-5300: MITM attacker can force ntpd to make a step larger than the panic threshold (bsc#951629).
* CVE-2015-5194: Crash with crafted logconfig configuration command (bsc#943218).
* CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#952611).
* CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#952611).
* CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#952611).
* CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#952611).
* CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#952611).
* CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#952611).
* CVE-2015-7850: Clients that receive a KoD now validate the origin timestamp field (bsc#952611).
* CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).
* CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).
* CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).
* CVE-2015-7703: Configuration directives "pidfile" and "driftfile" should only be allowed locally (bsc#943221).
* CVE-2015-7704: Clients that receive a KoD should validate the origin timestamp field (bsc#952611).
* CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#952611).
* CVE-2015-7691: Incomplete autokey data packet length checks (bsc#952611).
* CVE-2015-7692: Incomplete autokey data packet length checks (bsc#952611).
* CVE-2015-7702: Incomplete autokey data packet length checks (bsc#952611).
* CVE-2015-1798: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC field has a nonzero length, which made it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (bsc#924202).
* CVE-2015-1799: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP performed state-variable updates upon receiving certain invalid packets, which made it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer (bsc#924202).

These non-security issues were fixed:

* Keep the parent process alive until the daemon has finished initialisation, to make sure that the PID file exists when the parent returns.
* bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice.
* bsc#981422: Don't ignore SIGCHILD because it breaks wait().
* Separate the creation of ntp.keys and key #1 in it to avoid problems when upgrading installations that have the file, but no key #1, which is needed e.g. by "rcntp addserver".
* bsc#957226: Restrict the parser in the startup script to the first occurrence of "keys" and "controlkey" in ntp.conf.
* Enable compile-time support for MS-SNTP (--enable-ntp-signd)
* bsc#975496: Fix ntp-sntp-dst.patch.
* bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail.
* bsc#782060: Speedup ntpq.
* bsc#951559: Fix the TZ offset output of sntp during DST.
* bsc#916617: Add /var/db/ntp-kod.
* bsc#951351: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems.
* Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted.
* bnc#784760: Remove local clock from default configuration.
* Fix incomplete backporting of "rcntp ntptimemset".
* bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.
* Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.
* bsc#910063: Fix the comment regarding addserver in ntp.conf.
* bsc#944300: Remove "kod" from the restrict line in ntp.conf.
* bsc#905885: Use SHA1 instead of MD5 for symmetric keys.
* bsc#926510: Re-add chroot support, but mark it as deprecated and disable it by default.
* bsc#920895: Drop support for running chrooted, because it is an ongoing source of problems and not really needed anymore, given that ntp now drops privileges and runs under apparmor.
* bsc#920183: Allow -4 and -6 address qualifiers in "server" directives.
* Use upstream ntp-wait, because our version is incompatible with the new ntpq command line syntax.
* bsc#920905: Adjust Util.pm to the Perl version on SLE11.
* bsc#920238: Enable ntpdc for backwards compatibility.
* bsc#920893: Don't use %exclude.
* bsc#988417: Default to NTPD_FORCE_SYNC_ON_STARTUP="yes"
* bsc#988565: Ignore errors when removing extra files during uninstallation
* bsc#988558: Don't blindly guess the value to use for IP_TOS

Security Issues:

* CVE-2016-4953 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953>
* CVE-2016-4954 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954>
* CVE-2016-4955 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955>
* CVE-2016-4956 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956>
* CVE-2016-4957 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957>
* CVE-2016-1547 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547>
* CVE-2016-1548 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548>
* CVE-2016-1549 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549>
* CVE-2016-1550 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550>
* CVE-2016-1551 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551>
* CVE-2016-2516 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516>
* CVE-2016-2517 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517>
* CVE-2016-2518 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518>
* CVE-2016-2519 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519>
* CVE-2015-8158 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158>
* CVE-2015-8138 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138>
* CVE-2015-7979 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979>
* CVE-2015-7978 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978>
* CVE-2015-7977 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977>
* CVE-2015-7976 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976>
* CVE-2015-7975 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975>
* CVE-2015-7974 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974>
* CVE-2015-7973 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973>
* CVE-2015-5300 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300>
* CVE-2015-5194 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194>
* CVE-2015-7871 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871>
* CVE-2015-7855 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855>
* CVE-2015-7854 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854>
* CVE-2015-7853 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853>
* CVE-2015-7852 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852>
* CVE-2015-7851 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851>
* CVE-2015-7850 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850>
* CVE-2015-7849 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849>
* CVE-2015-7848 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848>
* CVE-2015-7701 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701>
* CVE-2015-7703 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703>
* CVE-2015-7704 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704>
* CVE-2015-7705 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705>
* CVE-2015-7691 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691>
* CVE-2015-7692 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692>
* CVE-2015-7702 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702>
* CVE-2015-1798 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798>
* CVE-2015-1799 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799>

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

  ntp-4.2.8p8-0.7.1
  ntp-doc-4.2.8p8-0.7.1

References:

https://www.suse.com/security/cve/CVE-2015-1798.html
https://www.suse.com/security/cve/CVE-2015-1799.html
https://www.suse.com/security/cve/CVE-2015-5194.html
https://www.suse.com/security/cve/CVE-2015-5300.html
https://www.suse.com/security/cve/CVE-2015-7691.html
https://www.suse.com/security/cve/CVE-2015-7692.html
https://www.suse.com/security/cve/CVE-2015-7701.html
https://www.suse.com/security/cve/CVE-2015-7702.html
https://www.suse.com/security/cve/CVE-2015-7703.html
https://www.suse.com/security/cve/CVE-2015-7704.html
https://www.suse.com/security/cve/CVE-2015-7705.html
https://www.suse.com/security/cve/CVE-2015-7848.html
https://www.suse.com/security/cve/CVE-2015-7849.html
https://www.suse.com/security/cve/CVE-2015-7850.html
https://www.suse.com/security/cve/CVE-2015-7851.html
https://www.suse.com/security/cve/CVE-2015-7852.html
https://www.suse.com/security/cve/CVE-2015-7853.html
https://www.suse.com/security/cve/CVE-2015-7854.html
https://www.suse.com/security/cve/CVE-2015-7855.html
https://www.suse.com/security/cve/CVE-2015-7871.html
https://www.suse.com/security/cve/CVE-2015-7973.html
https://www.suse.com/security/cve/CVE-2015-7974.html
https://www.suse.com/security/cve/CVE-2015-7975.html
https://www.suse.com/security/cve/CVE-2015-7976.html
https://www.suse.com/security/cve/CVE-2015-7977.html
https://www.suse.com/security/cve/CVE-2015-7978.html
https://www.suse.com/security/cve/CVE-2015-7979.html
https://www.suse.com/security/cve/CVE-2015-8138.html
https://www.suse.com/security/cve/CVE-2015-8158.html
https://www.suse.com/security/cve/CVE-2016-1547.html
https://www.suse.com/security/cve/CVE-2016-1548.html
https://www.suse.com/security/cve/CVE-2016-1549.html
https://www.suse.com/security/cve/CVE-2016-1550.html
https://www.suse.com/security/cve/CVE-2016-1551.html
https://www.suse.com/security/cve/CVE-2016-2516.html
https://www.suse.com/security/cve/CVE-2016-2517.html
https://www.suse.com/security/cve/CVE-2016-2518.html
https://www.suse.com/security/cve/CVE-2016-2519.html
https://www.suse.com/security/cve/CVE-2016-4953.html
https://www.suse.com/security/cve/CVE-2016-4954.html
https://www.suse.com/security/cve/CVE-2016-4955.html
https://www.suse.com/security/cve/CVE-2016-4956.html
https://www.suse.com/security/cve/CVE-2016-4957.html
https://bugzilla.suse.com/782060
https://bugzilla.suse.com/784760
https://bugzilla.suse.com/905885
https://bugzilla.suse.com/910063
https://bugzilla.suse.com/916617
https://bugzilla.suse.com/920183
https://bugzilla.suse.com/920238
https://bugzilla.suse.com/920893
https://bugzilla.suse.com/920895
https://bugzilla.suse.com/920905
https://bugzilla.suse.com/924202
https://bugzilla.suse.com/926510
https://bugzilla.suse.com/936327
https://bugzilla.suse.com/943218
https://bugzilla.suse.com/943221
https://bugzilla.suse.com/944300
https://bugzilla.suse.com/951351
https://bugzilla.suse.com/951559
https://bugzilla.suse.com/951629
https://bugzilla.suse.com/952611
https://bugzilla.suse.com/957226
https://bugzilla.suse.com/962318
https://bugzilla.suse.com/962784
https://bugzilla.suse.com/962802
https://bugzilla.suse.com/962960
https://bugzilla.suse.com/962966
https://bugzilla.suse.com/962970
https://bugzilla.suse.com/962988
https://bugzilla.suse.com/962995
https://bugzilla.suse.com/963000
https://bugzilla.suse.com/963002
https://bugzilla.suse.com/975496
https://bugzilla.suse.com/977450
https://bugzilla.suse.com/977451
https://bugzilla.suse.com/977452
https://bugzilla.suse.com/977455
https://bugzilla.suse.com/977457
https://bugzilla.suse.com/977458
https://bugzilla.suse.com/977459
https://bugzilla.suse.com/977461
https://bugzilla.suse.com/977464
https://bugzilla.suse.com/979302
https://bugzilla.suse.com/981422
https://bugzilla.suse.com/982056
https://bugzilla.suse.com/982064
https://bugzilla.suse.com/982065
https://bugzilla.suse.com/982066
https://bugzilla.suse.com/982067
https://bugzilla.suse.com/982068
https://bugzilla.suse.com/988417
https://bugzilla.suse.com/988558
https://bugzilla.suse.com/988565
https://download.suse.com/patch/finder/?keywords=e7685b9a0cc48dfc1cea383e011b438b

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================