CERT/CC Vulnerability Note VU#852879

Overview

The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client.

Description

The Network Time Protocol (NTP) provides networked systems and devices with a way to synchronize time for various services and applications. The reference implementation produced by the NTP Project (ntp.org) contains several vulnerabilities.

CWE-290: Authentication Bypass by Spoofing - CVE-2014-9298

The IPv6 address ::1 can be spoofed, allowing an attacker to bypass ACLs based on ::1.

CWE-754: Improper Check for Unusual or Exceptional Conditions - CVE-2014-9297

The length value in extension field pointers is not properly validated, allowing information leaks.

CWE-332: Insufficient Entropy in PRNG - CVE-2014-9293

If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - CVE-2014-9294

ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.

CWE-121: Stack Buffer Overflow - CVE-2014-9295

A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.

CWE-389: Error Conditions, Return Values, Status Codes - CVE-2014-9296

A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker.

The NTP Project provides more information about these issues in their security advisory.

The NTP Project implementation is widely used in operating system distributions and network products. These vulnerabilities affect ntpd acting as a server or client. CERT/CC is not aware of any public exploit of these vulnerabilities at this time.

The CVSS score below is based on the buffer overflow vulnerabilities (CVE-2014-9295).

Impact

The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes. More specifically, the weak default key allows access to private mode and control mode queries that require authentication, if not restricted by the configuration.

Solution

Apply an update

These issues have been addressed in ntp-4.2.8p1. The update may be downloaded from ntp.org.

Restrict status queries

As noted in the announcement for ntp-4.2.8:

The vulnerabilities listed below can be significantly mitigated by following the BCP of putting restrict default ...noqueryin the ntp.conf file. With the exception of: receive(): missing return on error References: Sec 2670 / CVE-2014-9296 / VU#852879 below (which is a limited-risk vulnerability), none of the recent vulnerabilities listed below can be exploited if the source IP is restricted from sending a 'query'-class packet by your ntp.conf file.

Use firewall rules

Install firewall rules that block ::1 IPv6 address from inappropriate network interfaces.

Disable autokey authentication

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

Vendor Information

852879

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Apple Affected

Cisco Systems, Inc. Affected

EfficientIP Affected

F5 Networks, Inc. Affected

FreeBSD Project Affected

Huawei Technologies Affected

NEC Corporation Affected

NTP Project Affected

OmniTI Affected

Red Hat, Inc. Affected

Watchguard Technologies, Inc. Affected

Belkin, Inc. Not Affected

Fortinet, Inc. Not Affected

OpenBSD Not Affected

Openwall GNU/*/Linux Not Affected

m0n0wall Not Affected

ACCESS Unknown

AT&T Unknown

Alcatel-Lucent Unknown

Arch Linux Unknown

Avaya, Inc. Unknown

Barracuda Networks Unknown

Blue Coat Systems Unknown

CA Technologies Unknown

CentOS Unknown

Check Point Software Technologies Unknown

Cray Inc. Unknown

D-Link Systems, Inc. Unknown

Debian GNU/Linux Unknown

DragonFly BSD Project Unknown

EMC Corporation Unknown

Engarde Secure Linux Unknown

Enterasys Networks Unknown

Ericsson Unknown

Extreme Networks Unknown

Fedora Project Unknown

Force10 Networks, Inc. Unknown

Foundry Networks, Inc. Unknown

Fujitsu Unknown

Gentoo Linux Unknown

Global Technology Associates, Inc. Unknown

Google Unknown

Hewlett-Packard Company Unknown

Hitachi Unknown

IBM Corporation Unknown

IBM Corporation (zseries) Unknown

IBM eServer Unknown

Infoblox Unknown

Intel Corporation Unknown

Intoto Unknown

Juniper Networks, Inc. Unknown

Mandriva S. A. Unknown

McAfee Unknown

Microsemi Unknown

Microsoft Corporation Unknown

MontaVista Software, Inc. Unknown

NEC Corporation Unknown

NetBSD Unknown

Nokia Unknown

Novell, Inc. Unknown

Oracle Corporation Unknown

Palo Alto Networks Unknown

Peplink Unknown

Process Software Unknown

Q1 Labs Unknown

QNX Software Systems Inc. Unknown

Quagga Unknown

SUSE Linux Unknown

SafeNet Unknown

Slackware Linux Inc. Unknown

SmoothWall Unknown

Snort Unknown

Sony Corporation Unknown

Sourcefire Unknown

Stonesoft Unknown

Symantec Unknown

The SCO Group Unknown

TippingPoint Technologies Inc. Unknown

Turbolinux Unknown

Ubuntu Unknown

Unisys Unknown

VMware Unknown

Vyatta Unknown

Wind River Systems, Inc. Unknown

ZyXEL Unknown

eSoft, Inc. Unknown

netfilter Unknown

View all 87 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal	5.9	E:POC/RL:OF/RC:C
Environmental	5.9	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

The NTP Project credits Stephen Roettger and Neel Mehta of the Google Security Team for discovering these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs:	CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-9297, CVE-2014-9298
Date Public:	2014-12-19
Date First Published:	2014-12-19
Date Last Updated:	2015-10-27 02:22 UTC
Document Revision:	124

Software Engineering Institute

CERT Coordination Center

NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated)

Vulnerability Note VU#852879