SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   ntp Vendors:   ntp.org
(Red Hat Issues Fix) ntp Multiple Bugs Let Remote or Local Users Cause the Target Service to Crash
SecurityTracker Alert ID:  1040670
SecurityTracker URL:  http://securitytracker.com/id/1040670
CVE Reference:   CVE-2017-6462, CVE-2017-6463, CVE-2017-6464   (Links to External Site)
Date:  Apr 11 2018
Impact:   Denial of service via local system, Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.2.8p9 and prior
Description:   Multiple vulnerabilities were reported in ntp. A remote or local user can cause the target service to crash.

A remote authenticated user can set a specially crafted configuration directive to cause the target ntpd service to crash [CVE-2017-6464].

A local user that can load a specially crafted '/dev/datum/' device can trigger a buffer overflow in datum_pts_receive() in the legacy Datum Programmable Time Server refclock driver and cause denial of service conditions [CVE-2017-6462].

A remote authenticated user can send a specially crafted ':config' directive to trigger a segmentation fault on the target NTP server [CVE-2017-6463].

A local user can cause DLLs to be executed with elevated privileges and cause denial of service conditions on Windows-based systems [CVE-2017-6455].

A local user can supply specially crafted command line parameters to trigger a stack overflow in addSourceToRegistry() on Windows-based systems [CVE-2017-6452].

A remote user can cause a data structure to be terminated incorrectly on Windows-based systems [CVE-2017-6459].

A remote user can send specially crafted data to trigger an overflow in the ctl_put() function and cause the target service to crash [CVE-2017-6458].

A remote user may be able to trigger an out-of-bounds memory write error in mx4200_send() on systems with the legacy MX4200 refclock enabled and cause the target service to crash [CVE-2017-6451].

A remote ntpd server can trigger a stack buffer overflow in ntpq when return a restriction list to cause the target ntpq service to crash [CVE-2017-6460].

A remote user that can spoof servers can exploit a timestamp origin check flaw and cause timestamp reset replies to be dropped [CVE-2016-9042].

Cure53 and Matthew Van Gundy of Cisco ASIG reported these vulnerabilities.

Impact:   A remote or local user can cause the target service to crash.
Solution:   Red Hat has issued a fix for CVE-2017-6462, CVE-2017-6463, and CVE-2017-6464.

The Red Hat advisory is available at:

https://access.redhat.com/errata/RHSA-2018:0855

Vendor URL:  access.redhat.com/errata/RHSA-2018:0855 (Links to External Site)
Cause:   Access control error, Boundary error, Input validation error, State error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Mar 24 2017 ntp Multiple Bugs Let Remote or Local Users Cause the Target Service to Crash



 Source Message Contents

Subject:  [RHSA-2018:0855-01] Moderate: ntp security, bug fix, and enhancement update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ntp security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:0855-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:0855
Issue date:        2018-04-10
CVE Names:         CVE-2017-6462 CVE-2017-6463 CVE-2017-6464 
=====================================================================

1. Summary:

An update for ntp is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le, s390x
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, noarch, ppc64le, s390x

3. Description:

The Network Time Protocol (NTP) is used to synchronize a computer's time
with another referenced time source. These packages include the ntpd
service which continuously adjusts system time and utilities used to query
and configure the ntpd service.

Security Fix(es):

* ntp: Authenticated DoS via Malicious Config Option (CVE-2017-6463)

* ntp: Denial of Service via Malformed Config (CVE-2017-6464)

* ntp: Buffer Overflow in DPTS Clock (CVE-2017-6462)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank the NTP project for reporting these issues.
Upstream acknowledges Cure53 as the original reporter of these issues.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the ntpd daemon will restart automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1420453 - Typos in ntpd man page
1433987 - CVE-2017-6464 ntp: Denial of Service via Malformed Config
1433995 - CVE-2017-6462 ntp: Buffer Overflow in DPTS Clock
1434002 - CVE-2017-6463 ntp: Authenticated DoS via Malicious Config Option
1442083 - Delayed name resolving fails when fips is enabled
1466947 - ntpdate.service should start after network-online.target
1491797 - RFE:  Backport Spectracom TSYNC driver to ntp
1493452 - ntpd clears STA_UNSYNC on start

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
ntp-4.2.6p5-28.el7.src.rpm

x86_64:
ntp-4.2.6p5-28.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-28.el7.x86_64.rpm
ntpdate-4.2.6p5-28.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
ntp-doc-4.2.6p5-28.el7.noarch.rpm
ntp-perl-4.2.6p5-28.el7.noarch.rpm

x86_64:
ntp-debuginfo-4.2.6p5-28.el7.x86_64.rpm
sntp-4.2.6p5-28.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ntp-4.2.6p5-28.el7.src.rpm

x86_64:
ntp-4.2.6p5-28.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-28.el7.x86_64.rpm
ntpdate-4.2.6p5-28.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
ntp-doc-4.2.6p5-28.el7.noarch.rpm
ntp-perl-4.2.6p5-28.el7.noarch.rpm

x86_64:
ntp-debuginfo-4.2.6p5-28.el7.x86_64.rpm
sntp-4.2.6p5-28.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ntp-4.2.6p5-28.el7.src.rpm

ppc64:
ntp-4.2.6p5-28.el7.ppc64.rpm
ntp-debuginfo-4.2.6p5-28.el7.ppc64.rpm
ntpdate-4.2.6p5-28.el7.ppc64.rpm

ppc64le:
ntp-4.2.6p5-28.el7.ppc64le.rpm
ntp-debuginfo-4.2.6p5-28.el7.ppc64le.rpm
ntpdate-4.2.6p5-28.el7.ppc64le.rpm

s390x:
ntp-4.2.6p5-28.el7.s390x.rpm
ntp-debuginfo-4.2.6p5-28.el7.s390x.rpm
ntpdate-4.2.6p5-28.el7.s390x.rpm

x86_64:
ntp-4.2.6p5-28.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-28.el7.x86_64.rpm
ntpdate-4.2.6p5-28.el7.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):

Source:
ntp-4.2.6p5-28.el7.src.rpm

aarch64:
ntp-4.2.6p5-28.el7.aarch64.rpm
ntp-debuginfo-4.2.6p5-28.el7.aarch64.rpm
ntpdate-4.2.6p5-28.el7.aarch64.rpm

ppc64le:
ntp-4.2.6p5-28.el7.ppc64le.rpm
ntp-debuginfo-4.2.6p5-28.el7.ppc64le.rpm
ntpdate-4.2.6p5-28.el7.ppc64le.rpm

s390x:
ntp-4.2.6p5-28.el7.s390x.rpm
ntp-debuginfo-4.2.6p5-28.el7.s390x.rpm
ntpdate-4.2.6p5-28.el7.s390x.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7):

aarch64:
ntp-debuginfo-4.2.6p5-28.el7.aarch64.rpm
sntp-4.2.6p5-28.el7.aarch64.rpm

noarch:
ntp-doc-4.2.6p5-28.el7.noarch.rpm
ntp-perl-4.2.6p5-28.el7.noarch.rpm

ppc64le:
ntp-debuginfo-4.2.6p5-28.el7.ppc64le.rpm
sntp-4.2.6p5-28.el7.ppc64le.rpm

s390x:
ntp-debuginfo-4.2.6p5-28.el7.s390x.rpm
sntp-4.2.6p5-28.el7.s390x.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
ntp-doc-4.2.6p5-28.el7.noarch.rpm
ntp-perl-4.2.6p5-28.el7.noarch.rpm

ppc64:
ntp-debuginfo-4.2.6p5-28.el7.ppc64.rpm
sntp-4.2.6p5-28.el7.ppc64.rpm

ppc64le:
ntp-debuginfo-4.2.6p5-28.el7.ppc64le.rpm
sntp-4.2.6p5-28.el7.ppc64le.rpm

s390x:
ntp-debuginfo-4.2.6p5-28.el7.s390x.rpm
sntp-4.2.6p5-28.el7.s390x.rpm

x86_64:
ntp-debuginfo-4.2.6p5-28.el7.x86_64.rpm
sntp-4.2.6p5-28.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ntp-4.2.6p5-28.el7.src.rpm

x86_64:
ntp-4.2.6p5-28.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-28.el7.x86_64.rpm
ntpdate-4.2.6p5-28.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
ntp-doc-4.2.6p5-28.el7.noarch.rpm
ntp-perl-4.2.6p5-28.el7.noarch.rpm

x86_64:
ntp-debuginfo-4.2.6p5-28.el7.x86_64.rpm
sntp-4.2.6p5-28.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-6462
https://access.redhat.com/security/cve/CVE-2017-6463
https://access.redhat.com/security/cve/CVE-2017-6464
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/red_hat_enterprise_linux/7/html/7.5_release_notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFazHlzXlSAg2UNWIIRAth7AKCMzb5lhGgvBZAYA3FELEtX8MJgIQCgjDiS
2HCCsCGACp0FtOU6jFkprKo=
=B7P4
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC