USN-3096-1 NTP vulnerabilities


Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected
  • Canonical Ubuntu 14.04 LTS
Description

Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)

Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)

Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976)

Stephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)

Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)

Jonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)

Jonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)

It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)

Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)

Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548)

Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550)

Yihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)

Yihan Lian discovered that NTP incorrectly handled certain peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518)

Jakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)

Miroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955)

Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956)

In the default installation, attackers would be isolated by the NTP AppArmor profile.

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • All versions prior to 3146.24
    • 3151.x versions prior to 3151.2
    • 3232.x versions prior to 3232.22
    • 3233.x versions prior to 3233.2
    • 3262.x versions prior to 3262.21
    • Other versions prior to 3263.7
  • PCF Ops Manager versions prior to 1.6.24 and 1.7.x versions prior to 1.7.16 and 1.8.x versions prior to 1.8.7
  • PCF Elastic Runtime versions prior to 1.6.50 and 1.7.x versions prior to 1.7.32 and 1.8.x versions prior to 1.8.13
  • RabbitMQ for PCF versions prior to 1.5.17 and 1.6.x versions prior to 1.6.9 and 1.7.x versions prior to 1.7.4
  • Redis for PCF versions prior to 1.4.32 and 1.5.x versions prior to 1.5.22 and 1.6.x versions prior to 1.6.2
  • PCF Metrics versions prior to 1.0.16 and 1.1.x versions prior to 1.1.3
  • PCF JMX Bridge (Ops Metrics) versions prior to 1.4.26 and 1.6.x versions prior to 1.6.20 and 1.7.x versions prior to 1.7.4 and 1.8.x versions prior to 1.8.6
  • PCF Log Search versions prior to 1.0.1
  • Spring Cloud Services for PCF versions prior to 1.0.16 and 1.1.x versions prior to 1.1.7 and 1.2.x versions prior to 1.2.1
  • Single Sign-On for PCF versions prior to 1.0.18, 1.1.x versions prior to 1.1.2 and 1.2.x versions prior to 1.2.2
  • Push Notification for PCF versions prior to 1.4.25
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
    • Upgrade all versions prior to 3146.x to 3146.24
    • Upgrade 3151.x versions to 3151.2
    • Upgrade 3232.x versions to 3232.22
    • Upgrade 3233.x versions to 3233.2
    • Upgrade 3262.x versions to 3262.21
    • Upgrade other versions to 3263.7
  • Upgrade PCF Ops Manager to 1.6.24 or 1.7.x versions to 1.7.16 or 1.8.x versions to 1.8.7
  • Upgrade PCF Elastic Runtime to 1.6.50 or 1.7.x versions to 1.7.32 or 1.8.x versions to 1.8.13
  • Upgrade RabbitMQ for PCF to 1.5.17 or 1.6.x versions to 1.6.9 or 1.7.x versions to 1.7.4
  • Upgrade Redis for PCF to 1.4.32 or 1.5.x versions to 1.5.22 or 1.6.x versions to 1.6.2
  • Upgrade PCF Metrics to 1.0.16 or 1.1.x versions prior to 1.1.3
  • Upgrade PCF JMX Bridge (Ops Metrics) to 1.4.26 or 1.6.x versions to 1.6.20 or 1.7.x versions to 1.7.4 or 1.8.x versions to 1.8.6
  • Upgrade PCF Log Search to 1.0.1
  • Upgrade Spring Cloud Services for PCF to 1.0.16 or 1.1.x versions to 1.1.7 or 1.2.x versions to 1.2.1
  • Upgrade Single Sign-On for PCF to 1.0.18, 1.1.x versions to 1.1.2 or 1.2.x versions to 1.2.2
  • Upgrade Push Notification for PCF to 1.4.25

Special Note for 1.7.x and 1.8.x Ops Manager Deployments

The 1.7.x release line of Ops Manager includes a new feature that allows tile stemcells to “float”, which will allow Operators to update their Ops Manager deployment once rather than installing all new Services product releases. If you upgrade one Service tile in Ops Manager 1.7.x or 1.8.x with the newly released stemcell, all tiles will automatically upgrade. For more information about the floating stemcell feature, refer to this document.

Credit

Matt Street, Aanchal Malhotra, Jonathan Gardner, Matthew Van Gundy, Stephen Gray, Loganaden Velvindron, Yihan Lian, Jakub Prokes, Miroslav Lichvar

References