NTP Classic announced 10 new CVEs yesterday. Of them, six have no impact on NTPsec:
CVE-2016-9311: Trap crash
CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector
CVE-2016-7427: Broadcast Mode Replay Prevention DoS
CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS
CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet
CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass

One we independently found and fixed in 0.9.4, but it impacts 0.9.0 through 0.9.3:

CVE-2016-7433: Reboot sync calculation problem

Note that we didn't treat this one as a security issue at the time. In retrospect, we probably should have. Low severity, but a vulnerability nonetheless.

One is bogus:

CVE-2016-7426: Client rate limiting and server responses

The behavior described in this advisory reflects rate-limiting working as designed, and the resulting potential for denial of service is a well-understood consequence that I've been harping about for years. I may add support for a configuration option to exempt mode 4 packets from rate-limiting, but I'm not going to treat this as an urgent security issue.

Finally, two do impact NTPsec:

CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal()
CVE-2016-7429: Interface selection attack

I've ported the patches for these issues from NTP Classic and pushed them to HEAD. Of these issues, only the first is worth worrying about: processing certain malformed mode 6 (i.e., ntpq) packets can trigger a null pointer dereference in ntpd, resulting in a crash. Use of 'restrict noquery' directives is sufficient to prevent the vulnerable code from executing, so if your system is configured to only allow ntpq queries from localhost then this is not remotely exploitable.

CVE-2016-7429 is another DoS vulnerability, but in order for it to be exploitable you have to have disabled RP filtering in your kernel. Furthermore, the attacker needs to be positioned on a network interface different from the one you use to access your time servers.
So, e.g., if you're running ntpd on your home router and have RP filtering turned off, then an adversary on the internet can prevent you from syncing with time servers on your LAN, and an adversary on your LAN can prevent you from syncing with time servers on the internet.

I'm not quite ready for us to tag a release yet. I still need to update the NEWS file, and more importantly I need to finish up some testing, cleanup, and documentation updates left over from my protocol refactor. I'll get this done ASAP, hopefully by tomorrow.

_______________________________________________
devel mailing list
http://lists.ntpsec.org/mailman/listinfo/devel
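As an added example (not code from NTPsec or from this post), here is a POSIX sh audit of an ntp.conf for the mitigation named above: it reports whether mode 6 (ntpq) queries are confined to localhost by 'restrict ... noquery'. The function name and the sample configs in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper; not NTPsec code. Reads an ntp.conf and reports whether
# mode 6 (ntpq) queries are confined to localhost via 'restrict ... noquery',
# the condition under which the post says CVE-2016-7434 is not remotely
# reachable. 'ignore' is accepted as well, since it drops all packets.
#
# ntpq_exposure FILE -> prints "restricted" (exit 0) or "exposed" (exit 1);
# restrict lines that leave mode 6 open to non-local hosts go to stderr.
ntpq_exposure() {
    conf=$1
    default_blocks=0   # becomes 1 once a 'restrict default' line blocks queries
    exposed=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=${raw%%#*}                      # strip trailing comments
        set -- $line                         # word-split; unquoted on purpose
        [ "$1" = restrict ] || continue
        shift
        case "$1" in -4|-6) shift ;; esac    # optional address-family flag
        addr=$1
        [ -n "$addr" ] && shift
        blocks=0
        for flag in "$@"; do
            case "$flag" in noquery|ignore) blocks=1 ;; esac
        done
        if [ "$addr" = default ]; then
            [ $blocks -eq 1 ] && default_blocks=1
        elif [ $blocks -eq 0 ]; then
            case "$addr" in
                127.*|::1) ;;                # loopback exemption is the intent
                *) echo "mode 6 open to $addr: $raw" >&2; exposed=1 ;;
            esac
        fi
    done < "$conf"
    if [ $default_blocks -eq 1 ] && [ $exposed -eq 0 ]; then
        echo restricted
        return 0
    fi
    [ $default_blocks -eq 0 ] && echo "no 'restrict default ... noquery': any host may query" >&2
    echo exposed
    return 1
}

# Demo on two constructed configs (hypothetical, not taken from any real host).
demo_ntpq_exposure() {
    t=$(mktemp)
    printf 'restrict default kod nomodify notrap nopeer noquery\nrestrict 127.0.0.1\nrestrict ::1\n' > "$t"
    ntpq_exposure "$t" || true           # prints: restricted
    printf 'restrict default kod limited nomodify notrap nopeer\nrestrict 127.0.0.1\n' > "$t"
    ntpq_exposure "$t" || true           # prints: exposed (default lacks noquery)
    rm -f "$t"
}
```

A more specific restrict line without noquery (for example one covering a LAN subnet) is reported as well, because it reopens mode 6 to that range even when the default line is correct.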
