NTP安全漏洞公告

    NTP服务今天公告了几个高危漏洞，大概信息如下：

描述：包含缓冲区溢出等多个高危或低危漏洞。

危害：可以利用获取服务器权限完全控制服务器，至少可以造成服务器崩溃。

影响范围：只有升级到4.2.8才能解决所有漏洞，我们当前用的是4.2.6

漏洞验证：目前尚未公布可用于验证的攻击模块，为避免风险，建议直接升级。

缓解措施：可以在ntp.conf限制查询时间的来源机器，但是我们是开放给在互联网上的设备的，无法做这样的限制，由于poc未公布，也没有办法通过防火墙堵截，只能暂时关闭NTP服务，建议尽快直接升级。

更多信息和补丁参考以下地址：

http://support.ntp.org/bin/view/Main/SecurityNotice（详细内容贴在下面）

按照升级补丁流程，先在预发布验证功能OK再升级。

另外，由于NTP是个和其它业务无相关性的服务，可做单独完全隔离，降低风险。

 

Security Notice

• Notification Policy
• Reporting Security Issues
• Active Vulnerabilities
• Resolved Vulnerabilities
  • Weak default key in config_auth()
  • non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys
  • Buffer overflow in crypto_recv()
  • Buffer overflow in ctl_putdata()
  • Buffer overflow in configure()
  • receive(): missing return on error
• Older Resolved Issues
  • DRDoS / Amplification Attack using ntpdc monlist command
  • DoS attack from certain NTP mode 7 packets
  • Remote exploit if autokey is enabled
  • Multiple OpenSSL signature verification API misuse
  • Buffer overflow in ntp_control:ctl_getitem() function
  • Internal overflow if date / time offset is greater than 34 years

Notification Policy

When we discover a security vulnerability in NTP we first notify institutional members of the NTP Consortium at Network Time Foundation, then CERT, and finally make a public announcement.

Reporting Security Issues

Security related bugs, confirmed or suspected, are to be reported by e-mail to security@ntp.org.

Please refrain from discussing potential security issues in public fora such as the comp.protocols.time.ntp Usenet news-group, our Bug Tracking system, bugs@ntp.org, or any other mailing-list.

Active Vulnerabilities

NTF's NTP Project has been notified of a number of vulnerabilities from Neel Mehta and Stephen Roettger of Google's Security Team. The two most serious of these issues and four less serious issues have been resolved as of ntp-4.2.8, which was released on 18 December 2014. There are still two less significant issues to be addressed. We're expecting to fix these within the next month.

Resolved Vulnerabilities

The following vulnerabilities have been reported for the Reference Implementation of NTP during the 20+ years that the NTP Project has existed.

Weak default key in config_auth()

• References: Sec 2665 / CVE-2014-9293 / VU#852879
• CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
• Versions: All NTP4 releases before 4.2.7p11
• Date Resolved: Dev (4.2.7p11) 28 Jan 2010
• Summary: If no auth key is set in the configuration file, ntpd would generate a random key on the fly. There were two problems with this: 1) the generated key was 31 bits in size, and 2) it used the (now weak) ntp_random() function, which was seeded with a 32 bit value and can only provide 32 bits of entropy. This was sufficient back in the late 1990s when this code was written. Not today.
• Mitigation - any of:
  • Upgrade to 4.2.7p11, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  • Put restrict ... noquery in your ntp.conf file, for non-trusted senders.
• Credit: This vulnerability was discovered in ntp-4.2.6 by Neel Mehta of the Google Security Team.

non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys

• References: Sec 2666 / CVE-2014-9294 / VU#852879
• CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
• Versions: All NTP4 releases before 4.2.7p230
• Date Resolved: Dev (4.2.7p230) 01 Nov 2011
• Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to prepare a random number generator that was of good quality back in the late 1990s. The random numbers produced was then used to generate symmetric keys. In ntp-4.2.8 we use a current-technology cryptographic random number generator, either RAND_bytes from OpenSSL, or arc4random().
• Mitigation - any of:
  • Upgrade to 4.2.7p230, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  • Put restrict ... noquery in your ntp.conf file, for non-trusted senders.
• Credit: This vulnerability was discovered in ntp-4.2.6 by Stephen Roettger of the Google Security Team.

Buffer overflow in crypto_recv()

• References: Sec 2667 / CVE-2014-9295 / VU#852879
• CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
• Versions: All releases before 4.2.8
• Date Resolved: Stable (4.2.8) 18 Dec 2014
• Summary: When Autokey Authentication is enabled (i.e. the ntp.conf file contains a crypto pw ... directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
• Mitigation - any of:
  • Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
  • Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.
  • Put restrict ... noquery in your ntp.conf file, for non-trusted senders.
• Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.

Buffer overflow in ctl_putdata()

• References: Sec 2668 / CVE-2014-9295 / VU#852879
• Versions: All NTP4 releases before 4.2.8
• CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
• Date Resolved: Stable (4.2.8) 18 Dec 2014
• Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
• Mitigation - any of:
  • Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  • Put restrict ... noquery in your ntp.conf file, for non-trusted senders.
• Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.

Buffer overflow in configure()

• References: Sec 2669 / CVE-2014-9295 / VU#852879
• Versions: All NTP4 releases before 4.2.8
• CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
• Date Resolved: Stable (4.2.8) 18 Dec 2014
• Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
• Mitigation - any of:
  • Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  • Put restrict ... noquery in your ntp.conf file, for non-trusted senders.
• Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.

receive(): missing return on error

• References: Sec 2670 / CVE-2014-9296 / VU#852879
• Versions: All NTP4 releases before 4.2.8
• CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
• Date Resolved: Stable (4.2.8) 18 Dec 2014
• Summary: Code in ntp_proto.c:receive() is missing a return; in the code path where an error was detected, which meant processing did not stop when a specific rare error occurred. We haven't found a way for this bug to affect system integrity. If there is no way to affect system integrity the base CVSS score for this bug is 0. If there is one avenue through which system integrity can be partially affected, the base score becomes a 5. If system integrity can be partially affected via all three integrity metrics, the CVSS base score become 7.5.
• Mitigation:
  • Upgrade to 4.2.8, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
  • or Remove or comment out all configuration directives beginning with the crypto keyword in your ntp.conf file.
• Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.