SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

NTP was updated to version 4.2.8p8 to fix several security issues and
to ensure the continued maintainability of the package.

These security issues were fixed :

CVE-2016-4953: Bad authentication demobilized ephemeral associations
(bsc#982065).

CVE-2016-4954: Processing spoofed server packets (bsc#982066).

CVE-2016-4955: Autokey association reset (bsc#982067).

CVE-2016-4956: Broadcast interleave (bsc#982068).

CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

CVE-2016-1547: Validate crypto-NAKs to prevent a CRYPTO-NAK DoS
(bsc#977459).

CVE-2016-1548: Prevent the change of time of an ntpd client or denying
service to an ntpd client by forcing it to change from basic
client/server mode to interleaved symmetric mode (bsc#977461).

CVE-2016-1549: Sybil vulnerability: ephemeral association attack
(bsc#977451).

CVE-2016-1550: Improve security against buffer comparison timing
attacks (bsc#977464).

CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450).

CVE-2016-2516: Duplicate IPs on unconfig directives could have caused
an assertion botch in ntpd (bsc#977452).

CVE-2016-2517: Remote configuration trustedkey/requestkey/controlkey
values are not properly validated (bsc#977455).

CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound
with MATCH_ASSOC (bsc#977457).

CVE-2016-2519: ctl_getitem() return value not always checked
(bsc#977458).

CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).

CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).

CVE-2015-7979: Off-path Denial of Service (DoS) attack on
authenticated broadcast mode (bsc#962784).

CVE-2015-7978: Stack exhaustion in recursive traversal of restriction
list (bsc#963000).

CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).

CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in
filenames (bsc#962802).

CVE-2015-7975: nextvar() missing length check (bsc#962988).

CVE-2015-7974: NTP did not verify peer associations of symmetric keys
when authenticating packets, which might have allowed remote attackers
to conduct impersonation attacks via an arbitrary trusted key, aka a
'skeleton' key (bsc#962960).

CVE-2015-7973: Replay attack on authenticated broadcast mode
(bsc#962995).

CVE-2015-5300: MITM attacker can force ntpd to make a step larger than
the panic threshold (bsc#951629).

CVE-2015-5194: Crash with crafted logconfig configuration command
(bsc#943218).

CVE-2015-7871: NAK to the Future: Symmetric association authentication
bypass via crypto-NAK (bsc#952611).

CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning
FAIL on some bogus values (bsc#952611).

CVE-2015-7854: Password Length Memory Corruption Vulnerability
(bsc#952611).

CVE-2015-7853: Invalid length data provided by a custom refclock
driver could cause a buffer overflow (bsc#952611).

CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability
(bsc#952611).

CVE-2015-7851: saveconfig Directory Traversal Vulnerability
(bsc#952611).

CVE-2015-7850: Clients that receive a KoD now validate the origin
timestamp field (bsc#952611).

CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).

CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).

CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).

CVE-2015-7703: Configuration directives 'pidfile' and 'driftfile'
should only be allowed locally (bsc#943221).

CVE-2015-7704: Clients that receive a KoD should validate the origin
timestamp field (bsc#952611).

CVE-2015-7705: Clients that receive a KoD should validate the origin
timestamp field (bsc#952611).

CVE-2015-7691: Incomplete autokey data packet length checks
(bsc#952611).

CVE-2015-7692: Incomplete autokey data packet length checks
(bsc#952611).

CVE-2015-7702: Incomplete autokey data packet length checks
(bsc#952611).

CVE-2015-1798: The symmetric-key feature in the receive function in
ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC
field has a nonzero length, which made it easier for man-in-the-middle
attackers to spoof packets by omitting the MAC (bsc#924202).

CVE-2015-1799: The symmetric-key feature in the receive function in
ntp_proto.c in ntpd in NTP performed state-variable updates upon
receiving certain invalid packets, which made it easier for
man-in-the-middle attackers to cause a denial of service
(synchronization loss) by spoofing the source IP address of a peer
(bsc#924202).

These non-security issues were fixed :

Keep the parent process alive until the daemon has finished
initialisation, to make sure that the PID file exists when the parent
returns.

bsc#979302: Change the process name of the forking DNS worker process
to avoid the impression that ntpd is started twice.

bsc#981422: Don't ignore SIGCHLD because it breaks wait().

Separate the creation of ntp.keys and key #1 in it to avoid problems
when upgrading installations that have the file, but no key #1, which
is needed e.g. by 'rcntp addserver'.

bsc#957226: Restrict the parser in the startup script to the first
occurrence of 'keys' and 'controlkey' in ntp.conf.

Enable compile-time support for MS-SNTP (--enable-ntp-signd).

bsc#975496: Fix ntp-sntp-dst.patch.

bsc#962318: Call /usr/sbin/sntp with its full path to synchronize in
start-ntpd. When run as a cron job, /usr/sbin/ is not in the path, which
caused the synchronization to fail.

bsc#782060: Speedup ntpq.

bsc#951559: Fix the TZ offset output of sntp during DST.

bsc#916617: Add /var/db/ntp-kod.

bsc#951351: Add ntp-ENOBUFS.patch to limit a warning that might happen
quite a lot on loaded systems.

Add ntp-fork.patch and build with threads disabled to allow name
resolution even when running chrooted.

bnc#784760: Remove local clock from default configuration.

Fix incomplete backporting of 'rcntp ntptimemset'.

bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.

Don't let 'keysdir' lines in ntp.conf trigger the 'keys' parser.

bsc#910063: Fix the comment regarding addserver in ntp.conf.

bsc#944300: Remove 'kod' from the restrict line in ntp.conf.

bsc#905885: Use SHA1 instead of MD5 for symmetric keys.

bsc#926510: Re-add chroot support, but mark it as deprecated and
disable it by default.

bsc#920895: Drop support for running chrooted, because it is an
ongoing source of problems and not really needed anymore, given that
ntp now drops privileges and runs under AppArmor.

bsc#920183: Allow -4 and -6 address qualifiers in 'server' directives.

Use upstream ntp-wait, because our version is incompatible with the
new ntpq command line syntax.

bsc#920905: Adjust Util.pm to the Perl version on SLE11.

bsc#920238: Enable ntpdc for backwards compatibility.

bsc#920893: Don't use %exclude.

bsc#988417: Default to NTPD_FORCE_SYNC_ON_STARTUP='yes'.

bsc#988565: Ignore errors when removing extra files during
uninstallation.

bsc#988558: Don't blindly guess the value to use for IP_TOS.

Security Issues :

CVE-2016-4953: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953
CVE-2016-4954: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954
CVE-2016-4955: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955
CVE-2016-4956: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956
CVE-2016-4957: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957
CVE-2016-1547: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547
CVE-2016-1548: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548
CVE-2016-1549: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549
CVE-2016-1550: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550
CVE-2016-1551: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551
CVE-2016-2516: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516
CVE-2016-2517: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517
CVE-2016-2518: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518
CVE-2016-2519: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519
CVE-2015-8158: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158
CVE-2015-8138: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138
CVE-2015-7979: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979
CVE-2015-7978: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978
CVE-2015-7977: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977
CVE-2015-7976: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976
CVE-2015-7975: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975
CVE-2015-7974: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
CVE-2015-7973: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973
CVE-2015-5300: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300
CVE-2015-5194: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194
CVE-2015-7871: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871
CVE-2015-7855: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
CVE-2015-7854: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
CVE-2015-7853: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
CVE-2015-7852: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
CVE-2015-7851: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
CVE-2015-7850: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
CVE-2015-7849: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
CVE-2015-7848: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
CVE-2015-7701: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
CVE-2015-7703: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703
CVE-2015-7704: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
CVE-2015-7705: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705
CVE-2015-7691: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691
CVE-2015-7692: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692
CVE-2015-7702: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
CVE-2015-1798: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798
CVE-2015-1799: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957
https://bugzilla.suse.com/782060
https://bugzilla.suse.com/784760
https://bugzilla.suse.com/905885
https://bugzilla.suse.com/910063
https://bugzilla.suse.com/916617
https://bugzilla.suse.com/920183
https://bugzilla.suse.com/920238
https://bugzilla.suse.com/920893
https://bugzilla.suse.com/920895
https://bugzilla.suse.com/920905
https://bugzilla.suse.com/924202
https://bugzilla.suse.com/926510
https://bugzilla.suse.com/936327
https://bugzilla.suse.com/943218
https://bugzilla.suse.com/943221
https://bugzilla.suse.com/944300
https://bugzilla.suse.com/951351
https://bugzilla.suse.com/951559
https://bugzilla.suse.com/951629
https://bugzilla.suse.com/952611
https://bugzilla.suse.com/957226
https://bugzilla.suse.com/962318
https://bugzilla.suse.com/962784
https://bugzilla.suse.com/962802
https://bugzilla.suse.com/962960
https://bugzilla.suse.com/962966
https://bugzilla.suse.com/962970
https://bugzilla.suse.com/962988
https://bugzilla.suse.com/962995
https://bugzilla.suse.com/963000
https://bugzilla.suse.com/963002
https://bugzilla.suse.com/975496
https://bugzilla.suse.com/977450
https://bugzilla.suse.com/977451
https://bugzilla.suse.com/977452
https://bugzilla.suse.com/977455
https://bugzilla.suse.com/977457
https://bugzilla.suse.com/977458
https://bugzilla.suse.com/977459
https://bugzilla.suse.com/977461
https://bugzilla.suse.com/977464
https://bugzilla.suse.com/979302
https://bugzilla.suse.com/981422
https://bugzilla.suse.com/982056
https://bugzilla.suse.com/982064
https://bugzilla.suse.com/982065
https://bugzilla.suse.com/982066
https://bugzilla.suse.com/982067
https://bugzilla.suse.com/982068
https://bugzilla.suse.com/988417
https://bugzilla.suse.com/988558
https://bugzilla.suse.com/988565
http://www.nessus.org/u?802995db
https://www.suse.com/security/cve/CVE-2015-1798.html
https://www.suse.com/security/cve/CVE-2015-1799.html
https://www.suse.com/security/cve/CVE-2015-5194.html
https://www.suse.com/security/cve/CVE-2015-5300.html
https://www.suse.com/security/cve/CVE-2015-7691.html
https://www.suse.com/security/cve/CVE-2015-7692.html
https://www.suse.com/security/cve/CVE-2015-7701.html
https://www.suse.com/security/cve/CVE-2015-7702.html
https://www.suse.com/security/cve/CVE-2015-7703.html
https://www.suse.com/security/cve/CVE-2015-7704.html
https://www.suse.com/security/cve/CVE-2015-7705.html
https://www.suse.com/security/cve/CVE-2015-7848.html
https://www.suse.com/security/cve/CVE-2015-7849.html
https://www.suse.com/security/cve/CVE-2015-7850.html
https://www.suse.com/security/cve/CVE-2015-7851.html
https://www.suse.com/security/cve/CVE-2015-7852.html
https://www.suse.com/security/cve/CVE-2015-7853.html
https://www.suse.com/security/cve/CVE-2015-7854.html
https://www.suse.com/security/cve/CVE-2015-7855.html
https://www.suse.com/security/cve/CVE-2015-7871.html
https://www.suse.com/security/cve/CVE-2015-7973.html
https://www.suse.com/security/cve/CVE-2015-7974.html
https://www.suse.com/security/cve/CVE-2015-7975.html
https://www.suse.com/security/cve/CVE-2015-7976.html
https://www.suse.com/security/cve/CVE-2015-7977.html
https://www.suse.com/security/cve/CVE-2015-7978.html
https://www.suse.com/security/cve/CVE-2015-7979.html
https://www.suse.com/security/cve/CVE-2015-8138.html
https://www.suse.com/security/cve/CVE-2015-8158.html
https://www.suse.com/security/cve/CVE-2016-1547.html
https://www.suse.com/security/cve/CVE-2016-1548.html
https://www.suse.com/security/cve/CVE-2016-1549.html
https://www.suse.com/security/cve/CVE-2016-1550.html
https://www.suse.com/security/cve/CVE-2016-1551.html
https://www.suse.com/security/cve/CVE-2016-2516.html
https://www.suse.com/security/cve/CVE-2016-2517.html
https://www.suse.com/security/cve/CVE-2016-2518.html
https://www.suse.com/security/cve/CVE-2016-2519.html
https://www.suse.com/security/cve/CVE-2016-4953.html
https://www.suse.com/security/cve/CVE-2016-4954.html
https://www.suse.com/security/cve/CVE-2016-4955.html
https://www.suse.com/security/cve/CVE-2016-4956.html
https://www.suse.com/security/cve/CVE-2016-4957.html
http://www.nessus.org/u?7baed9b6
https://www.tenable.com/security/research/tra-2015-04

Solution :

Update the affected ntp packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.4
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true