Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

EGI CSIRT:Alerts/Ntp-2015-01-06

From EGIWiki
Jump to navigation Jump to search
** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


Title:       EGI CSIRT alert 'High' Risk - CVE-2014-9295 - Remote code execution in NTP - 
             [EGI-ADV-20150106] 

Date:        2015-01-07 
Updated:    

URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Ntp-2015-01-06  


Introduction
============

A security notice has been made by NTP [R 1] describing various vulnerabilities, 
including remote code execution. 

This vulnerability is not exploitable in the default configuration of NTP.

This has been resolved, and sites are recommended to update. In particular, sites are recommended
to ensure they do not have the combination of a vulnerable version of NTP and configuration which 
allows the vulnerability to be exploited. 



Details
=======

A remote attacker can send a carefully crafted packet that can overflow a stack buffer and 
potentially allow malicious code to be executed with the privilege level of the ntpd process.

This is exploitable when Autokey Authentication is enabled (i.e. the ntp.conf
 file contains a 'crypto pw ...' directive).

More info is available on the ntp page [R 1] NVD page [R 2] and the NTP site [R 3]


Risk category
=============

This issue has been assessed as 'High'  the EGI CSIRT and EGI SVG Risk Assessment Team 


Affected software
=================

This has been fixed in NTP version to 4.2.8.

Earlier versions are likely to be vulnerable. 


Mitigation
==========

This is not exploitable in the default configuration of NTP. 


Component installation information
==================================

Sites should upgrade to NTP version 4.2.8 or later. 


Updates are available for the following RHEL-compatibles

 - CentOS,
http://lists.centos.org/pipermail/centos-announce/2014-December/020852.html
and
http://lists.centos.org/pipermail/centos-announce/2014-December/020851.html

 - RedHat, https://rhn.redhat.com/errata/RHSA-2014-2024.html and https://rhn.redhat.com/errata/RHSA-2014-2025.html

 - Scientific Linux,
https://www.scientificlinux.org/sl-errata/slsa-20142024-1/ and https://www.scientificlinux.org/sl-errata/slsa-20142025-1/



Recommendations
===============

Sites are recommended to update relevant components if they have not done so already, and in 
particular to check that they do not have the combination of a vulnerable component and the 
configuration which exposes the vulnerability. 


Credit
======

CSIRT and SVG were alerted to this vulnerability by Leif Nixon. 

References
==========

[R 1] NTP site http://support.ntp.org/bin/view/Main/SecurityNotice


[R 2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295


[R 3] Redhat Notice https://bugzilla.redhat.com/show_bug.cgi?id=1176037#c11

Timeline  
========
Yyyy-mm-dd

2014-12-19 EGI CSIRT and SVG alerted to this Vulnerability by Leif Nixon.  
2014-12-19 Agreed not critical for EGI, therefore no urgent action. 
2015-01-05 Agreed it needs risk assessing in EGI IRTF meeting. 
2015-01-05 Assessment by the EGI Software Vulnerability Group/CSIRT agreed as 'High' and that 
alert/advisory should be sent. 
2015-01-06 Alert issued. 



On behalf of the EGI CSIRT,