ArchLinux: 201502-7: ntp: multiple issues
Summary
- CVE-2014-9297 (information disclosure, denial of service)
The vallen packet value is not validated in several code paths in
ntp_crypto.c which can lead to information leakage or a possible crash.
- CVE-2014-9298 (access restriction bypass)
While available kernels will prevent 127.0.0.1 addresses from
"appearing" on non-localhost IPv4 interfaces, some kernels do not offer
the same protection for ::1 source addresses on IPv6 interfaces. Since
NTP's access control is based on source address and localhost addresses
generally have no restrictions, an attacker can send malicious control
and configuration packets by spoofing ::1 addresses from the outside.
Resolution
Upgrade to 4.2.8.p1-1.
# pacman -Syu "ntp>=4.2.8.p1-1"
The problems have been fixed upstream in version 4.2.8.p1.
References
https://www.ntp.org/support/securitynotice/ https://www.ntp.org/support/securitynotice/ https://access.redhat.com/security/cve/CVE-2014-9297 https://access.redhat.com/security/cve/CVE-2014-9298
Workaround
- CVE-2014-9297 Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.
- CVE-2014-9298
Install firewall rules to block packets claiming to come from ::1 from inappropriate network interfaces.