diff options
author | Gordon Tetlow <gordon@FreeBSD.org> | 2018-03-07 06:45:08 +0000 |
---|---|---|
committer | Gordon Tetlow <gordon@FreeBSD.org> | 2018-03-07 06:45:08 +0000 |
commit | e614d59b964b007b662a23faf4e4bc35a13fcbb0 (patch) | |
tree | 5f4acfe9b1e96934a5d03ce83b4b07f030e41811 /share/security/advisories | |
parent | da0f1f5085871f914a0a139f6e82345c9ce0e694 (diff) | |
download | doc-e614d59b964b007b662a23faf4e4bc35a13fcbb0.tar.gz doc-e614d59b964b007b662a23faf4e4bc35a13fcbb0.zip |
Add SA-18:01, SA-18:02, EN-18:01, EN-18:02.
Approved by: so
Notes
Notes:
svn path=/head/; revision=51463
Diffstat (limited to 'share/security/advisories')
-rw-r--r-- | share/security/advisories/FreeBSD-EN-18:01.tzdata.asc | 149 | ||||
-rw-r--r-- | share/security/advisories/FreeBSD-EN-18:02.file.asc | 144 | ||||
-rw-r--r-- | share/security/advisories/FreeBSD-SA-18:01.ipsec.asc | 144 | ||||
-rw-r--r-- | share/security/advisories/FreeBSD-SA-18:02.ntp.asc | 200 |
4 files changed, 637 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-18:01.tzdata.asc b/share/security/advisories/FreeBSD-EN-18:01.tzdata.asc new file mode 100644 index 0000000000..382de9e884 --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-18:01.tzdata.asc @@ -0,0 +1,149 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:01.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2018-03-07 +Credits: Philip Paeps +Affects: All supported versions of FreeBSD +Corrected: 2018-01-27 13:29:55 UTC (stable/11, 11.1-STABLE) + 2018-03-07 06:01:44 UTC (releng/11.1, 11.1-RELEASE-p7) + 2018-01-27 13:34:14 UTC (stable/10, 10.4-STABLE) + 2018-03-07 06:01:44 UTC (releng/10.4, 10.4-RELEASE-p6) + 2018-03-07 06:01:44 UTC (releng/10.3, 10.3-RELEASE-p27) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The tzsetup(8) program allows the user to specify the default local timezone. +Based on the selected timezone, tzsetup(8) copies one of the files from +/usr/share/zoneinfo to /etc/localtime. This file actually controls the +conversion. + +II. Problem Description + +Several changes in Daylight Savings Time happened after previous FreeBSD +releases were released that would affect many people who live in different +countries. Because of these changes, the data in the zoneinfo files need to +be updated, and if the local timezone on the running system is affected, +tzsetup(8) needs to be run so the /etc/localtime is updated. + +III. Impact + +An incorrect time will be displayed on a system configured to use one of the +affected timezones if the /usr/share/zoneinfo and /etc/localtime files are +not updated, and all applications on the system that rely on the system time, +such as cron(8) and syslog(8), will be affected. + +IV. Workaround + +The system administrator can install an updated timezone database from the +misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected. + +Applications that store and display times in Coordinated Universal Time (UTC) +are not affected. + +V. Solution + +Please note that some third party software, for instance PHP, Ruby, Java and +Perl, may be using different zoneinfo data source, in such cases this +software must be updated separately. For software packages that is installed +via binary packages, they can be upgraded by executing `pkg upgrade'. + +Following the instructions in this Errata Notice will update all of the +zoneinfo files to be the same as what was released with FreeBSD release. + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. Restart all the affected +applications and daemons, or reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-18:01/tzdata-2018c.patch +# fetch https://security.FreeBSD.org/patches/EN-18:01/tzdata-2018c.patch.asc +# gpg --verify tzdata-2018c.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r328476 +releng/10.3/ r330568 +releng/10.4/ r330568 +stable/11/ r328475 +releng/11.1/ r330568 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:01.tzdata.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhfZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJp7Q//fHWkVYNLtrjtWwhWdklnNdJq16V4Jnvd4bniw9O9tlWBZlQPwFB4Ez/l +GNLqamLhgakaFXFE9oISjqn1LvNZOoaIDKHVs9KRkTEWpGZaIVRVPyHkZsGImG4A +ale+8grJBcyepZPxXGbmEcPsrGPlOs5M3LsQabwEvuPW8yf9CLAh5IOkmD7r7qMJ +zbhLKW/rKQOq9Weka3XZSuVXXi1h536tmGPkQoj0S+k73d0X67E5jlFCOFo8Q/yh +qqsIXRNrvvfieVujUtTRwYrbCi6Omngj6lNZWCOO7QUNKd0YoEgsdj/tAxZ+cwwn +Z7J55ARBD+/dkRAFbZaqryPFuznDA3+bPS/oKJfyVdIDWC4gT38L8WUFMSRpeFbr +BdZMUdoxvj2NRjRejgO/kii7JDzg2+nztGmt8hw0z4lNt5ZXIc2W4+ou7oEaAr5i +YoM95ZxwnNe5JEgYXWOJ8f4krB1GICLk0KQZ38P1kP2jQRs52OtQKNBRw3UVZLEV +SnFSACTNYSQzE3CajEgVQ/cfg3+KMA0fYbYdmA5ZXekQqjSMPeqrui/z+9C57Bjm +6+4qTpzST8oJbNBOGlU2uncIcYllaWSrMQ2kRWmq73O/PUMhoPhukahPeYEMj8PR +STD8RLoN9Rp+6GdZfLndLBl6ZJHOFKY0yd6NYsGlj7AsjJwsgKw= +=mVpJ +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-18:02.file.asc b/share/security/advisories/FreeBSD-EN-18:02.file.asc new file mode 100644 index 0000000000..3fa8fb1fff --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-18:02.file.asc @@ -0,0 +1,144 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:02.file Errata Notice + The FreeBSD Project + +Topic: Version and security update of file(1) and libmagic(3) + +Category: contrib +Module: file +Announced: 2018-03-07 +Affects: All supported versions of FreeBSD. +Corrected: 2018-02-05 08:20:11 UTC (stable/11, 11.1-STABLE) + 2018-03-07 06:04:25 UTC (releng/11.1, 11.1-RELEASE-p7) + 2018-02-05 08:50:34 UTC (stable/10, 10.4-STABLE) + 2018-03-07 06:04:25 UTC (releng/10.4, 10.4-RELEASE-p6) + 2018-03-07 06:04:25 UTC (releng/10.3, 10.3-RELEASE-p27) +CVE Name: CVE-2017-1000249 + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The file(1) utility attempts to classify file system objects based on +filesystem, magic number and language tests. + +The libmagic(3) library provides most of the functionality of file(1) and +may be used by other applications. + +II. Problem Description + +The file(1) utility contains a stack based buffer overflow when parsing +a specially crafted input file. + +III. Impact + +The issue lets an attacker overwrite a fixed 20 bytes stack buffer with +with a specially crafted .notes section in an ELF binary file. + +IV. Workaround + +No workaround is available, but systems where file(1) and other applications +using libmagic(3) are never run on untrusted input are not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.3] +# fetch https://security.FreeBSD.org/patches/EN-18:02/file-10.3.patch +# fetch https://security.FreeBSD.org/patches/EN-18:02/file-10.3.patch.asc +# gpg --verify file-10.3.patch.asc + +[FreeBSD 10.4] +# fetch https://security.FreeBSD.org/patches/EN-18:02/file-10.4.patch +# fetch https://security.FreeBSD.org/patches/EN-18:02/file-10.4.patch.asc +# gpg --verify file-10.4.patch.asc + +[FreeBSD 11.1] +# fetch https://security.FreeBSD.org/patches/EN-18:02/file-11.patch +# fetch https://security.FreeBSD.org/patches/EN-18:02/file-11.patch.asc +# gpg --verify file-11.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r328875 +releng/10.3/ r330569 +releng/10.4/ r330569 +stable/11/ r328874 +releng/11.1/ r330569 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000249> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:02.file.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhmJfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLAmg/+Ls59X/iLsmZiRvMiqfxI78P7FYuvTZ/6It0oaElmbswoaIDs3NF1c+II +lcKYwFyXPs4ge/9P4k4pz9bWN7IZcMlGuzDalWSpywF2y3I/6zCNOU2Xyzz4LLVx +wrLuWbTYqXFq6bgYsT8BBOANIadH5tjCfvO7DXOtRHyfUK5DJqsT+xMyv6R4Kncv +VnwjyBNkutT/kAkWYYdqJYLR7uhW2NmVk/57Un6lnGxsLUMgfL8jxzsTlGOa90q9 +0fmGVTwkHxqfxqVSd9+lymISuuw4pg2Ar8bY0AKzMjhQTVMhEtLEsn0N+VbLg6Ns +6HCuPsYwDtGLJ8hd44JPCfbzxzOAW08flUwgu1U5E4e+sUIlKMTOhKxt/HrH+JFk +OyzLDytuv2364lMepThzO4++vWZkErxfa5uJFjjrax5w+WECyEddrUJG3HovOxMd +YXD/dBSulgxaAgVQLXhn1AI+BUR5rD59wsmi6rEYFDXhAfTxNtrHXp1vIoHiW4CO +a8jVPHfFcSuNzLfi+hE/QV8q2RWVOseYlOey0vme4h0upzi3HKQ8WPvUQUrHmDLw +D0Hmr6m9PpyoKFnh2UlM4RiEMf3RO4o4nkRHzPp40LPawzmOmilSmPwv/HasBe2z +X49GD/ortXLxn7UmGqjkIEApOo9me8lHxCYtODQC73BwZdFNrP4= +=PpWQ +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-18:01.ipsec.asc b/share/security/advisories/FreeBSD-SA-18:01.ipsec.asc new file mode 100644 index 0000000000..a4e2dfeebe --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-18:01.ipsec.asc @@ -0,0 +1,144 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-18:01.ipsec Security Advisory + The FreeBSD Project + +Topic: ipsec validation and use-after-free + +Category: core +Module: ipsec +Announced: 2018-03-07 +Credits: Maxime Villard +Affects: All supported versions of FreeBSD. +Corrected: 2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE) + 2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7) + 2018-03-07 05:47:48 UTC (stable/10, 10.4-STABLE) + 2018-03-07 05:53:35 UTC (releng/10.4, 10.4-RELEASE-p6) + 2018-03-07 05:53:35 UTC (releng/10.3, 10.3-RELEASE-p27) +CVE Name: CVE-2018-6916 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The IPsec suite of protocols provide network level security for IPv4 and IPv6 +packets. FreeBSD includes software originally developed by the KAME project +which implements the various protocols that make up IPsec. + +In IPsec, the IP Authentication Header (AH) is used to provide protection +against replay attacks and connectionless integrity and data origin +authentication for IP datagrams. + +II. Problem Description + +Due to a lack of strict checking, an attacker from a trusted host can +send a specially constructed IP packet that may lead to a system crash. + +Additionally, a use-after-free vulnerability in the AH handling code could +cause unpredictable results. + +III. Impact + +Access to out of bounds or freed mbuf data can lead to a kernel panic or +other unpredictable results. + +IV. Workaround + +No workaround is available, but systems not using IPsec are not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. +And reboot the system. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +And reboot the system + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.x] +# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch +# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc +# gpg --verify ipsec-10.patch.asc + +[FreeBSD 11.1] +# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch +# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc +# gpg --verify ipsec-11.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r330565 +releng/10.3/ r330566 +releng/10.4/ r330566 +stable/11/ r329907 +releng/11.1/ r330566 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6916> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:01.ipsec.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhClfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cISCQ//f9bjAzuou4wlbaoVBp+csfE8qwJl0PJAs/guwO9dO/TMLrVzJ+oNtAIR +VO6T7j2uC/eLD80PFsGoTpDAm4O1gqcGGX4OZm/6rE/OdqC3/UhhqpMYke0ZdNuh +ugUyztXZkHuvsLgoR/peW9QqAxRRABTUWL0NPQU4YvtEpa5iOOkzNYuPQ9+dltQC +SXkbGDrHgHwMHSyoZ14eRffrlwOU+bYH7tdMvDzPyr3z4NhJSTJvKBy4dohCal9F +bQRjZSqsGGZ4D0T0BW88RpD3wRBj9s23bSgbcrR8tQvtwEN897S/oL0wtbFYVOQ+ +p/ZgiVgV2JvB17m6Dnmt8+CQLEri+21l1NCF2rVMvMBUcZioiO3L43Z3dZNZfRb5 +pknuSB6q0HEF5qE1sRIlT2WwH/6rd6VASQOb0NQRTBKNVM7ZU6+Q1PN56KjPhZmw +uVREGJ6fHz/MB58fOLkyhbhvcmL7Hz1CGQwQz1Qi05Gp5T2OYP9POJyK8e/EW+Gs +hiiErWezEWpVtHHfUpbudVlqlLp/Mc8LHlVOCIhnrEWH1zhgBX2Bx/WmELUerJz/ +RjOKUdPTQwn8IVkXJfpj42IbxdCG8xvQN/NKWf01maa+Y2xLCtlg8H0I9/9zT80Q +bLdFKjj+M5ysz+bcSR4jl3pd2WMqpidXPvOjph5JcfNWDA5131I= +=Uzqo +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-18:02.ntp.asc b/share/security/advisories/FreeBSD-SA-18:02.ntp.asc new file mode 100644 index 0000000000..90cf3fb42c --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-18:02.ntp.asc @@ -0,0 +1,200 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-18:02.ntp Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities of ntp + +Category: contrib +Module: ntp +Announced: 2018-03-07 +Credits: Network Time Foundation +Affects: All supported versions of FreeBSD. +Corrected: 2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE) + 2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7) + 2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE) + 2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6) + 2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27) +CVE Name: CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185, + CVE-2018-7183 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) +used to synchronize the time of a computer system to a reference time +source. + +II. Problem Description + +The ctl_getitem() function is used by ntpd(8) to process incoming "mode 6" +packets. A malicious "mode 6" packet can be sent to an ntpd instance, and +if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() will +read past the end of its buffer. [CVE-2018-7182] + +The ntpd(8) service can be vulnerable to Sybil attacks. If a system is +configured to use a trustedkey and if one is not using the feature introduced +in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify +which IPs can serve time, a malicious authenticated peer, i.e., one where the +attacker knows the private symmetric key, can create arbitrarily-many +ephemeral associations in order to win the clock selection of ntpd and modify +a victim's clock. [CVE-2018-7170] + +The fix for NtpBug2952 was incomplete, and while it fixed one problem it +created another. Specifically, it drops bad packets before updating the +"received" timestamp. This means a third-party can inject a packet with +a zero-origin timestamp, meaning the sender wants to reset the association, +and the transmit timestamp in this bogus packet will be saved as the most +recent "received" timestamp. The real remote peer does not know this +value and this will disrupt the association until the association resets. +[CVE-2018-7184] + +The NTP Protocol allows for both non-authenticated and authenticated +associations, in client/server, symmetric (peer), and several broadcast +modes. In addition to the basic NTP operational modes, symmetric mode and +broadcast servers can support an interleaved mode of operation. In +ntp-4.2.8p4, a bug was inadvertently introduced into the protocol engine that +allows a non-authenticated zero-origin (reset) packet to reset an +authenticated interleaved peer association. If an attacker can send a packet +with a zero-origin timestamp and the source IP address of the "other side" of +an interleaved association, the 'victim' ntpd will reset its association. +The attacker must continue sending these packets in order to maintain the +disruption of the association. [CVE-2018-7185] + +The ntpq(8) utility is a monitoring and control program for ntpd. The +internal decodearr() function of ntpq(8) that is used to decode an array in +a response string when formatted data is being displayed. This is a problem +in affected versions of ntpq if a maliciously-altered ntpd returns an array +result that will trip this bug, or if a bad actor is able to read an ntpq(8) +request on its way to a remote ntpd server and forge and send a response +before the remote ntpd sends its response. It is potentially possible that +the malicious data could become injectable/executable code. [CVE-2017-7183] + +III. Impact + +Malicious remote attackers may be able to break time synchornization, +or cause the ntpq(8) utility to crash. + +IV. Workaround + +No workaround is available, but systems not running ntpd(8) or ntpq(8) are +not affected. Network administrators are advised to implement BCP-38 which +helps to reduce risk associated with the attacks. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +The ntpd service has to be restarted after the update. A reboot is +recommended but not required. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +The ntpd service has to be restarted after the update. A reboot is +recommended but not required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.1] +# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch +# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc +# gpg --verify ntp-11.1.patch.asc + +[FreeBSD 10.4] +# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch +# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc +# gpg --verify ntp-10.4.patch.asc + +[FreeBSD 10.3] +# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch +# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc +# gpg --verify ntp-10.3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r330141 +releng/10.3/ r330567 +releng/10.4/ r330567 +stable/11/ r330106 +releng/11.1/ r330567 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7183> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:02.ntp.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhYNfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cL9GQ/+PLffyegsvxKngL83XWG9UuHbcGG5aWbNwCecTEzNoCI72TI03aga0ge5 +iLz5kW3SQvl8tsq778U4YbfFcCw6ifq2ws8asqNviv+u4AcJh7oD8CS3/kFuA9xM +zjAIrScdNR2taBJhBW3nwlb7RmDeKqydQ3OIxHVvs9Fj5Alc5ZEGezUjC2dueB+M +UdORg6GvHGMYQ+4AtBFRgZHAU3BFkwmgqsIICywYnUVH+AxKj34shs/pMMeJd/d9 +a+BIu/tUjAIlQp23VunNAfq7r2eZik9LOV8Y5l1Ww7+K1IwlwezxI+Iw18BMFEVn +L9baBY9RFh8v/yrZCBqUc7Prhs3ExU/lnAb05Va7TYeD4RXVmSU0jNXi/przN3y2 +PR7Z3JCm60mFKyp0/Hz2MmS1XPBVBrW4P6g9hH8TZmOHb2mZlK3zDXmil7HKp5DK +UhtMJpPEWV9k5rfP8iijHJnwkPr0ALntMUAAKUyw/6isVtHT6BZLaYsZvRYIm8YY +Mn2RUl74m+XoIhQ8R4mxRcaAHwKKXyeyP5nlAs6TQVb9QJukoRiNDr3g8TwbtT54 +iTswVu+z/a89/YIwJoc6Ud7eCZSDYe6qfuC19TVuledayjjy/ZPMH0ZkNWFWJ3AE +VAvdyvoUuNbmsv42o4AUtpE/1CmDqOjwBRZZbtV4CONCDFpk26o= +=D2ov +-----END PGP SIGNATURE----- |