From: Harlan Stenn Date: Mon, 14 Nov 2016 06:03:36 +0000 (-0800) Subject: Merge stenn@psp-deb1.ntp.org:ntp-stable-p9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04f529b9d89775bdf16b3b6e6282eb3657805283;p=thirdparty%2Fntp.git Merge stenn@psp-deb1.ntp.org:ntp-stable-p9 into fb-x86-a.pfcs.com:/usr/home/harlan/src/ntp-stable-p9 bk: 582953b84TIUjZqy_6CEU9njr3dWHA --- 04f529b9d89775bdf16b3b6e6282eb3657805283 diff --cc NEWS index 555098e1a,0f10de2f7..c77b5f47e --- a/NEWS +++ b/NEWS @@@ -9,86 -9,120 +9,137 @@@ In addition to bug fixes and enhancemen following X high- and Y low-severity vulnerabilities: * Trap crash - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 - X References: Sec 3119 / CVE-2016-XXXX / VU#XXXXX - X Affects: ntp-4.2.8p7, and ntp-4.3.92. - X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) - X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - X Summary: - X Mitigation: + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3119 / CVE-2016-XXXX / VU#XXXXX + Affects: ntp-4.0.90 (21 July 1999) uo to but not including 4.2.8p9, + and ntp-4.3.0 up to but not including ntp-4.3.94. + CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) + CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H + Summary: + ntpd does not enable trap service by default. If trap service + has been explicitly enabled, an attacker can send a specially + crafted packet to cause a null pointer dereference that will + crash ntpd, resulting in a denial of service. + Mitigation: Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Use "restrict default noquery ..." in your ntp.conf file. Only + allow mode 6 queries from trusted networks and hosts. + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. 
Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. - X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + Credit: This weakness was discovered by Matthew Van Gundy of Cisco. * Mode 6 information disclosure and DDoS vector - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 - X References: Sec 3118 / CVE-2016-XXXX / VU#XXXXX - X Affects: ntp-4.2.8p7, and ntp-4.3.92. - X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) - X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - X Summary: - X Mitigation: + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3118 / CVE-2016-XXXX / VU#XXXXX + Affects: ntp-4.0.90 (21 July 1999) uo to but not including 4.2.8p9, + and ntp-4.3.0 up to but not including ntp-4.3.94. + CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P) + CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: + An exploitable configuration modification vulnerability exists + in the control mode (mode 6) functionality of ntpd. If, against + long-standing BCP recommendations, "restrict default noquery ..." + is not specified, a specially crafted control mode packet can set + ntpd traps, providing information disclosure and DDoS + amplification, and unset ntpd traps, disabling legitimate + monitoring. A remote, unauthenticated, network attacker can + trigger this vulnerability. + Mitigation: Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Use "restrict default noquery ..." in your ntp.conf file. + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. - X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
+ Credit: This weakness was discovered by Matthew Van Gundy of Cisco. + + * Broadcast Mode Replay Prevention DoS + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3114 / CVE-2016-7427 / VU#XXXXX + Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and + ntp-4.3.90 up to, but not including ntp-4.3.94. + CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) + CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: + The broadcast mode of NTP is expected to only be used in a + trusted network. If the broadcast network is accessible to an + attacker, a potentially exploitable denial of service + vulnerability in ntpd's broadcast mode replay prevention + functionality can be abused. An attacker with access to the NTP + broadcast domain can periodically inject specially crafted + broadcast mode NTP packets into the broadcast domain which, + while being logged by ntpd, can cause ntpd to reject broadcast + mode packets from legitimate NTP broadcast servers. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances, and auto-restart ntpd + (without -g) if it stops running. + Credit: This weakness was discovered by Matthew Van Gundy of Cisco. +* Broadcast Mode Replay Prevention DoS + Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 +X References: Sec 3114 / CVE-2016-XXXX / VU#XXXXX +X Affects: ntp-4.2.8p7, and ntp-4.3.92. +X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) +X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +X Summary: +X Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + If you cannot upgrade from 4.2.8p7, the only other alternatives + are to patch your code or filter CRYPTO_NAK packets. 
+ Properly monitor your ntpd instances, and auto-restart ntpd + (without -g) if it stops running. +X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + * Broadcast Mode Poll Interval Enforcement DoS - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 - X References: Sec 3113 / CVE-2016-XXXX / VU#XXXXX - X Affects: ntp-4.2.8p7, and ntp-4.3.92. - X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) - X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - X Summary: - X Mitigation: + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3113 / CVE-2016-7428 / VU#XXXXX + Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and + ntp-4.3.90 up to, but not including ntp-4.3.94 + CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) + CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: + The broadcast mode of NTP is expected to only be used in a + trusted network. If the broadcast network is accessible to an + attacker, a potentially exploitable denial of service + vulnerability in ntpd's broadcast mode poll interval enforcement + functionality can be abused. To limit abuse, ntpd restricts the + rate at which each broadcast association will process incoming + packets. ntpd will reject broadcast mode packets that arrive + before the poll interval specified in the preceding broadcast + packet expires. An attacker with access to the NTP broadcast + domain can send specially crafted broadcast mode NTP packets to + the broadcast domain which, while being logged by ntpd, will + cause ntpd to reject broadcast mode packets from legitimate NTP + broadcast servers. + Mitigation: Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. 
Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. - X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + Credit: This weakness was discovered by Matthew Van Gundy of Cisco. * Windows: ntpd DoS by oversized UDP packet - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 - X References: Sec 3110 / CVE-2016-XXXX / VU#XXXXX - X Affects: ntp-4.2.8p7, and ntp-4.3.92. - X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) - X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - X Summary: - X Mitigation: + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3110 / CVE-2016-XXXX / VU#XXXXX + Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9, + and ntp-4.3.0 up to, but not including ntp-4.3.94. + CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) + CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + Summary: + If a vulnerable instance of ntpd on Windows receives a crafted + malicious packet that is "too big", ntpd will stop working. + Mitigation: Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. Credit: This weakness was discovered by Robert Pajak
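Review bot: the merged hunk leaves two "* Broadcast Mode Replay Prevention DoS" entries back to back, and the second one is the stale placeholder version (`Date Resolved: xx October 2016`, `X References: Sec 3114 / CVE-2016-XXXX / VU#XXXXX`, `CVSS2: HIGH 7.8`, credit to Miroslav Lichvar, plus the "filter CRYPTO_NAK packets" advice that belongs to an unrelated advisory); it contradicts the completed entry directly above it (CVE-2016-7427, CVSS2 LOW 3.3, credit Matthew Van Gundy) and should be dropped in the merge resolution rather than shipped in NEWS. Also, in the Affects lines of both the Trap crash and Mode 6 entries, "uo to but not including 4.2.8p9" should read "up to". The Mode 6 entry gives CVSS3 `AV:L` while its CVSS2 vector says `AV:A` and its summary states that a remote, unauthenticated network attacker can trigger it; the Replay Prevention entry likewise has CVSS3 `AV:L` where the companion Poll Interval entry uses `AV:A` for the same broadcast-domain attacker, so both vector strings look like copy errors and should be re-derived from the summaries. Finally, the unchanged header still reads "X high- and Y low-severity vulnerabilities", and several entries keep `CVE-2016-XXXX`, `VU#XXXXX` and `ntp-4.?.?`; if those are to be filled in at release time, a visible TODO marker would make it harder to publish them by accident.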