000033213 - RSA Authentication Manager 8.x Security Vulnerabilities for NTPD - False Positive

Document created by RSA Customer Support Employee on Jun 14, 2016
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000033213
Applies ToRSA Product Set: RSA Authentication Manager
RSA Version/Condition: 8.x
CVE IDCVE-2015-7704, CVE-2016-1547, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519
Article SummaryInformation requested by RSA Customer Support regarding the impact of certain vulnerabilities announced by the ntp.org open source development group in April 2016.
The reported vulnerabilities discussed are:
CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken
- CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
- CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY
- CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timi-ng
- CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering
- CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
- CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated
- CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
- CVE-2016-2519: ctl_getitem() return value not always checked
Additional information is available at ntp.org.
 
Link to Advisories
http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7704
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1547
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1549
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1550
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1551
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2516
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2517
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2518
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2519
 
Alert ImpactNot Exploitable
Technical DetailsThe flaw exists but it is not exploitable
Technical Details Explanation

Information is from http://support.ntp.org/bin/view/Main/SecurityNotice


CVE-2016-1551

NTP Bug 3020 Refclock impersonation vulnerability

  • Affects: On a very limited number of OSes, all NTP releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92. By "very limited number of OSes" we mean no general-purpose OSes have yet been identified that have this vulnerability.
  • Summary: While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock.
  • CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
    Response: The flaw exists but is not exploitable.

Impacts network time servers. The AM appliance is a client not a time server.


CVE-2016-1549

NTP Bug 3012 Sybil vulnerability: ephemeral association attack

  • Summary: ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer – i.e. one where the attacker knows the private symmetric key – can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock.
  • CVSS3: MED 5.3 - (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

Response: The flaw exists but is not exploitable.

Impacts network time servers. The AM appliance is a client not a time server.


CVE-2016-2516

NTP Bug 3011 Duplicate IPs on unconfig directives will cause an assertion botch in ntpd

  • Summary: If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and if an existing association is unconfigured using the same IP twice on the unconfig directive line, ntpd will abort.
  • CVSS3: MED 4.2 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)

Response: The flaw exists but is not exploitable.

While the ntpdc command is available locally, the exploit requires that ntpd be “expressly configured to allow for remote configuration” and it is not.


CVE-2016-2517

NTP Bug 3010 remote configuration trustedkey/requestkey/controlkey values are not properly validated

  • Summary: If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted.
  • CVSS3: MED 4.2 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)

Response: The flaw exists but is not exploitable.

While the ntpdc command is available locally, the exploit requires that ntpd be “expressly configured to allow for remote configuration” and it is not.


CVE-2016-2518

NTP Bug 3009 Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC

  • Summary: Using a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference.
  • CVSS3: LOW 2.0 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)

Response: The flaw exists but is not exploitable.

Impacts network time servers. The AM appliance is a client not a time server.


CVE-2016-2519

NTP Bug 3008 ctl_getitem() return value not always checked

  • Summary: ntpq and ntpdc can be used to store and retrieve information in ntpd. It is possible to store a data value that is larger than the size of the buffer that the ctl_getitem() function of ntpd uses to report the return value. If the length of the requested data value returned by ctl_getitem() is too large, the value NULL is returned instead. There are 2 cases where the return value from ctl_getitem() was not directly checked to make sure it's not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in ntpd that would exceed this buffer length. But if one has permission to store values and one stores a value that is "too large", then ntpd will abort if an attempt is made to read that oversized value.
  • CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Response: The flaw exists but does not add an additional security risk

While the vulnerability claims that it is exploitable from a network, in AM, NTPD is not setup to allow network configuration, so this would need to be a local attack. The commands exist locally and could be run by the appliance administrator (who is a privileged user and the only user who can log in to the AM appliance). Apparently, if this an administrator could store certain value in ntpd via one of the admin commands and then get the NTPD server to access the value, the NTPD server could abort. (Note that these commands are not supported for use on the appliance which performs NTPD admin via the operations console).


CVE-2016-1547

NTP Bug 3007 CRYPTO-NAK DoS

  • Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an off-path attacker can cause a preemptible client association to be demobilized by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled.

Furthermore, if the attacker keeps sending crypto NAK packets, for example one every second, the victim never has a chance to re-establish the association and synchronize time with that legitimate server.

  • CVSS3: LOW 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Response: The flaw exists but is not exploitable.

The AM appliance is a client but not configured as a preemptible client.


CVE-2015-7704

NTP Bug 2952 Original fix for NTP Bug 2901 broke peer associations

  • Summary: The fix for NtpBug2901 in ntp-4.2.8p4 went too far, breaking peer associations.

Response: The flaw exists but is not exploitable.

Impacts network time servers. The AM appliance is a client not a time server.


CVE-2016-1550

NTP Bug 2879 Improve NTP security against buffer comparison timing attacks

  • Summary: Packet authentication tests have been performed using memcmp() or possibly bcmp(), and it is potentially possible for a local or perhaps LAN-based attacker to send a packet with an authentication payload and indirectly observe how much of the digest has matched.
  • CVSS3: MED 4.0 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Response: The flaw exists but is not exploitable.

Impacts network time servers. The AM appliance is a client not a time server.


 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Attachments

    Outcomes