News from 2015-03-06


Meinberg Security Advisory: [MBGSA-1501] NTP, OpenSSL and GLIBC Vulnerabilities


The NTP Public Services Project (www.ntp.org) recently announced that the reference implementation of NTP contains a number of security-related bugs affecting all NTP 4.x versions before 4.2.8p1.

The OpenSSL project released OpenSSL Version 0.9.8ze to address a number of vulnerabilities.

In addition, Qualys and others released security advisories regarding a vulnerability in the GNU C library (glibc), and a second glibc vulnerability was published by US-CERT on Feb 24, 2015.


CVE-IDs:

[NTP]: CVE-2014-9293 CVE-2014-9297 CVE-2014-9298
[GLIBC]: CVE-2014-9402 CVE-2015-0235
[OPENSSL]: CVE-2014-3571 CVE-2014-3569 CVE-2014-3572 CVE-2015-0204 CVE-2014-8275 CVE-2014-3570
(at the time this MBGSA was published, some of the above listed CVEs were not yet available from MITRE or NVD)

1. Description of the Problem

The versions of the NTP reference implementation and of the GNU C library (glibc) installed on LANTIME firmware appliances contain several bugs that lead to security vulnerabilities. In addition, the OpenSSL project announced that a number of vulnerabilities have been identified in the OpenSSL library and utilities.

While most of the NTP vulnerabilities have already been fixed in current versions of the Meinberg LANTIME firmware, two new ones (CVE-2014-9297 and CVE-2014-9298) were published only recently; the NTP Public Services Project has fixed them in the latest NTP release, 4.2.8p1. Most of the reported NTP issues only affect systems that have the so-called Autokey feature enabled. Because Autokey has been found to have structural security flaws and is therefore not considered a secure way of protecting NTP traffic, Meinberg recommends leaving this feature disabled wherever possible.

Another vulnerability (CVE-2014-9298) concerns spoofed IPv6 NTP packets with the source address ::1: because ntpd treated such packets as coming from the local host, an attacker could bypass access restrictions ("restrict" rules) that apply to other addresses.

The glibc vulnerability in the "__nss_hostname_digits_dots" function, which is reachable through gethostbyname() and gethostbyname2(), allows attackers to execute arbitrary code under certain circumstances. It has been dubbed "GHOST"; the corresponding CVE-2015-0235 was released on Jan 28, 2015.

On Feb 24, 2015 another glibc CVE (CVE-2014-9402) was published. The vulnerability it describes is caused by the "getanswer_r" library function and can cause a denial of service by forcing the software into an infinite loop.

2. Affected Systems

All LANTIME firmware versions before V6.16.008, and all firmware versions from 6.17.001 to 6.17.005, are affected by these vulnerabilities.

According to the information we received from the NTP maintainers, all NTP 4.x versions before 4.2.8p1 are affected by the NTP-related vulnerabilities.

3. Possible Defense Strategies

Meinberg Products

The fixes for all vulnerabilities mentioned above have been backported by Meinberg. For the 6.16 firmware line they are included in 6.16.008, which is available as of today; for 6.17 systems they are included in 6.17.006, which will be released on March 13, 2015.

Meinberg LANTIME Firmware Updates

To protect LANTIME systems that cannot be updated to V6.16.008, we recommend disabling Autokey using the Web UI of your LANTIME systems and setting up firewall protection to prevent or limit access from untrusted networks. Please note that the Autokey feature is disabled by default and therefore only needs to be disabled again if it had been actively enabled.

We did not identify an attack vector for the glibc vulnerabilities other than triggering the use of the gethostbyname() function from a CLI shell. Access to such a shell is only possible for Super User accounts, and a user who already holds those privileges gains nothing practical by exploiting the vulnerability. The fixes for these vulnerabilities have nevertheless been backported as a precaution.

Other NTP Installations

If updating your NTP installation to 4.2.8p1, or to a patched version provided by your OS vendor, is not possible, you can disable Autokey (if it is enabled in your configuration) by removing or commenting out all configuration directives starting with the crypto keyword in your ntp.conf file.

To protect against source address spoofing of IPv6 packets, you can add a firewall rule to your OS that drops all packets with the source address ::1 entering the system on any interface except the loopback interface (e.g. 'lo' on most Linux systems). Some OS vendors may already offer a security patch for this.
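The two workarounds above (commenting out the crypto directives and dropping spoofed ::1 packets), as an added example that is not part of the Meinberg advisory or of the NTP project's own tooling. It assumes a POSIX shell with awk, sed and mktemp, a Linux host with ip6tables for the firewall rule, and that 'ntpd --version' prints a line beginning with "ntpd <version>". The ntp.conf it rewrites is constructed for the demonstration, and it goes slightly beyond the text by also checking an ntp.org release string against 4.2.8p1.

```shell
#!/bin/sh
# Added example, not from the Meinberg advisory or the NTP project:
# mitigations for an ntpd host that cannot be upgraded to 4.2.8p1.
# Assumes POSIX sh + awk/sed/mktemp; ip6tables only for the "apply" path.

# Exit 0 if an ntp.org release string (e.g. "4.2.6p5") is older than 4.2.8p1.
# A release without a "pN" suffix (e.g. "4.2.8") sorts before its first
# patch level, so it is reported as vulnerable.
ntp_version_vulnerable() {
    printf '%s\n' "$1" | awk -F'[.p]' '{
        v     = (($1 * 1000 + $2) * 1000 + $3) * 1000 + (NF >= 4 ? $4 : 0)
        fixed = ((4 * 1000 + 2) * 1000 + 8) * 1000 + 1
        rc = (v < fixed) ? 0 : 1
        exit rc
    }'
}

# Version string of the running ntpd, or "" if ntpd is not installed.
# Assumption: "ntpd --version" prints "ntpd 4.2.8p10@1.3728-o ..." style output.
installed_ntp_version() {
    ntpd --version 2>&1 | sed -n 's/^ntpd \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Exit 0 if ntp.conf still carries an active Autokey ("crypto ...") directive.
# Only the first whitespace-separated token counts, so "#crypto" and
# "# crypto" (already commented out) are ignored.
autokey_enabled() {
    awk '$1 == "crypto" { found = 1 } END { rc = found ? 0 : 1; exit rc }' "$1"
}

# Comment out every active Autokey directive in place, keeping a .bak copy.
disable_autokey() {
    conf="$1"
    cp "$conf" "$conf.bak"
    awk '
        $1 == "crypto" { sub(/^[ \t]*/, ""); print "# " $0 "  # Autokey disabled (MBGSA-1501)"; next }
        { print }
    ' "$conf.bak" > "$conf"
}

# ip6tables rule dropping packets that claim the loopback source ::1 but did
# not arrive on the loopback interface (the CVE-2014-9298 spoofing case).
# Prints the command by default; pass "apply" as the 2nd argument to run it
# (needs root on a Linux host).
loopback_spoof_rule() {
    lo_if="${1:-lo}"
    cmd="ip6tables -I INPUT ! -i $lo_if -s ::1/128 -j DROP"
    if [ "${2:-print}" = "apply" ]; then
        $cmd
    else
        printf '%s\n' "$cmd"
    fi
}

# --- demonstration on a constructed ntp.conf (not a real LANTIME config) ---
demo=$(mktemp -d)
cat > "$demo/ntp.conf" <<'EOF'
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict ::1
crypto pw hunter2
   crypto randfile /dev/urandom
# crypto host was disabled earlier
EOF

for v in 4.2.6p5 4.2.8 4.2.8p1 4.2.8p2; do
    if ntp_version_vulnerable "$v"; then echo "$v: update to 4.2.8p1"; else echo "$v: ok"; fi
done
if autokey_enabled "$demo/ntp.conf"; then
    disable_autokey "$demo/ntp.conf"
    echo "Autokey directives commented out; original kept as $demo/ntp.conf.bak"
fi
loopback_spoof_rule lo          # print the rule; add "apply" to load it as root
rm -rf "$demo"
```

On a live host, run 'installed_ntp_version' and feed the result to 'ntp_version_vulnerable' before touching the configuration; note that vendor-patched packages keep the old version number, so a "vulnerable" result is a prompt to check the changelog, not proof. The unrestricted 'restrict ::1' line in the sample is exactly the kind of rule the ::1 spoofing bug lets an attacker reach, which is why the firewall rule is placed in front of ntpd rather than relying on ntp.conf alone.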

NOTE: For the meaning of the configuration statements used in this article, please refer to http://doc.ntp.org. The configuration examples provided here should work with all ntpd versions from 4.2.0 to 4.2.8, with the obvious limitation that the IPv6-related configuration lines only work with versions that support IPv6.

4. Additional Information Sources

More about this topic can be found on the following websites:

Security Notice of the NTP Public Services Project
Vulnerability Note for NTP published by the National Vulnerability Database
Vulnerability Note for GLIBC published by the National Vulnerability Database
Security Advisory published by the OpenSSL Project

Please do not hesitate to reach out to your Meinberg support contact if you need further assistance or have additional questions.

