717798 – (CVE-2020-11868, CVE-2020-13817) <net-misc/ntp-4.2.8_p14: Multiple vulnerabilities (CVE-2020-{11868,13817})

Bug 717798 (CVE-2020-11868, CVE-2020-13817) - <net-misc/ntp-4.2.8_p14: Multiple vulnerabilities (CVE-2020-{11868,13817})

Summary: <net-misc/ntp-4.2.8_p14: Multiple vulnerabilities (CVE-2020-{11868,13817})

Status:	RESOLVED FIXED

Alias:	CVE-2020-11868, CVE-2020-13817

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-04-17 05:10 UTC by Sam James
Modified:	2020-07-26 23:45 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2020-15025
Package list:	=net-misc/ntp-4.2.8_p14-r2
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-04-17 05:10:43 UTC

1) CVE-2020-11868 / NTP Bug 3592

"The fix for https://bugs.ntp.org/3445 introduced a bug whereby a system that is running ntp-4.2.8p12 or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim's next poll to its source to be delayed, for as long as the attack is maintained."

URL: http://support.ntp.org/bin/view/Main/NtpBug3592

2) NTP Bug 3596

"A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. The attacker must be able to send and the victim must be able to receive and process a large number of packets with the spoofed IPv4 address of the upstream server. After 8 or more successful attacks in a row, the attacker can either modify the victim's clock by a limited amount or cause ntpd to exit. This attack is most effective in cases where an unusually short poll interval is expressly configured on the victim's ntpd."

https://support.ntp.org/bin/view/Main/NtpBug3596

Comment 1 Sam James archtester

2020-04-17 05:11:15 UTC

@maintainer(s), please advise if ready for stabilisation or call yourself

Comment 2 Sam James archtester

2020-05-02 16:39:11 UTC

acked by Polynomial-C, thanks!

Comment 3 Agostino Sarubbo gentoo-dev

2020-05-03 10:02:32 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2020-05-03 10:13:10 UTC

arm stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-05-03 10:22:41 UTC

s390 stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-05-03 10:25:48 UTC

sparc stable

Comment 7 Sam James archtester

2020-05-04 06:22:39 UTC

arm64 stable

Comment 8 Rolf Eike Beer archtester

2020-05-07 19:49:07 UTC

hppa stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-05-11 16:50:43 UTC

x86 stable

Comment 10 Agostino Sarubbo gentoo-dev

2020-05-13 17:12:56 UTC

ppc stable

Comment 11 Agostino Sarubbo gentoo-dev

2020-05-13 17:14:51 UTC

ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 12 Sam James archtester

2020-06-20 02:14:07 UTC

ping

Comment 13 Larry the Git Cow gentoo-dev

2020-06-23 16:16:38 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbdf99fc6dd829214056d1333d7ec34bf8da89e7

commit fbdf99fc6dd829214056d1333d7ec34bf8da89e7
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-23 16:16:22 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-23 16:16:33 +0000

    net-misc/ntp: Removed old
    
    Bug: https://bugs.gentoo.org/717798
    Package-Manager: Portage-2.3.102, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/ntp/Manifest                       |   2 -
 net-misc/ntp/files/ntp-4.2.8-gc-tests.patch |  41 --------
 net-misc/ntp/ntp-4.2.8_p13-r2.ebuild        | 144 ----------------------------
 net-misc/ntp/ntp-4.2.8_p13.ebuild           | 144 ----------------------------
 4 files changed, 331 deletions(-)

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2020-07-26 23:45:01 UTC

This issue was resolved and addressed in
 GLSA 202007-12 at https://security.gentoo.org/glsa/202007-12
by GLSA coordinator Sam James (sam_c).