
CERT RENATER Advisories


Date : Mon, 2 May 2016 14:43:57 +0200
Type : VULN
Subject : CERT-Renater : 2016/VULN183 (NTP : April 2016 NTP-4.2.8p7 Security Vulnerability Announcement)
===================================================================
                                CERT-Renater

                   Information Note No. 2016/VULN183
_____________________________________________________________________

DATE                : 02/05/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running NTP versions prior to 4.2.8p7.

======================================================================
http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
____________________________________________________________________

NTP users are strongly urged to take immediate action to ensure that
their NTP daemons are not susceptible to being used in distributed
denial-of-service (DDoS) attacks. Please also take this opportunity
to defeat denial-of-service attacks by implementing Ingress and Egress
filtering through BCP38.

ntp-4.2.8p7 was released on 26 April 2016. It addresses 11 low- and
medium-severity security issues, 16 bugfixes, and contains other
improvements over 4.2.8p6.
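
Added example (not part of the CERT-Renater or NTP Project text): Python code that triages an inventory of upstream ntpd version banners against the 4.2.8p7 threshold given above. The host names and banners are constructed samples; the `ntpd `/`ntp-` banner prefixes, the `-RC<n>` suffix handling and the status names are assumptions of this example.

```python
import re

FIXED = (4, 2, 8, 7)  # ntp-4.2.8p7, the fixed release named in this advisory

# Upstream-style banners, e.g. "ntpd 4.2.8p6@1.3265-o" or "ntp-4.2.8p7-RC1".
# Anchoring on the "ntpd "/"ntp-" prefix (assumed) keeps IP addresses and
# other dotted numbers on the same line from being read as a version.
_VERSION_RE = re.compile(
    r"\bntpd?[ \-](\d+)\.(\d+)\.(\d+)(?:p(\d+))?(-RC\d+)?", re.I)


def classify(banner):
    """Return 'affected', 'fixed', 'dev-branch' or 'unparsed' for one banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        # Includes distro package strings: vendors backport fixes, so their
        # version numbers must be checked against the vendor advisory instead.
        return "unparsed"
    major, minor, point = (int(g) for g in m.group(1, 2, 3))
    patch = int(m.group(4) or 0)      # "4.2.8" with no pN is patch level 0
    if (major, minor) == (4, 3):
        # 4.3.x development snapshots are outside the advisory's
        # "prior to 4.2.8p7" wording; check them against the NTP notice.
        return "dev-branch"
    version = (major, minor, point, patch)
    if version == FIXED and m.group(5):
        return "affected"             # a release candidate precedes the release
    return "affected" if version < FIXED else "fixed"


def triage(inventory):
    """Map host -> status for a {host: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (not real hosts or captured output).
SAMPLE = {
    "ntp1.example.net": 'version="ntpd 4.2.8p6@1.3265-o Tue Jan 26 2016 (1)"',
    "ntp2.example.net": "ntpd 4.2.8p7@1.3265-o",
    "ntp3.example.net": "ntpd 4.2.6p5",
    "ntp4.example.net": "ntp-4.2.8p7-RC1",
    "ntp5.example.net": "ntpd 4.3.90",
    "ntp6.example.net": "chronyd 2.3",
    "ntp7.example.net": "ntpd 4.2.8",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:20} {status}")
```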


Please see the NTP Security Notice for vulnerability and mitigation details.


April 2016 NTP-4.2.8p7 Security Vulnerability Announcement (Medium)


NTF's NTP Project has been notified of the following low- and
medium-severity vulnerabilities that are fixed in ntp-4.2.8p7,
released on Tuesday, 26 April 2016:

     Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability,
         AKA: refclock-peering
         Reported by Matt Street and others of Cisco ASIG
     Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral
         association attack, AKA: ntp-sybil - MITIGATION ONLY
         Reported by Matthew Van Gundy of Cisco ASIG
     Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will
         cause an assertion botch
         Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
     Bug 3010 / CVE-2016-2517: Remote configuration
         trustedkey/requestkey values are not properly validated
         Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
     Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes
         array wraparound with MATCH_ASSOC
         Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
     Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always
         checked
         Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
     Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
         Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG
     Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY
         Reported by Miroslav Lichvar of Red Hat and separately by
         Jonathan Gardner of Cisco ASIG
     Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by
         the fix for NtpBug2901, AKA: Symmetric active/passive mode is
         broken
         Reported by Michael Tatarinov, NTP Project Developer Volunteer
     Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass,
         AKA: Additional KoD Checks
         Reported by Jonathan Gardner of Cisco ASIG
     Bug 2879 / CVE-2016-1550: Improve NTP security against buffer
         comparison timing attacks, AKA: authdecrypt-timing
         Reported independently by Loganaden Velvindron, and Matthew
         Van Gundy and Stephen Gray of Cisco ASIG.

The following issues already listed above are "Mitigation only" and are
expected to be fully resolved in an upcoming release.

     NtpBug3012 - Sybil vulnerability: ephemeral association attack -
          MITIGATION ONLY
     NtpBug2978 - Interleave pivot - MITIGATION ONLY

The following issues were fixed in earlier releases and contain
improvements in this p7 release:

     NtpBug2936 - Skeleton Key
     NtpBug2901 - Clients that receive a KoD should validate the origin
        timestamp field

Timeline:

     160426: ntp-4.2.8p7 released.
     160418: pre-release patch availability announced to CERT.
     160418: CERT notified.
     160412: pre-release patches sent to authorized NTP Consortium
         members.
     160221: CVE numbers requested from Mitre.
     160219: Initial notification from Qihoo/360. Analysis begins.
     160214: Advance notification sent to authorized NTP Consortium
         members.
     160112: Initial notification from Cisco. Analysis begins.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
