[Sec-cert] [Sun] Vulnerabilities in the NTP daemon before version 4.2.4p8 - Sun Alert 275590

WiN Site Security Contacts win-sec-ssc at lists.dfn-cert.de
Fri Jan 15 14:08:30 CET 2010



Dear colleagues,

we have just received the following Sun Security Advisory. We are
passing this information on to you unchanged.


NTP mode 7 (MODE_PRIVATE) packets are used by the ntpdc program
(ntpq uses mode 6 (MODE_CONTROL)).


CVE-2009-3563 - Incorrect response to mode 7 packets by ntpd

  The NTP daemon (ntpd) answers a malformed mode 7 packet with a mode 7
  error message of its own, sent back to the sender. By spoofing the IP
  address, an attacker can remotely cause two NTP daemons to keep sending
  each other new mode 7 packets. This consumes network bandwidth and,
  through the logging of messages, CPU time on the affected systems, and
  can be abused for a denial-of-service attack.

The following software packages and platforms are affected:

  ntpd(1M)
  xntpd(1M)

  SPARC platform
  * Solaris 8
  * Solaris 9 without Interim Fix IDR143831-01
  * Solaris 10 without Interim Fix IDR143833-01 (xntpd) and IDR143834-01 (ntpd)
  * OpenSolaris based on builds snv_01 or later

  x86 platform
  * Solaris 8
  * Solaris 9 without Interim Fix IDR143832-01
  * Solaris 10 without Interim Fix IDR143834-01 (xntpd) and IDR143836-01 (ntpd)
  * OpenSolaris based on builds snv_01 or later

The vendor provides revised packages.

Vendor advisory:
  http://sunsolve.sun.com/search/document.do?assetkey=1-66-275590-1


(c) for the German summary held by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
		Klaus Moeller, DFN-CERT

-- 
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

17th DFN Workshop    "Sicherheit in vernetzten Systemen"    09./10.02.2010
Information at https://www.dfn-cert.de/veranstaltungen/workshop.html

Alert URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-275590-1
Sun Security Alert: 275590

   A Security Vulnerability in the ntp Daemon (xntpd(1M)) May Lead to a
   Denial of the Solaris Network Time Protocol(NTP) Service
    __________________________________________________________________

   Category : Security
   Release Phase : Workaround
   Bug Id : 6902029
   Product : Solaris 8 Operating System
   Solaris 9 Operating System
   Solaris 10 Operating System
   OpenSolaris
   Date of Workaround Release : 13-Jan-2010

1. Impact

   A Security Vulnerability in the ntp Daemon (xntpd(1M)) associated with
   the handling of NTP mode 7 (MODE_PRIVATE), may lead to consumption of
   CPU and excessive logging resulting in a denial of the Solaris Network
   Time Protocol (NTP) Service.

   This issue is also described in the following documents:
    CVE-2009-3563 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
    US-CERT Vulnerability Note VU#568372 at http://www.kb.cert.org/vuls/id/568372

2. Contributing Factors

   This issue can occur in the following releases:
   SPARC Platform
     * Solaris 8
     * Solaris 9
     * Solaris 10
     * OpenSolaris based upon builds snv_01 or later

   x86 Platform
     * Solaris 8
     * Solaris 9
     * Solaris 10
     * OpenSolaris based upon builds snv_01 or later

   Note: Only systems running as an NTP server are impacted by this issue.
   To determine if a system is acting as an NTP server, execute the
   following command:
         $ netstat -an | grep 123
        *.123           Idle
        127.0.0.1.123   Idle

   If the output of the command contains the above two lines, then the
   system is running an NTP server.

   Note: OpenSolaris distributions may include additional bug fixes above
   and beyond the build from which it was derived. The base build can be
   derived as follows:
            $ uname -v
            snv_101

   Note: Solaris 8 entered EOSL Phase 2 on 1 April 2009. Entitlement to
   patches developed on or after 1 April 2009 requires the purchase of
   the Solaris 8 Vintage Patch Service.
   See Note in section 5 for more details.

3. Symptoms

   If this issue occurs, then the ntpd or xntpd process will use an
   abnormal amount of system cycles. Also, an excessive number of MODE 7
   NTP packets will be seen on the network.

4. Workaround:

   To avoid being vulnerable to this issue until patches can be employed,
   add the following line to the /etc/inet/ntp.conf file:
        restrict default noquery

   And then restart the NTP process.

   For OpenSolaris and Solaris 10 prior to Update 8, do the following:
        $ svcadm restart svc:/network/ntp:default

   For Solaris 10 update 8 and later, do the following:
        $ svcs -a | grep ntp

   The above command will show one NTP service enabled. Use the FMRI from
   the enabled service to restart. This will be either
   svc:/network/ntp:default or svc:/network/ntp4:default
        $ svcadm restart svc:/network/ntp:default
   or
        $ svcadm restart svc:/network/ntp4:default

   For Solaris 9 and earlier, do the following:
        $ cd /etc/init.d
        $ sh xntpd stop
        $ sh xntpd start

   This workaround will prevent the NTP server from responding to any
   mode 6 or mode 7 packets. These are the types of packets used by the
   ntpq, ntpq4, xntpdc and ntpdc programs, so these programs will no
   longer be able to contact the NTP server.

   You can allow these programs to work from individual systems by adding
   a restrict line to the ntp.conf file that allows that system again.
   Using its IP address, add a line like this:
        restrict <ip-addr-of-system>

   Then restart the NTP service as described above.

   Be aware that if the system you are allowing is itself an NTP server,
   you will defeat the workaround and again be vulnerable.
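
   The following script is an added example, not part of the Sun alert. It
   checks an ntp.conf for the "restrict default noquery" workaround and lists
   per-host restrict lines that allow mode 6/7 queries again. The function
   name audit_ntp_conf and the sample addresses are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an ntp.conf for the workaround.
# Exit status of audit_ntp_conf FILE:
#   0  default restriction carries noquery (or ignore), no per-host exceptions
#   1  workaround missing
#   2  workaround present, but some hosts may query again (review them)
# Simplification: -4/-6 prefixes are skipped, so IPv4 and IPv6 defaults are
# not told apart.
audit_ntp_conf() {
    awk '
    { sub(/#.*/, "") }                          # drop comments
    $1 != "restrict" { next }
    {
        i = 2
        if ($i == "-4" || $i == "-6") i++       # address-family prefix
        addr = $i; blocked = 0
        for (j = i + 1; j <= NF; j++) {
            if ($j == "mask") { j++; continue } # skip the mask value
            if ($j == "noquery" || $j == "ignore") blocked = 1
        }
        if (addr == "default") { if (blocked) have_default = 1 }
        else if (!blocked) {
            n++
            print "EXCEPTION line " NR ": " addr " may send mode 6/7 queries"
        }
    }
    END {
        if (!have_default) { print "MISSING: restrict default noquery"; exit 1 }
        if (n) { print "REVIEW: " n " host(s) exempted; none may be an NTP server"; exit 2 }
        print "OK: mode 6/7 queries refused by default"
    }' "$1"
}

# Constructed sample configuration (addresses from the documentation range).
sample=${TMPDIR:-/tmp}/ntp.conf.sample.$$
cat > "$sample" <<'EOF'
server 192.0.2.10
restrict default noquery
restrict 192.0.2.25          # admin workstation, allowed to use ntpq/ntpdc
restrict 192.0.2.0 mask 255.255.255.0 noquery nomodify
EOF
audit_ntp_conf "$sample" || echo "audit_ntp_conf exit status: $?"
rm -f "$sample"
```

   On a live system, run it against /etc/inet/ntp.conf and check every
   reported exception against the list of hosts that run an NTP server.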

   Interim Security Relief (ISR) is available from
   http://sunsolve.sun.com/tpatches for the following releases:
   SPARC Platform
     * Solaris 9 IDR143831-01
     * Solaris 10 IDR143833-01 (xntpd) and IDR143834-01 (ntpd)

   x86 Platform
     * Solaris 9 IDR143832-01
     * Solaris 10 IDR143834-01 (xntpd) and IDR143836-01 (ntpd)

   Interim Security Relief (ISR) is available via the normal support
   channels for OpenSolaris.

   Interim Security Relief (ISR) for the Solaris 8 OS is available via
   normal support channels for customers who have purchased the Solaris 8
   Vintage Patch Service (see Note in section 5).

   Note: This document refers to one or more Interim Security Relief
   (ISRs) which are designed to address the concerns identified herein.
   Sun has limited experience with these (ISRs) due to their interim
   nature. As such, you should only install the ISRs on systems meeting
   the configurations described above. Sun may release full patches at a
   later date, however, Sun is under no obligation whatsoever to create,
   release, or distribute any such patch.

5. Resolution

   A final resolution is pending completion.

   Note: The READMEs of Solaris 8 patches developed on or after 1 April
   2009 are available to all customers however Solaris 8 entered EOSL
   Phase 2 on April 1, 2009 and thus entitlement for these patches,
   including those that fix security vulnerabilities, requires the
   purchase of the Solaris 8 Vintage Patch Service. More information
   about the Solaris 8 Vintage Patch Service is available at:

   http://www.sun.com/service/eosl/Solaris8.html

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
   ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
   OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
   Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.





