The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of NTP: incorrect usage of OpenSSL EVP_VerifyFinal

Synthesis of the vulnerability 

The NTP server incorrectly uses the EVP_VerifyFinal() function of OpenSSL, which can be used by an attacker to bypass the signature check.
Impacted software: Debian, Fedora, FreeBSD, Mandriva Linux, Mandriva NF, McAfee Email and Web Security, Meinberg NTP Server, NLD, NTP.org, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES.
Severity of this computer vulnerability: 3/4.
Creation date: 07/01/2009.
References of this announcement: CVE-2009-0021, DSA-1702-1, FEDORA-2009-0544, FEDORA-2009-0547, FreeBSD-SA-09:03.ntpd, KB76646, MDVSA-2009:007, ocert-2008-016, RHSA-2009:0046-01, SSA:2009-014-03, SUSE-SR:2009:005, SUSE-SR:2009:008, VIGILANCE-VUL-8374.

Description of the vulnerability 

The NTP server can authenticate packets. In this case, NTP is compiled with OpenSSL.

The EVP_VerifyFinal() function returns:
 - +1 if the signature is valid
 - 0 if the signature is invalid
 - -1 if an unexpected error occurred

However, instead of using:
  if (EVP_VerifyFinal(...) <= 0) error;
NTP uses:
  if (!EVP_VerifyFinal(...)) error;
Because -1 is non-zero, the "!" test is false for it, and unexpected errors are thus handled as valid signatures.
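
The difference between the two checks, as an added example that is not NTP's or OpenSSL's code: verify_stub is a hypothetical stand-in that only reproduces the +1/0/-1 return contract of EVP_VerifyFinal(), and the toy checksum, the sample payload and the error condition are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define SIG_LEN 4
enum { SIG_VALID, SIG_WRONG, SIG_MALFORMED };   /* constructed test inputs */

/* Toy 4-byte checksum standing in for a signature; not cryptography. */
static void toy_sign(const unsigned char *msg, size_t n, unsigned char *out)
{
    memset(out, 0, SIG_LEN);
    for (size_t i = 0; i < n; i++)
        out[i % SIG_LEN] ^= msg[i];
}

/* Hypothetical stand-in with the EVP_VerifyFinal() return contract:
 * 1 = valid, 0 = invalid, -1 = unexpected error. The error condition
 * (a signature of the wrong size) is made up for this demo. */
static int verify_stub(const unsigned char *msg, size_t n,
                       const unsigned char *sig, size_t sig_len)
{
    unsigned char expect[SIG_LEN];
    if (sig_len != SIG_LEN)
        return -1;
    toy_sign(msg, n, expect);
    return memcmp(expect, sig, SIG_LEN) == 0 ? 1 : 0;
}

/* Returns 1 if the packet is accepted, 0 if rejected. */
int run_case(int kind, int use_fixed)
{
    const unsigned char msg[] = "constructed ntp payload";
    unsigned char sig[SIG_LEN];
    size_t sig_len = SIG_LEN;

    toy_sign(msg, sizeof msg, sig);
    if (kind == SIG_WRONG)     sig[0] ^= 0xff;
    if (kind == SIG_MALFORMED) sig_len = SIG_LEN - 1;

    int rc = verify_stub(msg, sizeof msg, sig, sig_len);
    if (use_fixed)
        return (rc <= 0) ? 0 : 1;   /* corrected: only +1 is success */
    return (!rc) ? 0 : 1;           /* flawed: -1 is non-zero, so accepted */
}

int main(void)
{
    const char *name[] = { "valid", "wrong", "malformed" };
    for (int k = SIG_VALID; k <= SIG_MALFORMED; k++)
        printf("%-9s flawed=%d fixed=%d\n", name[k],
               run_case(k, 0), run_case(k, 1));
    return 0;
}
```

Only the third case separates the two checks, which is why testing with valid and simply wrong signatures does not reveal the flaw.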

An attacker can therefore set up a malicious NTP server using an invalid signature.

This vulnerability is similar to VIGILANCE-VUL-8371.

This computer weakness impacts software or systems such as Debian, Fedora, FreeBSD, Mandriva Linux, Mandriva NF, McAfee Email and Web Security, Meinberg NTP Server, NLD, NTP.org, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES.

Our Vigil@nce team determined that the severity of this vulnerability note is important.

The trust level is of type confirmed by the editor, with an origin of internet server.

An attacker with an expert ability can exploit this cybersecurity threat.

Solutions for this threat 

NTP: version 4.2.4p6.
Version 4.2.4p6 is corrected:
  http://www.ntp.org/downloads.html

SPARC: patch for NTP.
A patch is available:
  Netra SPARC T3-1 : 147319-01
  Netra SPARC T3-1B : 147320-01
  SPARC T3-1 : 147315-01
  SPARC T3-1B : 147318-01
  SPARC T3-2 : 147316-01
  SPARC T3-4 : 147317-01

Debian: new ntp packages.
New packages are available:
  http://security.debian.org/pool/updates/main/n/ntp/*_4.2.2.p4+dfsg-2etch1_*.deb

Fedora: new ntp packages.
New packages are available:
  ntp-4.2.4p6-1.fc9
  ntp-4.2.4p6-1.fc10

FreeBSD: patch for ntpd.
A patch is available:
FreeBSD 6.4, 7.1:
  fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch
  fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch.asc
FreeBSD 6.3, 7.0:
  fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch
  fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch.asc

Mandriva: new ntp packages.
New packages are available:
 Mandriva Linux 2008.0: ntp-4.2.4-10.1mdv2008.0
 Mandriva Linux 2008.1: ntp-4.2.4-15.1mdv2008.1
 Mandriva Linux 2009.0: ntp-4.2.4-18.1mdv2009.0
 Corporate 3.0: ntp-4.2.0-2.1.C30mdk
 Corporate 4.0: ntp-4.2.0-21.3.20060mlcs4
 Multi Network Firewall 2.0: ntp-4.2.0-2.1.C30mdk

McAfee Email and Web Security: solution for NTP.
Version 5.6 Patch 5 will be corrected.
The McAfee announcement indicates workarounds.

RHEL 4, 5: new ntp packages.
New packages are available:
Red Hat Enterprise Linux version 4:
  ntp-4.2.0.a.20040617-8.el4_7.1
Red Hat Enterprise Linux version 5:
  ntp-4.2.2p1-9.el5_3.1

Slackware: new ntp packages.
New packages are available:
Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/ntp-4.2.4p6-i386-1_slack8.1.tgz
Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/ntp-4.2.4p6-i386-1_slack9.0.tgz
Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/ntp-4.2.4p6-i486-1_slack9.1.tgz
Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/ntp-4.2.4p6-i486-1_slack10.0.tgz
Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/ntp-4.2.4p6-i486-1_slack10.1.tgz
Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/ntp-4.2.4p6-i486-1_slack10.2.tgz
Slackware 11.0:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/ntp-4.2.4p6-i486-1_slack11.0.tgz
Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ntp-4.2.4p6-i486-1_slack12.0.tgz
Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/ntp-4.2.4p6-i486-1_slack12.1.tgz
Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/ntp-4.2.4p6-i486-1_slack12.2.tgz

Sun SPARC: patch for NTP.
A patch is available for the firmware:
  SPARC T3-4 : 147317-01
  SPARC T3-2 : 147316-01
  SPARC T3-1B : 147318-01
  SPARC T3-1 : 147315-01
  Netra SPARC T3-1B : 147320-01
  Netra SPARC T3-1 : 147319-01
  Netra SPARC T3-1BA : 144609-07

SUSE: new dhcp, ntp/xntp, squid, wireshark, libpng, pam_mount, enscript, eID-belgium, gstreamer-0_10-plugins-good packages.
New packages are available, as indicated in information sources.

SUSE: new multipath-tools, bluez, xntp, apache-mod_php4, apache2-mod_php5, struts, qemu, libsndfile, phpMyAdmin packages.
New packages are available.
