(uncommon) conditions; if:
- remote configuration of ntpd is enabled (it's disabled by default),
- and an attacker knows the remote configuration password,
- and has access to a computer that is allowed to send remote configuration
requests to ntpd,
the attacker can send a carefully-crafted packet to ntpd that will cause ntpd
to crash.
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
CVE-2015-1798 "When ntpd is configured to use a symmetric key to authenticate a
remote NTP server/peer, it checks if the NTP message authentication code (MAC)
in received packets is valid, but not if there actually is any MAC included."
CVE-2015-1799 "An attacker knowing that NTP hosts A and B are peering with each
other (symmetric association) can send a packet to host A with source address
of B which will set the NTP state variables on A to the values sent by the
attacker. Host A will then send on its next poll to B a packet with originate
timestamp that doesn't match the transmit timestamp of B and the packet will be
dropped. If the attacker does this periodically for both hosts, they won't be
able to synchronize to each other."
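
The missing check described for CVE-2015-1798, as an added example (not code from ntpd or from this port). It is a simplified model: the function names, the key table and the sample packets are constructed for illustration, and the MAC layout is assumed to be a 32-bit key ID followed by MD5(key || header).

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48                      # fixed NTP header, no extension fields
MAC_LEN = 4 + 16                     # assumed layout: key ID + MD5 digest
KEYS = {1: b"constructed-demo-key"}  # constructed key table
HEADER = bytes([0x24]) + bytes(47)   # constructed header: VN=4, mode=4

def make_mac(key_id, key, header):
    """Build the trailer: key ID followed by MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def mac_state(packet, keys):
    """Classify the bytes after the header as 'none', 'ok' or 'bad'."""
    if len(packet) < HEADER_LEN:
        return "bad"
    trailer = packet[HEADER_LEN:]
    if not trailer:
        return "none"
    if len(trailer) != MAC_LEN:
        return "bad"
    key = keys.get(struct.unpack("!I", trailer[:4])[0])
    if key is None:
        return "bad"
    expected = hashlib.md5(key + packet[:HEADER_LEN]).digest()
    return "ok" if hmac.compare_digest(expected, trailer[4:]) else "bad"

def accept_flawed(packet, keys, peer_key_id):
    """Rejects only an invalid MAC, so a packet with no MAC passes."""
    return mac_state(packet, keys) != "bad"

def accept_fixed(packet, keys, peer_key_id):
    """A peer configured with a key must present a valid MAC made with it."""
    state = mac_state(packet, keys)
    if peer_key_id is None:          # association without authentication
        return state != "bad"
    if state != "ok":                # 'none' is a failure here, not a pass
        return False
    sent_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    return sent_id == peer_key_id

if __name__ == "__main__":
    signed = HEADER + make_mac(1, KEYS[1], HEADER)
    for name, pkt in (("signed", signed), ("no MAC", HEADER)):
        print(name, accept_flawed(pkt, KEYS, 1), accept_fixed(pkt, KEYS, 1))
```
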
- Weak default key in config_auth() - CVE-2014-9293
- non-cryptographic random number generator with weak seed used by
ntp-keygen to generate symmetric keys - CVE-2014-9294
- Buffer overflow in crypto_recv() - CVE-2014-9295
- Buffer overflow in ctl_putdata() - CVE-2014-9295
- Buffer overflow in configure() - CVE-2014-9295
- receive(): missing return on error - CVE-2014-9296
ok naddy@
the base system's openntpd.
Update removes a reflected unauthenticated DoS attack vector that has
been hit a lot in the wild recently, see http://www.openntpproject.org/
UDP traffic amplification 19x.
This is a devel version from upstream, they have decided not to fix it in
the stable branch. Users running older versions should add "disable monitor"
to their config and restart, then verify that "monlist" in ntpdc does not
return a list.
ok aja@, missing build dep spotted by naddy
* check return of RAND_file_name better; allows ntp-genkeys to continue
if a seed file is not found.
* regen configure patch
* quote package comments
* files/md5 -> distinfo