Wind River Security Alert for Wind River Linux: several critical NTP vulnerabilities (CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296)
This alert confirms that the following Wind River Linux releases ARE SUSCEPTIBLE to several critical NTP vulnerabilities (CVE-2014-9293 through CVE-2014-9296). The vulnerabilities affect Wind River Linux 2.0.x/3.0.x/4.3.0.x/5.0.1.x/6.0.0.x/7.0.0.x.
Wind River is committed to delivering secure, reliable products and offerings. As part of this commitment, the Wind River Linux Security Response Team is engaged in constant and active threat monitoring, rapid assessment and threat prioritization, response and proactive customer contact, and expedited remediation.
Wind River is closely monitoring the dynamic situation resulting from this issue and will provide additional information (and fixes as required) as the situation changes.
Vulnerabilities description:
=========================
The Network Time Protocol (NTP) provides networked systems with a way to synchronize time for various services and applications. The reference implementation produced by the NTP Project (ntp.org) contains several vulnerabilities.
CWE-332: Insufficient Entropy in PRNG - CVE-2014-9293
If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - CVE-2014-9294
ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.
CWE-121: Stack Buffer Overflow - CVE-2014-9295
A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.
CWE-389: Error Conditions, Return Values, Status Codes - CVE-2014-9296
A section of code in ntpd that handles a rare error is missing a return statement, so processing does not stop when the error is encountered. This situation may be exploitable by an attacker.
The NTP Project provides more information about these issues in their security advisory.
The NTP Project implementation is widely used in operating system distributions and network products. These vulnerabilities affect ntpd acting as a server or client. CERT/CC is not aware of any public exploit of these vulnerabilities at this time.
The CVSS score below is based on the buffer overflow vulnerabilities (CVE-2014-9295).
Solution:
=========
Download and apply the patches for each WRLinux version. We will merge the patches into WRLinux 4.3.0.28/5.0.1.22/6.0.0.16/7.0.0.1.
Apply the patch for Wind River Linux 4.3.0.x
1) Update 4.3 RCPL 27
2) Apply the patches
$ cd /product/wrlinux-4/layers/updates/RCPL-4.3-WRL.0027/wrll-userspace/networking
$ patch -p1 < 0001-ntp-CVE-2014-9296-WRL4.3.patch
$ patch -p1 < 0002-ntp-CVE-2014-9293-WRL4.3.patch
$ patch -p1 < 0003-ntp-CVE-2014-9294-WRL4.3.patch
$ patch -p1 < 0004-ntp-CVE-2014-9295-WRL4.3.patch
Apply the patch for Wind River Linux 5.0.1.x
1) Update to 5.0.1.21
2) Configure project with .. --with-rcpl-version=0021
3) Apply the patches
$ cd project/layers/meta-networking
$ patch -p1 < 0001-ntp-CVE-2014-9296-WRL5.0.1.patch
$ patch -p1 < 0002-ntp-CVE-2014-9293-WRL5.0.1.patch
$ patch -p1 < 0003-ntp-CVE-2014-9294-WRL5.0.1.patch
$ patch -p1 < 0004-ntp-CVE-2014-9295-WRL5.0.1.patch
Apply the patch for Wind River Linux 6.0.0.x
1) Update to 6.0.0.15
2) Configure project with .. --with-rcpl-version=0015
3) Apply the patches
$ cd project/layers/meta-networking
$ patch -p1 < 0001-ntp-CVE-2014-9296-WRL6.0.patch
$ patch -p1 < 0002-ntp-CVE-2014-9293-WRL6.0.patch
$ patch -p1 < 0003-ntp-CVE-2014-9294-WRL6.0.patch
$ patch -p1 < 0004-ntp-CVE-2014-9295-WRL6.0.patch
Apply the patch for Wind River Linux 7.0.0.x
1) Install 7.0
2) Configure project
3) Apply the patches
$ cd project/layers/meta-networking
$ patch -p1 < 0001-ntp-CVE-2014-9296-WRL7.0.patch
$ patch -p1 < 0002-ntp-CVE-2014-9293-WRL7.0.patch
$ patch -p1 < 0003-ntp-CVE-2014-9294-WRL7.0.patch
$ patch -p1 < 0004-ntp-CVE-2014-9295-WRL7.0.patch
Wind River Linux 2.0.x/3.0.x are End of Life (EOL); please contact Wind River Support at +1-800-872-4977 or your local Wind River representative for the Wind River Linux 2.0.x/3.0.x fix.
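
The per-release patch steps above all follow the same pattern, so they can be wrapped in one helper that rehearses the four-patch series on a scratch copy of the layer before touching the real tree, avoiding a half-patched ntp recipe if one patch fails. This is an added example, not Wind River tooling: the function name apply_ntp_patches and the patch directory argument are assumptions, and it assumes GNU patch, mktemp and cp on the build host.

```shell
#!/bin/sh
# Added example (not Wind River tooling). apply_ntp_patches is a hypothetical
# helper; assumes GNU patch, mktemp and cp are available on the build host.
#
# usage: apply_ntp_patches <layer_dir> <patch_dir> <suffix>
#   e.g. apply_ntp_patches project/layers/meta-networking ./patches WRL6.0
apply_ntp_patches() {
    # Resolve to absolute paths, because patch is run from other directories.
    layer=$(cd "$1" && pwd) || return 2
    pdir=$(cd "$2" && pwd) || return 2
    suffix=$3

    # Patch order and file-name stems exactly as listed in the alert.
    set -- 0001-ntp-CVE-2014-9296 0002-ntp-CVE-2014-9293 \
           0003-ntp-CVE-2014-9294 0004-ntp-CVE-2014-9295

    # 1. Every patch file must exist before anything is modified.
    for p in "$@"; do
        [ -f "$pdir/$p-$suffix.patch" ] || {
            echo "missing patch: $p-$suffix.patch" >&2; return 2; }
    done

    # 2. Rehearse the whole series on a scratch copy. Later patches may build
    #    on earlier ones, so a --dry-run of each patch against the untouched
    #    tree would not be a valid test.
    scratch=$(mktemp -d) || return 3
    cp -R "$layer/." "$scratch/" || { rm -rf "$scratch"; return 3; }
    for p in "$@"; do
        if ! (cd "$scratch" && patch -p1 -f -s < "$pdir/$p-$suffix.patch") >/dev/null 2>&1
        then
            echo "rehearsal failed at $p-$suffix.patch; layer left untouched" >&2
            rm -rf "$scratch"; return 1
        fi
    done
    rm -rf "$scratch"

    # 3. The series is known to apply cleanly; now patch the real layer.
    for p in "$@"; do
        (cd "$layer" && patch -p1 -f -s < "$pdir/$p-$suffix.patch") || return 1
    done
    echo "applied $# NTP patches ($suffix) in $layer"
}
```

A non-zero return on a second run is expected: the rehearsal fails because the series is already applied, and no .rej files are left in the layer.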