NTP contains a vulnerability in the handling of mode 7 requests, which can result in a denial-of-service condition.
NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address that is not listed in a "
restrict ... noquery" or "
restrict ... ignore" segment, ntpd will reply with a mode 7 error response and log a message.
If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.
If an attacker spoofs an address of ntpd host A in a mode 7 response packet sent to ntpd host A, then host A will respond to itself endlessly, consuming CPU and logging excessively.
A remote, unauthenticated attacker may be able to cause a denial-of-service condition on a vulnerable NTP server.
Apply an update
This issue is addressed in NTP 4.2.4p8. Please check with your vendor for an update, or you may download NTP 4.2.4p8 from ntp.org.
Configure NTP to limit source addresses
By using "
restrict ... noquery" or "
restrict ... ignore" entries in the
ntp.conf file, ntpd can be configured to limit the source addresses to which it will respond.
Filter NTP mode 7 packets that specify source and destination port 123
In most cases, ntpdc mode 7 requests will have either a source or destination port of 123, but not both.
Use anti-spoofing IP address filters
RFC 2827 (BCP 38) describes network ingress filtering, which can prevent UDP traffic claiming to be from a local address from entering your network from an outside source. Some ISPs may employ unicast reverse path filtering (uRPF) to limit the spoofed traffic that can enter your network.
Vendor| Status| Date Notified| Date Updated
Apple Inc.| | 26 Oct 2009| 27 Oct 2009
Cisco Systems, Inc.| | 26 Oct 2009| 13 Dec 2009
Debian GNU/Linux| | 26 Oct 2009| 08 Dec 2009
Gentoo Linux| | 26 Oct 2009| 10 Dec 2009
Meinberg Funkuhren GmbH & Co. KG| | -| 16 Dec 2009
QNX Software Systems Inc.| | 26 Oct 2009| 07 Dec 2009
Red Hat, Inc.| | 26 Oct 2009| 08 Dec 2009
Sun Microsystems, Inc.| | 26 Oct 2009| 22 Jan 2010
The SCO Group| | 26 Oct 2009| 29 Oct 2009
Ubuntu| | 26 Oct 2009| 09 Dec 2009
Computer Associates| | 26 Oct 2009| 27 Apr 2010
Extreme Networks| | 26 Oct 2009| 03 Feb 2010
Force10 Networks, Inc.| | 26 Oct 2009| 22 Jul 2011
Microsoft Corporation| | 26 Oct 2009| 05 Apr 2010
PePLink| | 26 Oct 2009| 04 Dec 2009
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to Harlan Stenn for reporting this vulnerability.
This document was written by Will Dormann, based on information provided by Harlan Stenn.