NTP mode 7 denial-of-service vulnerability

2009-12-08T00:00:00
ID VU:568372
Type cert
Reporter CERT
Modified 2011-07-22T00:00:00

Description

Overview

NTP contains a vulnerability in the handling of mode 7 requests, which can result in a denial-of-service condition.

Description

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address that is not listed in a "restrict ... noquery" or "restrict ... ignore" segment, ntpd will reply with a mode 7 error response and log a message.

If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.

If an attacker spoofs an address of ntpd host A in a mode 7 response packet sent to ntpd host A, then host A will respond to itself endlessly, consuming CPU and logging excessively.


Impact

A remote, unauthenticated attacker may be able to cause a denial-of-service condition on a vulnerable NTP server.


Solution

Apply an update
This issue is addressed in NTP 4.2.4p8. Please check with your vendor for an update, or you may download NTP 4.2.4p8 from ntp.org.


Configure NTP to limit source addresses

By using "restrict ... noquery" or "restrict ... ignore" entries in the ntp.conf file, ntpd can be configured to limit the source addresses to which it will respond.

Filter NTP mode 7 packets that specify source and destination port 123

In most cases, ntpdc mode 7 requests will have either a source or destination port of 123, but not both.

Use anti-spoofing IP address filters

RFC 2827 (BCP 38) describes network ingress filtering, which can prevent UDP traffic claiming to be from a local address from entering your network from an outside source. Some ISPs may employ unicast reverse path filtering (uRPF) to limit the spoofed traffic that can enter your network.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Apple Inc.| | 26 Oct 2009| 27 Oct 2009
Cisco Systems, Inc.| | 26 Oct 2009| 13 Dec 2009
Debian GNU/Linux| | 26 Oct 2009| 08 Dec 2009
Gentoo Linux| | 26 Oct 2009| 10 Dec 2009
Meinberg Funkuhren GmbH & Co. KG| | -| 16 Dec 2009
QNX Software Systems Inc.| | 26 Oct 2009| 07 Dec 2009
Red Hat, Inc.| | 26 Oct 2009| 08 Dec 2009
Sun Microsystems, Inc.| | 26 Oct 2009| 22 Jan 2010
The SCO Group| | 26 Oct 2009| 29 Oct 2009
Ubuntu| | 26 Oct 2009| 09 Dec 2009
Computer Associates| | 26 Oct 2009| 27 Apr 2010
Extreme Networks| | 26 Oct 2009| 03 Feb 2010
Force10 Networks, Inc.| | 26 Oct 2009| 22 Jul 2011
Microsoft Corporation| | 26 Oct 2009| 05 Apr 2010
PePLink| | 26 Oct 2009| 04 Dec 2009
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <https://support.ntp.org/bugs/show_bug.cgi?id=1331>
  • <http://tools.ietf.org/html/rfc2827>
  • <http://tools.ietf.org/html/rfc3704>
  • <http://www.ntp.org/downloads.html>
  • <http://www.ubuntu.com/usn/USN-867-1>
  • <http://security-tracker.debian.org/tracker/CVE-2009-3563>
  • <http://tools.cisco.com/security/center/viewAlert.x?alertId=19540>

Credit

Thanks to Harlan Stenn for reporting this vulnerability.

This document was written by Will Dormann, based on information provided by Harlan Stenn.

Other Information

  • CVE IDs: CVE-2009-3563
  • Date Public: 08 Dec 2009
  • Date First Published: 08 Dec 2009
  • Date Last Updated: 22 Jul 2011
  • Document Revision: 31