Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 296350

Summary: net-misc/ntp-4.2.4.p7: DoS with mode 7 packets (CVE-2009-3563)
Product: Gentoo Security Reporter: cilly <cilly>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: critical CC: bernd, jaak, josh
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://support.ntp.org/bugs/show_bug.cgi?id=1331
Whiteboard:
Package list:
Runtime testing required: ---

Description cilly 2009-12-09 22:28:12 UTC 
NTP mode 7 denial-of-service vulnerability

Overview

NTP contains a vulnerability in the handling of mode 7 requests, which can result in a denial-of-service condition.
I. Description

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address that is not listed in a "restrict ... noquery" or "restrict ... ignore" segment, ntpd will reply with a mode 7 error response and log a message.
If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.

If an attacker spoofs an address of ntpd host A in a mode 7 response packet sent to ntpd host A, then host A will respond to itself endlessly, consuming CPU and logging excessively.

II. Impact

A remote, unauthenticated attacker may be able to cause a denial-of-service condition on a vulnerable NTP server.
III. Solution

Apply an update
This issue is addressed in NTP 4.2.4p8. Please check with your vendor for an update, or you may download NTP 4.2.4p8 from ntp.org.

Configure NTP to limit source addresses

By using "restrict ... noquery" or "restrict ... ignore" entries in the ntp.conf file, ntpd can be configured to limit the source addresses to which it will respond.

Filter NTP mode 7 packets that specify source and destination port 123

In most cases, ntpdc mode 7 requests will have either a source or destination port of 123, but not both.

Use anti-spoofing IP address filters

RFC 2827 (BCP 38) describes network ingress filtering, which can prevent UDP traffic claiming to be from a local address from entering your network from an outside source. Some ISPs may employ unicast reverse path filtering (uRPF) to limit the spoofed traffic that can enter your network.



The fix for this problem is in 4.2.4p8 and 4.2.6.
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-09 22:35:44 UTC 

*** This bug has been marked as a duplicate of bug 290881 ***
Comment 2 cilly 2009-12-10 09:27:21 UTC 
Can't see duplicate bug. Btw, it is public at secunia and other security sites, so no reason to hide.

http://secunia.com/advisories/37629/

Pls, fix.

Urgent
Comment 3 Bernd Marienfeldt 2009-12-10 11:08:12 UTC 
http://www.kb.cert.org/vuls/id/MAPG-7X7V8Z
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-10 11:37:51 UTC 

*** This bug has been marked as a duplicate of bug 290881 ***