Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 290881 (CVE-2009-3563) - <net-misc/ntp-4.2.4_p7-r1 Mode 7 message loop Denial of service (CVE-2009-3563)
Summary: <net-misc/ntp-4.2.4_p7-r1 Mode 7 message loop Denial of service (CVE-2009-3563)
Alias: CVE-2009-3563
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
: 296350 (view as bug list)
Depends on:
Reported: 2009-10-28 13:56 UTC by Robert Buchholz (RETIRED)
Modified: 2010-02-14 23:42 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

ntp-4.2.4_p7-CVE-2009-3563.patch (ntp-4.2.4_p7-CVE-2009-3563.patch,1.71 KB, patch)
2009-10-28 13:58 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
ntp-4.2.4_p7-r1.ebuild (ntp-4.2.4_p7-r1.ebuild,3.69 KB, text/plain)
2009-10-28 14:08 UTC, Robert Buchholz (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-10-28 13:56:42 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Robin Park and Dmitri Vinokurov of Alcatel-Lucent reported a Denial of Service vulnerability in ntp before 4.2.4p8 (to be released). Quoting CERT:

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and
control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while
routine NTP time transfers use modes 1 through 5. Upon receipt of an
incorrect mode 7 request or a mode 7 error response from an address
which is not listed in a "restrict ... noquery" or "restrict ... ignore"
statement, ntpd will reply with a mode 7 error response (and log a
message). In this case:
o If an attacker spoofs the source address of ntpd host A in a
mode 7 response packet sent to ntpd host B, both A and B will
continuously send each other error responses, for as long as those
packets get through.
o If an attacker spoofs an address of ntpd host A in a mode 7
response packet sent to ntpd host A, A will respond to itself endlessly,
consuming CPU and logging excessively.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-10-28 13:58:53 UTC
Created attachment 208517 [details, diff]
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-10-28 14:08:36 UTC
Created attachment 208519 [details]
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-10-28 14:10:12 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, chainsaw
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : fmccor
     x86 : fauli, maekke
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-10-28 17:05:56 UTC
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-28 17:59:51 UTC
Correcting liaisons.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-28 19:14:22 UTC
x86 ok
Comment 7 Tiago Cunha (RETIRED) gentoo-dev 2009-10-28 19:39:59 UTC
sparc ok
Comment 8 Joe Jezak (RETIRED) gentoo-dev 2009-11-09 21:28:59 UTC
ppc/ppc64 are okay.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-09 20:39:42 UTC
amd64 is fine.

this bug is public now. someone from security will unrestrict the bug as I am just too tired for that now ;)
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-09 22:35:44 UTC
*** Bug 296350 has been marked as a duplicate of this bug. ***
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-10 11:37:51 UTC
*** Bug 296350 has been marked as a duplicate of this bug. ***
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-10 11:42:11 UTC
Public via $URL.

base-system: please commit ebuild to the tree with stable keywords as follows:
"amd64 hppa ppc ppc64 sparc x86"

alpha, arm, ia64, s390, and sh: Please stabilize when bumped.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-10 12:13:29 UTC
CVE-2009-3563 (
  ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote
  attackers to cause a denial of service (CPU and bandwidth
  consumption) by using MODE_PRIVATE to send a spoofed (1) request or
  (2) response packet that triggers a continuous exchange of
  MODE_PRIVATE error responses between two NTP daemons.

Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-10 15:09:27 UTC
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-10 20:02:50 UTC
GLSA request filed.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-12-11 14:44:37 UTC
alpha/arm/ia64/s390/sh stable
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-03 18:27:47 UTC
GLSA 201001-01
Comment 18 Chris Henhawke 2010-01-27 16:33:16 UTC
Yesterday on my network, the DDoS condition had occurred.  Performed the recommended upgrade.  Stopped ntpd on both sides of the connection, and then started them back up.  The DDoS started again almost immediately.

100% CPU utilization on the client, 50% CPU utilization on the server.  3.5 MB/s of constant NTP traffic between the hosts.

If possible, I would like this bug reopened.
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-27 19:34:47 UTC
I'm wondering how that could happen. Do you have pcap dump you can send?
Comment 20 Chris Henhawke 2010-01-27 20:41:56 UTC

I capped these last night while I was in #ntp.

~20MB each, they run for about 5 seconds.  A lot of packets here.
Comment 21 Chris Henhawke 2010-01-29 12:28:28 UTC
I just noticed that craig@g.o. is now on away until the summer.

Can I please have someone check this stuff for me?  I'd like my CPU time and bandwidth back.

And if you don't believe that I'm using the right version...
Comment 22 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-01 20:53:21 UTC
FYI: I'm not away till summer, just one more week (depending on circumstances +1 month maybe). ;)
Comment 23 Chris Henhawke 2010-02-11 18:11:54 UTC
I find it rather hard to believe that only one person can help me with this issue.  CVE to GLSA took less than 24 hours, but I've been waiting for over 2 weeks to get help regarding the same issue.

If I have to wait another month to get some assistance, I'll seriously be considering Debian or BSD when I buy and upgrade my current network to a hardened architecture.
Comment 24 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-14 22:51:28 UTC
a) Your problem seems be some other network glitch as this was patched already. I'm not very keen to analyse your network problems in my free time. To your very great suprise, others members from the security team will most likely feel the same way.

b) If you want fixed timeframes in which your problems are solved, I suggest you buy a distro with professional support (RHEL or SLES) and do not run a distribution that is run by volunteers in their free time.

c) You're free to become a developer yourself or to get out strace & gdb. If you're not able to do that, you might consider calling a consultant that can fix your problems.

d) Don't forget that you neither payed anything, nor did gentoo promise you anything; you cannot scare anyone by saying you will use Debian or BSD. Why should anyone care at all? It will rather make everyone laugh.

e) I will not touch this bug for one month from now on, so that you have enough time to think about b) (or analyse your problems yourself). Writing this has already been a waste of time, I will not take part in any further discussion about the whole issue and am not available until 07th march.