NTP Bug 3007


  • Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  • References: Sec 3007 / CVE-2016-1547 / VU#718152
  • Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92
  • CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  • CVSS3: LOW 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
  • Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an off-path attacker can cause a preemptable client association to be demobilized by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled.

    Furthermore, if the attacker keeps sending crypto NAK packets, for example one every second, the victim never has a chance to reestablish the association and synchronize time with that legitimate server.

    For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more stringent checks are performed on incoming packets, but there are still ways to exploit this vulnerability in versions before ntp-4.2.8p7.
  • Mitigation:
  • Credit: This weakness was discovered by Stephen Gray and Matthew Van Gundy of Cisco ASIG.

This topic: Main > SecurityNotice > NtpBug3007
Topic revision: r1 - 2016-04-27 - 02:39:23 - HarlanStenn
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback