join
donate

NTP Bug 3012

Sybil vulnerability: ephemeral association attack

  • Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  • References: Sec 3012 / CVE-2016-1549 / VU#718152
  • Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92
  • CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  • CVSS3: MED 5.3 - (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
  • Summary: ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer -- i.e. one where the attacker knows the private symmetric key -- can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock.
  • Mitigation:
    • Implement BCP-38.
    • Use the 4th argument in the ntp.keys file to limit the IPs that can be time servers.
    • Properly monitor your ntpd instances
  • Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.


This topic: Main > SecurityNotice > NtpBug3012
Topic revision: r1 - 2016-04-27 - 02:33:34 - HarlanStenn
 
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback