r3 - 2018-08-31 - 21:04:36 - SteveSullivanYou are here: NTP >  Main Web > SecurityNotice > NtpBug3012P12
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p12 was released on 14 August 2018. It addresses 1 low-/medium-severity security issue in ntpd, 1 low-severity security issue in ntpq and ntpdc, and provides 27 non-security bugfixes and 4 other improvements over 4.2.8p11.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

NTP Bug 3012 (p12 update)

Sybil vulnerability: ephemeral association attack

  • Updated: Stable (4.2.8p12) 14 Aug 2018 - Improve noepeer behavior.
  • Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  • Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  • References: Sec 3012 / CVE-2018-7170 / VU#961909. While fixed in ntp-4.2.8p7 and with significant additional protections for this issue in 4.2.8p11, ntp-4.2.8p12 includes a fix for an edge case in the new noepeer support. Refer to CVE-2016-1549 / VU#718152 for additional info.
  • Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.94. Resolved in 4.2.8p11. Improved in 4.2.8p12 and 4.3.94.
  • CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
  • CVSS3: MED 5.3 - (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
  • Summary: ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer -- i.e. one where the attacker knows the private symmetric key -- can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock. Two additional protections are offered in ntp-4.2.8p11. One is the noepeer directive, which disables symmetric passive ephemeral peering. The other extends the functionality of the 4th field in the ntp.keys file to include specifying a subnet range.
  • Mitigation:
    • Implement BCP-38.
    • Upgrade to 4.2.8p12, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
    • Use the noepeer directive to prohibit symmetric passive ephemeral associations.
    • Use the ippeerlimit directive to limit the number of peer associations from an IP.
    • Use the 4th argument in the ntp.keys file to limit the IPs and subnets that can be time servers.
    • Properly monitor your ntpd instances.
  • Credit: This weakness was originally discovered by Matthew Van Gundy of Cisco ASIG. The edge-case hole in the noepeer processing was reported by Martin Burnicki of Meinberg.
Edit | WYSIWYG | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r3 < r2 < r1 | More topic actions
 
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback