NTP Bug 3012 (p12 update)

Sybil vulnerability: ephemeral association attack

• Updated: Stable (4.2.8p12) 14 Aug 2018 - Improve noepeer behavior.
• Date Resolved: Stable (4.2.8p11) 27 Feb 2018
• Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
• References: Sec 3012 / CVE-2018-7170 / VU#961909. This exists because of an incomplete fix for CVE-2016-1549 / VU#718152
• Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.94. Resolved in 4.2.8p11. Improved in 4.2.8p12 and 4.3.94.
• CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
• CVSS3: MED 5.3 - (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
• Summary: ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer -- i.e. one where the attacker knows the private symmetric key -- can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock. Two additional protections are offered in ntp-4.2.8p11. One is the noepeer directive, which disables symmetric passive ephemeral peering. The other extends the functionality of the 4th field in the ntp.keys file to include specifying a subnet range.
• Mitigation:
  • Implement BCP-38.
  • Upgrade to 4.2.8p12, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  • Use the noepeer directive to prohibit symmetric passive ephemeral associations.
  • Use the ippeerlimit directive to limit the number of peer associations from an IP.
  • Use the 4th argument in the ntp.keys file to limit the IPs and subnets that can be time servers.
  • Properly monitor your ntpd instances.
• Credit: This weakness was originally discovered by Matthew Van Gundy of Cisco ASIG. The edge-case hole in the noepeer processing was reported by Martin Burnicki of Meinberg.