join
donate

NTP Bug 3020

Refclock impersonation vulnerability

  • Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
  • References: Sec 3020 / CVE-2016-1551 / VU#718152
  • Affects: On a very limited number of OSes, all NTP releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92. By "very limited number of OSes" we mean no general-purpose OSes have yet been identified that have this vulnerability.
  • CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  • CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Summary: While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock.
  • Mitigation:
    • Implement martian packet filtering and BCP-38.
    • Configure ntpd to use an adequate number of time sources.
    • Upgrade to 4.2.8p7, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
    • If you are unable to upgrade and if you are running an OS that has this vulnerability, implement martian packet filters and lobby your OS vendor to fix this problem, or run your refclocks on computers that use OSes that are not vulnerable to these attacks and have your vulnerable machines get their time from protected resources.
    • Properly monitor your ntpd instances
  • Credit: This weakness was discovered by Matt Street and others of Cisco ASIG.


This topic: Main > SecurityNotice > NtpBug3020
Topic revision: r1 - 2016-04-27 - 03:16:07 - HarlanStenn
 
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback