NtpBug3415 < Main

---+ NTP Bug 3415
---+++ Provide a way to prevent authenticated symmetric passive peering
   * Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   * References: [[http://bugs.ntp.org/3415][Sec 3415]] / [[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7170][CVE-2018-7170]] / [[http://www.kb.cert.org/vuls/id/961909][VU#961909]]
   * Also See: [[http://bugs.ntp.org/3012][Sec 3012]] / [[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1549][CVE-2016-1549]] / VU#718152
   * Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   * CVSS2: LOW 3.5 - [[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N)][(AV:N/AC:M/Au:S/C:N/I:P/A:N)]]
   * CVSS3: LOW 3.1 - [[https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C][(CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)]]
   * Summary: =ntpd= can be vulnerable to Sybil attacks.  If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the =ntp.keys= file to specify which IPs can serve time, a malicious authenticated peer -- i.e. one where the attacker knows the private symmetric key -- can create arbitrarily-many ephemeral associations in order to win the clock selection of =ntpd= and modify a victim's clock.  Three additional protections are offered in ntp-4.2.8p11.  One is the new =noepeer= directive, which disables symmetric passive ephemeral peering. Another is the new =ippeerlimit= directive, which limits the number of peers that can be created from an IP. The third extends the functionality of the 4th field in the =ntp.keys= file to include specifying a subnet range.
   * Mitigation:
      * Implement BCP-38.
      * Upgrade to ntp-4.2.8p11 or later from the [[http://www.ntp.org/downloads.html][NTP Project Download Page]] or the [[http://support.ntp.org/download][NTP Public Services Project Download Page]].
      * Use the =noepeer= directive to prohibit symmetric passive ephemeral associations.
      * Use the =ippeerlimit= directive to limit the number of peers that can be created from an IP.
      * Use the 4th argument in the ntp.keys file to limit the IPs and subnets that can be time servers.
      * Have enough sources of time.
      * Properly monitor your =ntpd= instances.
      * If =ntpd= stops running, auto-restart it without =-g= .
   * Credit: This weakness was reported as Bug 3012 by Matthew Van Gundy of Cisco ASIG, and separately by Stefan Moser as Bug 3415.
This topic: Main > SecurityNotice > NtpBug3415
Topic revision: r2 - 2018-08-30 - 17:49:04 - HarlanStenn