NTP Bug 3453

Interleaved symmetric mode cannot recover from bad state

  • Date Resolved: Stable (4.2.8p11) 27 Feb 2018
  • References: Sec 3453 / CVE-2018-7184 / VU#961909
  • Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
  • CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:P/I:N/A:N) Could score between 2.9 and 6.8.
  • CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L Could score between 2.6 and 6.0.
  • Summary: The fix for NtpBug2952 was incomplete, and while it fixed one problem it created another. Specifically, it drops bad packets before updating the "received" timestamp. This means a third-party can inject a packet with a zero-origin timestamp, meaning the sender wants to reset the association, and the transmit timestamp in this bogus packet will be saved as the most recent "received" timestamp. The real remote peer does not know this value and this will disrupt the association until the association resets.
  • Mitigation:
  • Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.

Reported: 24 Jan 2018

This topic: Main > SecurityNotice > NtpBug3453
Topic revision: r1 - 2018-02-28 - 00:19:18 - HarlanStenn
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback