NTP Bug 2901

Clients that receive a KoD should validate the origin timestamp field.

  • Date Resolved: Stable (4.2.8p4) 21 Oct 2015
  • References: Sec 2901 / CVE-2015-7704 / CVE-2015-7705
  • Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  • CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
  • Summary: An ntpd client that honors Kiss-of-Death responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query.
  • Mitigation:
    • Implement BCP-38.
    • Upgrade to 4.2.8p4, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
    • If you can't upgrade, restrict who can query ntpd to learn who its servers are, and what IPs are allowed to ask your system for the time. This mitigation is heavy-handed.
    • Monitor your ntpd instances.
  • Note: 4.2.8p4 protects against the first attack. For the second attack, all we can do is warn when it is happening, which we do in 4.2.8p4.
  • Credit: This weakness was discovered by Aanchal Malhotra, Issac E. Cohen, and Sharon Goldberg of Boston University.

This topic: Main > SecurityNotice > NtpBug2901
Topic revision: r1 - 2015-10-23 - 09:04:17 - HarlanStenn
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback