r1 - 2020-03-04 - 08:27:08 - HarlanStenn
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p15 was released on 23 June 2020. It addresses 1 medium-severity security issue in ntpd, and provides 13 non-security bugfixes over 4.2.8p13.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

NTP Bug 3596

Unauthenticated and unmonitored ntpd may be susceptible to IPv4 attack from highly predictable transmit timestamps

  • Date Resolved: Stable (4.2.8p14) 03 Mar 2020
  • References: Sec 3596 / CVE-2019-XXXX
  • Affects: Likely all versions of ntpd up to, but not including, ntp-4.2.8p14 and ntp-4.3.100. Resolved in ntp-4.2.8p14 and ntp-4.3.100.
  • CVSS2: 5.4 - (AV:N/AC:H/Au:N/C:N/I:N/A:C)
  • CVSS3: 5.9 - (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • Summary: A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. The attacker must be able to send and the victim must be able to receive and process a large number of packets with the spoofed IPv4 address of the upstream server. After 8 or more successful attacks in a row, the attacker can either modify the victim's clock by a limited amount or cause ntpd to exit. This attack is most effective in cases where an unusually short poll interval is expressly configured on the victim's ntpd.
  • Mitigation:
    • Have enough trustworthy sources of time.
    • If you are serving time to a possibly hostile network, have your system get its time from other than unauthenticated IPv4 over the hostile network.
    • Use NTP packet authentication where appropriate.
    • Pay attention to error messages logged by ntpd.
    • Monitor your ntpd instances. If the pstats command of ntpq shows that the value for "bogus origin" is increasing, then that association is likely under attack.
    • If you must get unauthenticated time over IPv4 on a hostile network:
      • Use restrict ... noserve, which blocks time service to the specified network, to prevent this attack (note that this is a heavy-handed protection).
      • Upgrade to 4.2.8p14, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page, and appropriately use some or all of the following in your ntp.conf file:
        • server ... xmtnonce
        • pool ... xmtnonce
        • restrict ... serverresponse fuzz
        • pollskewlist default 6|6 (for example)
  • Credit: Reported by Miroslav Lichvar.
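Two of the mitigations listed above lend themselves to a routine check: auditing ntp.conf for server/pool lines that still lack xmtnonce (and for the presence of serverresponse fuzz and pollskewlist), and watching the "bogus origin" counter reported by ntpq pstats for an association. The POSIX shell script below is an added example and is not part of the NTP Project's advisory or its tooling. The ntp.conf lines and the two pstats dumps it inspects are constructed sample data; the association ID 12345 and the exact column layout of pstats output are assumptions to verify against your own ntpq version.

```shell
#!/bin/sh
# Added example (not NTP Project code): two defender-side checks drawn from the
# mitigation list in NtpBug3596.
#   1. Config audit: flag server/pool lines without "xmtnonce"; report whether
#      "restrict ... serverresponse fuzz" and "pollskewlist" are configured.
#   2. pstats monitor: extract the "bogus origin" counter from the text printed
#      by `ntpq -c "pstats <assocID>"` and compare two samples taken over time.
# All input below is constructed. Hostnames, the association ID 12345 and the
# pstats line layout are assumptions; check them against your ntpq version.

# Constructed ntp.conf: the first two lines are the pre-4.2.8p14 style, the
# remaining lines use the hardening options the advisory lists.
SAMPLE_CONF='server ntp1.example.net iburst
pool ntp2.example.net iburst
server ntp3.example.net iburst xmtnonce
pool ntp4.example.net iburst xmtnonce
restrict default kod nomodify notrap nopeer noquery serverresponse fuzz
pollskewlist default 6|6'

# Filter: print each server/pool line on stdin that does not carry xmtnonce.
servers_without_xmtnonce() {
    grep -E '^[[:space:]]*(server|pool)[[:space:]]' | grep -vw 'xmtnonce'
}

# Count the server/pool lines in a config string that lack xmtnonce.
count_servers_without_xmtnonce() {
    printf '%s\n' "$1" | servers_without_xmtnonce | awk 'END { print NR }'
}

# Exit 0 when some restrict line enables "serverresponse fuzz", 1 otherwise.
has_serverresponse_fuzz() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*restrict[[:space:]].*serverresponse[[:space:]]+fuzz'
}

# Exit 0 when a pollskewlist directive is present, 1 otherwise.
has_pollskewlist() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*pollskewlist[[:space:]]'
}

# Constructed output of `ntpq -c "pstats 12345"`, trimmed to a few lines and
# captured twice a few minutes apart. The counter values are made up; 192.0.2.10
# is a documentation address.
PSTATS_BEFORE='associd=12345
remote host:          192.0.2.10
packets sent:         1204
packets received:     1203
bad authentication:   0
bogus origin:         2
duplicate:            0'

PSTATS_AFTER='associd=12345
remote host:          192.0.2.10
packets sent:         1260
packets received:     1259
bad authentication:   0
bogus origin:         41
duplicate:            0'

# Extract the "bogus origin" counter from a pstats dump; prints 0 if absent.
bogus_origin() {
    printf '%s\n' "$1" | awk -F': *' '/^bogus origin:/ { v = $2 } END { print v + 0 }'
}

# Compare two dumps of the same association: "ALERT <delta>" if the counter
# grew (the advisory's indicator that the association is likely under attack),
# otherwise "ok".
bogus_origin_delta() {
    before=$(bogus_origin "$1")
    after=$(bogus_origin "$2")
    if [ "$after" -gt "$before" ]; then
        printf 'ALERT %s\n' $((after - before))
    else
        printf 'ok\n'
    fi
}

# Stand-alone run: report on the constructed config and the two pstats samples.
printf '%s\n' "$SAMPLE_CONF" | servers_without_xmtnonce | sed 's/^/missing xmtnonce: /'
has_serverresponse_fuzz "$SAMPLE_CONF" && echo "serverresponse fuzz: configured"
has_pollskewlist "$SAMPLE_CONF" && echo "pollskewlist: configured"
echo "bogus origin check: $(bogus_origin_delta "$PSTATS_BEFORE" "$PSTATS_AFTER")"
```

In practice the two pstats samples would come from `ntpq -c "pstats <assocID>"` run at an interval (the association IDs are listed by `ntpq -c associations`), with the previous counter stored between runs; a single growing "bogus origin" value is not proof of an attack, but a steady climb on one association is the signal the advisory tells you to look for.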

  • 2020 Mar 03: Public release
  • 2020 Feb 17: Release to Advance Security Partners
  • 2019 Jun 20: Reported to NTF