Bug 1274184 (CVE-2015-7705)

Summary: CVE-2015-7705 ntp: denial of service by trigerring rate limiting on NTP server
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dsirrine, mlichvar, moshiro, sardella, slawomir, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ntp 4.2.8p4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-07 13:32:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1296166    
Bug Blocks: 1260670    

Description Martin Prpič 2015-10-22 08:16:59 UTC
A flaw was found in the way NTP handled rate limiting. An attacker able to send a large number of crafted requests to an NTP server could trigger the rate limiting on that server, and prevent clients from getting a usable reply from the server.

The default NTP configuration in Red Hat Enterprise Linux does not enable rate limiting.

External References:

https://www.cs.bu.edu/~goldbe/NTPattack.html

Comment 4 Martin Prpič 2016-01-06 13:57:24 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1296166]

Comment 6 Martin Prpič 2016-01-07 13:32:23 UTC
While mitigating this particular issue by adding a log message into the log files, the upstream fix may have inadvertently introduced a new issue that could fill up all log files.

The correct fix for this issue is randomized response rate limiting. However, implementing this issue would radically change the way limiting works in NTP and could potentially break other application's functionality relying on this feature currently.

An additional, less intrusive fix for this issue may be developed at a later time and included in later releases of Red Hat Enterprise Linux.

Rate limiting is by default disabled in the ntp packages shipped in Red Hat Enterprise Linux. To specifically disable rate limiting, use the following workaround.

Mitigation:

Do not add the "limited" configuration option to any restrict lines in the ntp.conf file.