Bug 1434017 (CVE-2016-9042)

Summary: CVE-2016-9042 ntp: DoS via origin timestamp check functionality
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: dmoppert, linville, mlichvar, security-response-team, slawomir
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: ntp 4.2.8p10
Doc Text: A vulnerability was found in NTP, affecting the origin timestamp check function. An attacker able to spoof messages from all of the configured peers could send crafted packets to ntpd, causing later replies from those peers to be discarded, resulting in denial of service.
Last Closed: 2017-03-30 06:06:09 UTC
Bug Blocks: 1434021

Description Adam Mariš 2017-03-20 14:43:31 UTC
An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition. This vulnerability can only be exploited if the attacker can spoof all of the servers.

Affects: ntp-4.0.9, up to but not including ntp-4.2.8p10

Mitigations:

Implement BCP-38.

Configure enough servers/peers that an attacker cannot target all of your time sources.

Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
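
One possible form of the monitoring and "enough servers" mitigations listed above, as an added example that is not part of the bug report or the NTP project's code: it parses `ntpq -pn` peer output and flags the state this flaw would leave behind, assuming discarded replies show up as every source's reach register emptying. The sample outputs are constructed, and the function names and the `min_sources` and `recent_polls` thresholds are assumptions.

```python
# Added example: health check over `ntpq -pn` peer output.
# Both samples are constructed; addresses come from documentation ranges.
HEADER = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
"""
SAMPLE_HEALTHY = HEADER + """\
*192.0.2.10      198.51.100.1     2 u   33   64  377    1.204    0.113   0.052
+192.0.2.11      198.51.100.2     2 u   40   64  377    1.530   -0.207   0.080
+192.0.2.12      198.51.100.3     2 u   12   64  177    2.011    0.340   0.101
-192.0.2.13      198.51.100.4     3 u   51   64  377    9.870    1.902   0.455
"""
SAMPLE_STARVED = HEADER + """\
 192.0.2.10      198.51.100.1     2 u  19m   64    0    1.204    0.113   0.052
 192.0.2.11      198.51.100.2     2 u  19m   64    0    1.530   -0.207   0.080
"""


def parse_peers(text):
    """Return one dict per peer line: tally code, remote, reach as an int."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or "refid" in line:
            continue  # blank line, ruler, or column header
        fields = line[1:].split()  # column 0 is the tally code
        if len(fields) < 10:
            continue
        # reach is an 8-bit shift register printed in octal; bit 0 = latest poll
        peers.append({"tally": line[0], "remote": fields[0],
                      "reach": int(fields[6], 8)})
    return peers


def assess(peers, min_sources=4, recent_polls=3):
    """List problems; min_sources and recent_polls are assumed thresholds."""
    problems = []
    if len(peers) < min_sources:
        problems.append(f"only {len(peers)} sources (want >= {min_sources})")
    mask = (1 << recent_polls) - 1
    silent = [p["remote"] for p in peers if p["reach"] & mask == 0]
    if peers and len(silent) == len(peers):
        problems.append(f"no reply accepted from any source in last {recent_polls} polls")
    if not any(p["tally"] in "*o" for p in peers):
        problems.append("no system peer selected")
    return problems


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_HEALTHY), ("starved", SAMPLE_STARVED)):
        print(name, assess(parse_peers(text)))
```

Feed `parse_peers` the output of `ntpq -pn` from a monitoring agent and alert when `assess` returns a non-empty list.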

Comment 3 Adam Mariš 2017-03-20 14:45:03 UTC
Acknowledgments:

Name: the NTP project
Upstream: Matthew Van Gundy (Cisco)

Comment 5 Adam Mariš 2017-03-23 10:09:10 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1435163]

Comment 6 Martin Prpič 2017-03-29 14:40:04 UTC
External References:

http://www.talosintelligence.com/reports/TALOS-2016-0260/

Comment 8 Doran Moppert 2017-03-30 06:04:39 UTC
This flaw is due to an incorrect upstream fix of CVE-2015-8138. ntp as distributed with Fedora and Red Hat Enterprise Linux is not affected by this issue.