Bug 1300651 - (CVE-2015-8140) CVE-2015-8140 ntp: ntpq protocol vulnerable to replay attacks
CVE-2015-8140 ntp: ntpq protocol vulnerable to replay attacks
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160120,repor...
: Security
Depends On: 1300277
Blocks: 1297474
  Show dependency treegraph
 
Reported: 2016-01-21 06:08 EST by Andrej Nemec
Modified: 2016-02-23 13:52 EST (History)
2 users (show)

See Also:
Fixed In Version: ntp-4.2.8p6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-21 06:50:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrej Nemec 2016-01-21 06:08:24 EST
The ntpq protocol is vulnerable to replay attacks. The sequence number being included under the signature fails to prevent replay attacks for two reasons. Commands that don't require authentication can be used to move the sequence number forward, and NTP doesn't actually care what sequence number is used so a packet can be replayed at any time. If, for example, an attacker can intercept authenticated reconfiguration commands that would. for example, tell ntpd to connect with a server that turns out to be malicious and a subsequent reconfiguration directive removed that malicious server, the attacker could replay the configuration command to re-establish an association to malicious server.

Upstream bug report:

http://support.ntp.org/bin/view/Main/NtpBug2947
Comment 2 Martin Prpič 2016-01-21 06:50:02 EST
Upstream has not released a fix for this issue and has opted for publishing a mitigation instead.

Mitigation:

This issue can be mitigated by one of the following methods: disabling ntpq in ntp.conf, configuring ntpd to get time from multiple sources, or using a restriction list in your ntp.conf to limit who is allowed to issue ntpq queries.

Note You need to log in before you can comment on or make changes to this bug.