Bug 1300651 (CVE-2015-8140) - CVE-2015-8140 ntp: ntpq protocol vulnerable to replay attacks
Summary: CVE-2015-8140 ntp: ntpq protocol vulnerable to replay attacks
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-8140
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1300277
Blocks: 1297474
TreeView+ depends on / blocked
 
Reported: 2016-01-21 11:08 UTC by Andrej Nemec
Modified: 2021-02-17 04:28 UTC (History)
2 users (show)

Fixed In Version: ntp-4.2.8p6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-21 11:50:02 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2016-01-21 11:08:24 UTC
The ntpq protocol is vulnerable to replay attacks. The sequence number being included under the signature fails to prevent replay attacks for two reasons. Commands that don't require authentication can be used to move the sequence number forward, and NTP doesn't actually care what sequence number is used so a packet can be replayed at any time. If, for example, an attacker can intercept authenticated reconfiguration commands that would. for example, tell ntpd to connect with a server that turns out to be malicious and a subsequent reconfiguration directive removed that malicious server, the attacker could replay the configuration command to re-establish an association to malicious server.

Upstream bug report:

http://support.ntp.org/bin/view/Main/NtpBug2947

Comment 2 Martin Prpič 2016-01-21 11:50:02 UTC
Upstream has not released a fix for this issue and has opted for publishing a mitigation instead.

Mitigation:

This issue can be mitigated by one of the following methods: disabling ntpq in ntp.conf, configuring ntpd to get time from multiple sources, or using a restriction list in your ntp.conf to limit who is allowed to issue ntpq queries.


Note You need to log in before you can comment on or make changes to this bug.