Bug 1434017 – CVE-2016-9042 ntp: DoS via origin timestamp check functionality

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1434017 - (CVE-2016-9042) CVE-2016-9042 ntp: DoS via origin timestamp check functionality

Summary:	CVE-2016-9042 ntp: DoS via origin timestamp check functionality

Status:	CLOSED NOTABUG

Aliases:	CVE-2016-9042

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170321,repor...
Keywords:	Security

Depends On:
Blocks:	1434021
	Show dependency tree / graph

Reported:	2017-03-20 10:43 EDT by Adam Mariš
Modified:	2017-03-30 02:06 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	ntp 4.2.8p10
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in NTP, affecting the origin timestamp check function. An attacker able to spoof messages from all of the configured peers could send crafted packets to ntpd, causing later replies from those peers to be discarded, resulting in denial of service.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-03-30 02:06:09 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2017-03-20 10:43:31 EDT

An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition. This vulnerability can only be exploited if the attacker can spoof all of the servers.

Affects: ntp-4.0.9, up to but not including ntp-4.2.8p10

Mitigations:

Implement BCP-38.

Configure enough servers/peers that an attacker cannot target all of your time sources.

Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.

Comment 3 Adam Mariš 2017-03-20 10:45:03 EDT

Acknowledgments:

Name: the NTP project
Upstream: Matthew Van Gundy (Cisco)

Comment 5 Adam Mariš 2017-03-23 06:09:10 EDT

Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1435163]

Comment 6 Martin Prpič 2017-03-29 10:40:04 EDT

External References:

http://www.talosintelligence.com/reports/TALOS-2016-0260/

Comment 8 Doran Moppert 2017-03-30 02:04:39 EDT

This flaw is due to an incorrect upstream fix of CVE-2015-8138. ntp as distributed with Fedora and Red Hat Enterprise Linux is not affected by this issue.

Note You need to log in before you can comment on or make changes to this bug.