Bug 1434017 (CVE-2016-9042) - CVE-2016-9042 ntp: DoS via origin timestamp check functionality
Summary: CVE-2016-9042 ntp: DoS via origin timestamp check functionality
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-9042
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1434021
Reported: 2017-03-20 14:43 UTC by Adam Mariš
Modified: 2021-02-17 02:26 UTC

Fixed In Version: ntp 4.2.8p10
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in NTP, affecting the origin timestamp check function. An attacker able to spoof messages from all of the configured peers could send crafted packets to ntpd, causing later replies from those peers to be discarded, resulting in denial of service.
Clone Of:
Environment:
Last Closed: 2017-03-30 06:06:09 UTC
Embargoed:


Description Adam Mariš 2017-03-20 14:43:31 UTC
An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition. This vulnerability can only be exploited if the attacker can spoof all of the servers.

Affects: ntp-4.0.9, up to but not including ntp-4.2.8p10

Mitigations:

Implement BCP-38.

Configure enough servers/peers that an attacker cannot target all of your time sources.

Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
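
A monitoring check for the symptom described in this report, added here as an example (it is not part of the bug report or of ntp): it parses `ntpq -pn` output and flags the case where every configured source has stopped yielding accepted replies. The sample output is constructed, and the `max_missed` threshold and the status names are assumptions.

```python
# Constructed `ntpq -pn` output; addresses are documentation-range placeholders.
HEADER = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "==============================================================================\n"
)
HEALTHY = HEADER + (
    "*192.0.2.10      .GPS.            1 u   33   64  377    1.234    0.120   0.045\n"
    "+192.0.2.11      192.0.2.1        2 u   40   64  377    2.100   -0.310   0.080\n"
    "+192.0.2.12      192.0.2.1        2 u   12   64  376    1.900    0.250   0.060\n"
)
ALL_LOST = HEADER + (
    " 192.0.2.10      .GPS.            1 u  410   64  300    1.234    0.120   0.045\n"
    " 192.0.2.11      192.0.2.1        2 u  420   64  340    2.100   -0.310   0.080\n"
    " 192.0.2.12      192.0.2.1        2 u  395   64  360    1.900    0.250   0.060\n"
)

def missed_polls(reach: int) -> int:
    """Consecutive most-recent polls with no accepted reply (0 to 8).
    reach is an 8-bit shift register; bit 0 is the latest poll."""
    if reach == 0:
        return 8
    missed = 0
    while reach & 1 == 0:
        reach >>= 1
        missed += 1
    return missed

def parse_peers(text: str) -> list[dict]:
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()          # column 0 holds the tally code
        if len(fields) < 10 or fields[0] == "remote":
            continue                       # header, separator or blank line
        reach = int(fields[6], 8)          # ntpq prints reach in octal
        peers.append({"tally": line[0], "remote": fields[0],
                      "missed": missed_polls(reach)})
    return peers

def assess(text: str, max_missed: int = 3) -> dict:
    """max_missed is an assumed threshold; tune it to your poll interval."""
    peers = parse_peers(text)
    stale = [p["remote"] for p in peers if p["missed"] >= max_missed]
    has_sys_peer = any(p["tally"] in "*o" for p in peers)
    if not peers or len(stale) == len(peers):
        status = "all-sources-lost"        # every source is dropping replies
    elif stale or not has_sys_peer:
        status = "degraded"
    else:
        status = "ok"
    return {"status": status, "stale": stale, "sys_peer": has_sys_peer}
```

An `all-sources-lost` result does not distinguish this flaw from an ordinary network outage; it only indicates that ntpd is no longer accepting replies from any configured source.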

Comment 3 Adam Mariš 2017-03-20 14:45:03 UTC
Acknowledgments:

Name: the NTP project
Upstream: Matthew Van Gundy (Cisco)

Comment 5 Adam Mariš 2017-03-23 10:09:10 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1435163]

Comment 6 Martin Prpič 2017-03-29 14:40:04 UTC
External References:

http://www.talosintelligence.com/reports/TALOS-2016-0260/

Comment 8 Doran Moppert 2017-03-30 06:04:39 UTC
This flaw is due to an incorrect upstream fix of CVE-2015-8138. ntp as distributed with Fedora and Red Hat Enterprise Linux is not affected by this issue.
