Bug 1811627 (CVE-2020-13817) - CVE-2020-13817 ntp: ntpd using highly predictable transmit timestamps could result in time change or DoS
Summary: CVE-2020-13817 ntp: ntpd using highly predictable transmit timestamps could r...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13817
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1811628 1813787 1841821
Blocks: 1811629
TreeView+ depends on / blocked
 
Reported: 2020-03-09 11:21 UTC by Michael Kaplan
Modified: 2021-02-16 20:29 UTC (History)
5 users (show)

Fixed In Version: ntp-4.2.8p14, ntp-4.3.100
Doc Type: If docs needed, set a value
Doc Text:
A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. An attacker who can send a large number of packets with the spoofed IPv4 address of the upstream server can use this flaw to modify the victim's clock by a limited amount or cause ntpd to exit.
Clone Of:
Environment:
Last Closed: 2020-06-23 17:20:26 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2663 0 None None None 2020-06-23 12:25:18 UTC

Description Michael Kaplan 2020-03-09 11:21:19 UTC
ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. After 8 or more successful attacks in a row, the attacker can either modify the victim's clock by a limited amount or cause ntpd to exit.

Upstream Reference:

http://support.ntp.org/bin/view/Main/NtpBug3596

Comment 1 Michael Kaplan 2020-03-09 11:21:48 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1811628]

Comment 2 Huzaifa S. Sidhpurwala 2020-03-16 05:02:25 UTC
External References:

http://support.ntp.org/bin/view/Main/NtpBug3596

Comment 4 Huzaifa S. Sidhpurwala 2020-03-16 05:09:53 UTC
Mitigation:

1. Have enough trustworthy sources of time.
2. If you are serving time to a possibly hostile network, have your system get its time from other than unauthenticated IPv4 over the hostile network.
3. Use NTP packet authentication where appropriate.
4. Pay attention to error messages logged by ntpd.
5. Monitor your ntpd instances. If the pstats command of ntpq shows the value for "bogus origin" is increasing then that association is likely under attack.
6. If you must get unauthenticated time over IPv4 on a hostile network, Use restrict ... noserve to prevent this attack (note that this is a heavy-handed protection), which blocks time service to the specified network.

Comment 6 Huzaifa S. Sidhpurwala 2020-03-16 05:20:48 UTC
Statement:

All versions of ntp package shipped with Red Hat Enterprise Linux are affected by this flaw. However several mitigations exists, please refer to the mitigation section for more details.

Comment 12 Salvatore Bonaccorso 2020-06-05 07:36:09 UTC
Huzaifa, is CVE-2020-13816 a typo here and should it be CVE-2020-13817?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13817 references the http://support.ntp.org/bin/view/Main/NtpBug3596 and https://bugs.ntp.org/show_bug.cgi?id=3596 whilst CVE-2020-13816 is yet RESERVED.

Comment 13 Huzaifa S. Sidhpurwala 2020-06-05 10:00:47 UTC
In reply to comment #12:
> Huzaifa, is CVE-2020-13816 a typo here and should it be CVE-2020-13817?
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13817 references the
> http://support.ntp.org/bin/view/Main/NtpBug3596 and
> https://bugs.ntp.org/show_bug.cgi?id=3596 whilst CVE-2020-13816 is yet
> RESERVED.

i guess so, fixed now

Comment 14 errata-xmlrpc 2020-06-23 12:25:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2663 https://access.redhat.com/errata/RHSA-2020:2663

Comment 15 Product Security DevOps Team 2020-06-23 17:20:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13817


Note You need to log in before you can comment on or make changes to this bug.