US-CERT Vulnerability Notes Database

Vulnerability Note VU#568372

NTP mode 7 denial-of-service vulnerability

Overview

NTP contains a vulnerability in the handling of mode 7 requests, which can result in a denial-of-service condition.

I. Description

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address that is not listed in a "restrict ... noquery" or "restrict ... ignore" segment, ntpd will reply with a mode 7 error response and log a message.

If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.

If an attacker spoofs an address of ntpd host A in a mode 7 response packet sent to ntpd host A, then host A will respond to itself endlessly, consuming CPU and logging excessively.

II. Impact

A remote, unauthenticated attacker may be able to cause a denial-of-service condition on a vulnerable NTP server.

III. Solution

Apply an update

This issue is addressed in NTP 4.2.4p8. Please check with your vendor for an update, or you may download NTP 4.2.4p8 from ntp.org.

Configure NTP to limit source addresses

By using "restrict ... noquery" or "restrict ... ignore" entries in the ntp.conf file, ntpd can be configured to limit the source addresses to which it will respond.

Filter NTP mode 7 packets that specify source and destination port 123

In most cases, ntpdc mode 7 requests will have either a source or destination port of 123, but not both.
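The filter described above, sketched as an added example that is not part of the original advisory: it flags mode 7 datagrams whose source and destination ports are both 123 and leaves other NTP traffic alone. The function names and sample datagrams are constructed for illustration, and the header layout (response bit 0x80 in the first octet, error code in the top four bits of octets 5 and 6) is assumed from ntpd's mode 7 packet format.

```python
import struct
from typing import NamedTuple, Optional

NTP_PORT = 123
MODE_PRIVATE = 7   # mode 7, used by ntpdc
RESP_BIT = 0x80    # set in the first octet of a mode 7 response

class Mode7Info(NamedTuple):
    is_response: bool
    err: int               # 0 on requests and successful responses
    both_ports_123: bool   # the combination the advisory suggests filtering

def inspect(src_port: int, dst_port: int, payload: bytes) -> Optional[Mode7Info]:
    """Return Mode7Info for a mode 7 datagram, None for anything else."""
    if len(payload) < 8:                  # shorter than a mode 7 header
        return None
    first, err_nitems = struct.unpack("!B3xH", payload[:6])
    if first & 0x07 != MODE_PRIVATE:      # modes 1 through 6 are left alone
        return None
    return Mode7Info(
        is_response=bool(first & RESP_BIT),
        err=err_nitems >> 12,
        both_ports_123=(src_port == NTP_PORT and dst_port == NTP_PORT),
    )

def should_drop(src_port: int, dst_port: int, payload: bytes) -> bool:
    """True only for mode 7 traffic with source and destination port 123."""
    info = inspect(src_port, dst_port, payload)
    return info is not None and info.both_ports_123

# Constructed sample datagrams: (label, source port, destination port, UDP payload)
SAMPLES = [
    ("ntpdc request",           51514, 123, bytes.fromhex("1700030000000000")),
    ("mode 7 error reply",        123, 123, bytes.fromhex("9700030030000000")),
    ("client time request",     40000, 123, b"\x23" + bytes(47)),
    ("symmetric peer (mode 1)",   123, 123, b"\x21" + bytes(47)),
]

if __name__ == "__main__":
    for label, sport, dport, data in SAMPLES:
        print(f"{label:24} drop={should_drop(sport, dport, data)} "
              f"{inspect(sport, dport, data)}")
```

The symmetric-peer sample shows why the rule has to match on the mode field as well as the ports: routine NTP between servers can legitimately use port 123 on both ends.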

Use anti-spoofing IP address filters

RFC 2827 (BCP 38) describes network ingress filtering, which can prevent UDP traffic claiming to be from a local address from entering your network from an outside source. Some ISPs may employ unicast reverse path filtering (uRPF) to limit the spoofed traffic that can enter your network.

Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| 3com Inc | Unknown | 2009-10-26 | 2009-10-26 |
| ACCESS | Unknown | 2009-10-26 | 2009-10-26 |
| Alcatel-Lucent | Unknown | 2009-10-26 | 2009-10-26 |
| Apple Inc. | Vulnerable | 2009-10-26 | 2009-10-27 |
| AT&T | Unknown | 2009-10-26 | 2009-10-26 |
| Avaya, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Barracuda Networks | Unknown | 2009-10-26 | 2009-10-26 |
| Belkin, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Borderware Technologies | Unknown | 2009-10-26 | 2009-10-26 |
| Charlotte's Web Networks | Unknown | 2009-10-26 | 2009-10-26 |
| Check Point Software Technologies | Unknown | 2009-10-26 | 2009-10-26 |
| Cisco Systems, Inc. | Vulnerable | 2009-10-26 | 2009-12-13 |
| Clavister | Unknown | 2009-10-26 | 2009-10-26 |
| Computer Associates | Not Vulnerable | 2009-10-26 | 2010-04-27 |
| Conectiva Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Cray Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| D-Link Systems, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Debian GNU/Linux | Vulnerable | 2009-10-26 | 2009-12-08 |
| EMC Corporation | Unknown | 2009-10-26 | 2009-10-26 |
| Engarde Secure Linux | Unknown | 2009-10-26 | 2009-10-26 |
| Enterasys Networks | Unknown | 2009-10-26 | 2009-10-26 |
| Ericsson | Unknown | 2009-10-26 | 2009-10-26 |
| eSoft, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Extreme Networks | Not Vulnerable | 2009-10-26 | 2010-02-03 |
| F5 Networks, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Fedora Project | Unknown | 2009-10-26 | 2009-10-26 |
| Force10 Networks, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Fortinet, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Foundry Networks, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| FreeBSD, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Fujitsu | Unknown | 2009-10-26 | 2009-10-26 |
| Gentoo Linux | Vulnerable | 2009-10-26 | 2009-12-10 |
| Global Technology Associates | Unknown | 2009-10-26 | 2009-10-26 |
| Hewlett-Packard Company | Unknown | 2009-10-26 | 2009-10-26 |
| Hitachi | Unknown | 2009-10-26 | 2009-10-26 |
| IBM Corporation | Unknown | 2009-10-26 | 2009-10-26 |
| IBM eServer | Unknown | 2009-10-26 | 2009-10-26 |
| Infoblox | Unknown | 2009-10-26 | 2009-10-26 |
| Intel Corporation | Unknown | 2009-10-26 | 2009-10-26 |
| Internet Security Systems, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Intoto | Unknown | 2009-10-26 | 2009-10-26 |
| IP Filter | Unknown | 2009-10-26 | 2009-10-26 |
| IP Infusion, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Juniper Networks, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Luminous Networks | Unknown | 2009-10-26 | 2009-10-26 |
| m0n0wall | Unknown | 2009-10-26 | 2009-10-26 |
| Mandriva S. A. | Unknown | 2009-10-26 | 2009-10-26 |
| McAfee | Unknown | 2009-10-26 | 2009-10-26 |
| Meinberg Funkuhren GmbH & Co. KG | Vulnerable | | 2009-12-16 |
| Microsoft Corporation | Not Vulnerable | 2009-10-26 | 2010-04-05 |
| MontaVista Software, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Multitech, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| NEC Corporation | Unknown | 2009-10-26 | 2009-10-26 |
| NetApp | Unknown | 2009-10-26 | 2009-10-26 |
| NetBSD | Unknown | 2009-10-26 | 2009-10-26 |
| netfilter | Unknown | 2009-10-26 | 2009-10-26 |
| Nokia | Unknown | 2009-10-26 | 2009-10-26 |
| Nortel Networks, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Novell, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Openwall GNU/*/Linux | Unknown | 2009-10-26 | 2009-10-26 |
| PePLink | Not Vulnerable | 2009-10-26 | 2009-12-04 |
| Process Software | Unknown | 2009-10-26 | 2009-10-26 |
| Q1 Labs | Unknown | 2009-10-26 | 2009-10-26 |
| QNX Software Systems Inc. | Vulnerable | 2009-10-26 | 2009-12-07 |
| Quagga | Unknown | 2009-10-26 | 2009-10-26 |
| RadWare, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Red Hat, Inc. | Vulnerable | 2009-10-26 | 2009-12-08 |
| Redback Networks, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| SafeNet | Not Vulnerable | 2009-10-26 | 2009-10-28 |
| Secureworx, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Silicon Graphics, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Slackware Linux Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| SmoothWall | Unknown | 2009-10-26 | 2009-10-26 |
| Snort | Unknown | 2009-10-26 | 2009-10-26 |
| Soapstone Networks | Unknown | 2009-10-26 | 2009-10-26 |
| Sony Corporation | Unknown | 2009-10-26 | 2009-10-26 |
| Sourcefire | Unknown | 2009-10-26 | 2009-10-26 |
| Stonesoft | Unknown | 2009-10-26 | 2009-10-26 |
| Sun Microsystems, Inc. | Vulnerable | 2009-10-26 | 2010-01-22 |
| SUSE Linux | Unknown | 2009-10-26 | 2009-10-26 |
| Symantec | Unknown | 2009-10-26 | 2009-10-26 |
| The SCO Group | Vulnerable | 2009-10-26 | 2009-10-29 |
| TippingPoint Technologies Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Turbolinux | Unknown | 2009-10-26 | 2009-10-26 |
| U4EA Technologies, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Ubuntu | Vulnerable | 2009-10-26 | 2009-12-09 |
| Unisys | Unknown | 2009-10-26 | 2009-10-26 |
| VMware | Unknown | 2009-10-26 | 2009-10-26 |
| Vyatta | Unknown | 2009-10-26 | 2009-10-26 |
| Watchguard Technologies, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| Wind River Systems, Inc. | Unknown | 2009-10-26 | 2009-10-26 |
| ZyXEL | Unknown | 2009-10-26 | 2009-10-26 |

References

https://support.ntp.org/bugs/show_bug.cgi?id=1331
http://tools.ietf.org/html/rfc2827
http://tools.ietf.org/html/rfc3704
http://www.ntp.org/downloads.html
http://www.ubuntu.com/usn/USN-867-1
http://security-tracker.debian.org/tracker/CVE-2009-3563
http://tools.cisco.com/security/center/viewAlert.x?alertId=19540

Credit

Thanks to Harlan Stenn for reporting this vulnerability.

This document was written by Will Dormann, based on information provided by Harlan Stenn.

Other Information

Date Public: 2009-12-08
Date First Published: 2009-12-08
Date Last Updated: 2010-04-27
CERT Advisory:
CVE-ID(s): CVE-2009-3563
NVD-ID(s): CVE-2009-3563
US-CERT Technical Alerts:
Metric: 0.00
Document Revision: 30

Produced 2009 by US-CERT, a government organization