Vulnerability Note VU#568372

NTP mode 7 denial-of-service vulnerability

Original Release date: 08 Dec 2009 | Last revised: 22 Jul 2011

Overview

NTP contains a vulnerability in the handling of mode 7 requests, which can result in a denial-of-service condition.

Description

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address that is not listed in a "restrict ... noquery" or "restrict ... ignore" segment, ntpd will reply with a mode 7 error response and log a message.

If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.

If an attacker spoofs an address of ntpd host A in a mode 7 response packet sent to ntpd host A, then host A will respond to itself endlessly, consuming CPU and logging excessively.

Impact

A remote, unauthenticated attacker may be able to cause a denial-of-service condition on a vulnerable NTP server.

Solution

Apply an update

This issue is addressed in NTP 4.2.4p8. Please check with your vendor for an update, or you may download NTP 4.2.4p8 from ntp.org.

Configure NTP to limit source addresses

By using "restrict ... noquery" or "restrict ... ignore" entries in the ntp.conf file, ntpd can be configured to limit the source addresses to which it will respond.
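An illustrative ntp.conf restrict policy along those lines (added here as an example, not configuration taken from the note or from ntp.org; the management and client address blocks are documentation-range placeholders):

```conf
# Deny mode 6/7 queries, runtime modification and peer association from
# everyone by default; ordinary time requests (modes 1-5) are still answered.
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery

# The local host keeps full access so ntpq and ntpdc work on the box itself.
restrict 127.0.0.1
restrict -6 ::1

# A management subnet (example block) may query but not modify.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap

# A host that should not talk to this server at all: "ignore" drops every
# packet from it, including time requests, so no error response is generated.
restrict 203.0.113.9 ignore
```

"noquery" only blocks the mode 6 and mode 7 control traffic, so it is the least disruptive choice for clients that still need time; "ignore" silences the address entirely and is the one that guarantees ntpd will not answer a spoofed mode 7 error response from it.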

Filter NTP mode 7 packets that specify source and destination port 123

In most cases, ntpdc mode 7 requests will have either a source or destination port of 123, but not both.
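The following added example (not code from the note or from the ntp.org project) turns the description above and this port-based filter into a small classifier: it reads the mode from byte 0 of each NTP payload, recognises mode 7 packets that carry port 123 on both ends or that are addressed from a host to itself, and reports address pairs that have exchanged a run of mode 7 error responses in both directions, which is the A<->B loop the note describes. The mode 7 field offsets follow the ntpdc packet layout; the sample packets, addresses and the loop threshold are constructed for the demonstration.

```python
"""Classify NTP packets by mode and flag mode 7 (MODE_PRIVATE) traffic that
matches the reflection patterns in VU#568372. Example code added for this
note; the sample packets below are constructed, not captured traffic."""
from collections import defaultdict

NTP_PORT = 123
MODE_PRIVATE = 7    # ntpdc traffic
MODE_CONTROL = 6    # ntpq traffic
LOOP_THRESHOLD = 5  # error responses per direction before a pair is reported


def parse_ntp_header(payload):
    """Return the header fields needed for classification, or None if too short.

    Every NTP mode shares byte 0: bits 5-3 hold the version and bits 2-0 the
    mode. A mode 7 packet additionally uses bit 7 of byte 0 as the Response
    flag, byte 2 as the implementation number, byte 3 as the request code and
    the high nibble of byte 4 as the error code (non-zero in an error response).
    """
    if len(payload) < 4:
        return None
    b0 = payload[0]
    hdr = {"version": (b0 >> 3) & 0x07, "mode": b0 & 0x07}
    if hdr["mode"] == MODE_PRIVATE:
        hdr["response"] = bool(b0 & 0x80)
        hdr["implementation"] = payload[2]
        hdr["request"] = payload[3]
        hdr["error"] = (payload[4] >> 4) if len(payload) > 4 else 0
    return hdr


def audit_mode7(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload).

    Returns (findings, loops). findings is a list of (packet_index, reason)
    for individual suspicious mode 7 packets. loops lists (ip_a, ip_b) pairs
    that exchanged at least LOOP_THRESHOLD mode 7 error responses in each
    direction; ip_a == ip_b covers the host-answering-itself case.
    """
    findings = []
    err_counts = defaultdict(int)  # (sender, receiver) -> error responses seen
    for i, (src, sport, dst, dport, payload) in enumerate(packets):
        hdr = parse_ntp_header(payload)
        if hdr is None or hdr["mode"] != MODE_PRIVATE:
            continue
        if sport == NTP_PORT and dport == NTP_PORT:
            findings.append((i, "mode 7 with source and destination port 123"))
        if src == dst:
            findings.append((i, "mode 7 packet addressed from a host to itself"))
        if hdr["response"] and hdr["error"]:
            err_counts[(src, dst)] += 1
    loops = sorted({
        tuple(sorted(pair))
        for pair, n in list(err_counts.items())
        if n >= LOOP_THRESHOLD
        and err_counts.get((pair[1], pair[0]), 0) >= LOOP_THRESHOLD
    })
    return findings, loops


def _mode7(response, error=0, version=2, implementation=3, request=0):
    """Build a minimal constructed mode 7 payload (8 bytes, no data items)."""
    b0 = (0x80 if response else 0) | (version << 3) | MODE_PRIVATE
    return bytes([b0, 0x00, implementation, request, error << 4, 0, 0, 0])


# Constructed sample traffic: one ordinary time request, one legitimate ntpdc
# query from an ephemeral port, a spoofed A<->B error loop and a self-loop.
CLIENT_REQUEST = bytes([0x23]) + bytes(47)  # LI 0, version 4, mode 3 (client)
SAMPLE_PACKETS = (
    [("192.0.2.10", 50000, "198.51.100.5", 123, CLIENT_REQUEST)]
    + [("192.0.2.20", 40000, "198.51.100.5", 123, _mode7(response=False))]
    + [("198.51.100.5", 123, "198.51.100.6", 123, _mode7(True, error=3))] * 6
    + [("198.51.100.6", 123, "198.51.100.5", 123, _mode7(True, error=3))] * 6
    + [("198.51.100.7", 123, "198.51.100.7", 123, _mode7(True, error=3))] * 5
)

if __name__ == "__main__":
    found, pairs = audit_mode7(SAMPLE_PACKETS)
    print(f"{len(found)} suspicious mode 7 packets; looping pairs: {pairs}")
```

The legitimate ntpdc query in the sample is not flagged because only one end uses port 123 and it is not an error response, which is exactly the distinction the port filter above relies on; a capture filter of `udp and src port 123 and dst port 123` plus a mode check on byte 0 isolates the same packets on the wire.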

Use anti-spoofing IP address filters

RFC 2827 (BCP 38) describes network ingress filtering, which can prevent UDP traffic claiming to be from a local address from entering your network from an outside source. Some ISPs may employ unicast reverse path filtering (uRPF) to limit the spoofed traffic that can enter your network.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apple Inc. | Affected | 26 Oct 2009 | 27 Oct 2009
Cisco Systems, Inc. | Affected | 26 Oct 2009 | 13 Dec 2009
Debian GNU/Linux | Affected | 26 Oct 2009 | 08 Dec 2009
Gentoo Linux | Affected | 26 Oct 2009 | 10 Dec 2009
Meinberg Funkuhren GmbH & Co. KG | Affected | - | 16 Dec 2009
QNX Software Systems Inc. | Affected | 26 Oct 2009 | 07 Dec 2009
Red Hat, Inc. | Affected | 26 Oct 2009 | 08 Dec 2009
Sun Microsystems, Inc. | Affected | 26 Oct 2009 | 22 Jan 2010
The SCO Group | Affected | 26 Oct 2009 | 29 Oct 2009
Ubuntu | Affected | 26 Oct 2009 | 09 Dec 2009
Computer Associates | Not Affected | 26 Oct 2009 | 27 Apr 2010
Extreme Networks | Not Affected | 26 Oct 2009 | 03 Feb 2010
Force10 Networks, Inc. | Not Affected | 26 Oct 2009 | 22 Jul 2011
Microsoft Corporation | Not Affected | 26 Oct 2009 | 05 Apr 2010
PePLink | Not Affected | 26 Oct 2009 | 04 Dec 2009

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

Credit

Thanks to Harlan Stenn for reporting this vulnerability.

This document was written by Will Dormann, based on information provided by Harlan Stenn.

Other Information

  • CVE IDs: CVE-2009-3563
  • Date Public: 08 Dec 2009
  • Date First Published: 08 Dec 2009
  • Date Last Updated: 22 Jul 2011
  • Document Revision: 31