Last update: January 15, 2024 18:03 UTC (83e32bc41)
| Resolved | 4.2.4p8, 4.2.6 | 08 December 2009 |
|---|---|---|
| References | Bug 1331 | CVE-2009-3563 |
| Affects | All releases from xntp2 (1989) (possibly earlier) through 4.2.4 before 4.2.4p8 and all versions of 4.2.5. | Resolved in 4.2.4p8 and 4.2.6. |
| CVSS2 Score | 6.4 | AV:N/AC:L/Au:N/C:N/I:P/A:P |
NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address which is not listed in a `restrict ... noquery` or `restrict ... ignore` statement, ntpd will reply with a mode 7 error response (and log a message). In this case:

- If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.
- If an attacker spoofs an address of ntpd host A in a mode 7 response packet sent to ntpd host A, A will respond to itself endlessly, consuming CPU and logging excessively.

Mitigation:

- Upgrade to 4.2.4p8 or 4.2.6 (or later). This is the complete fix; the measures below only reduce exposure, because they match on a source address that the attacker chooses.
- Use `restrict ... noquery` or `restrict ... ignore` in your ntp.conf file to limit the source addresses to which ntpd will respond.
- Filter mode 7 traffic at your firewall. There is generally no reason to allow ntpdc to manage NTP servers outside your network, or for a legitimate outsider to manage your servers. (If either of these is useful, a VPN is probably your friend.) ntpdc mode 7 requests will have a source port not equal to 123 and a destination port of 123, while most legitimate responses will have a source port of 123 and a destination port not equal to 123.

Credit: This vulnerability was discovered by Robin Park and Dmitri Vinokurov of Alcatel-Lucent.
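The loop described above and the mitigations listed under it, as an added example written for this page (it is not ntpd's code, nor the NTP Project's): a parser for the 8-byte fixed header of a mode 7 packet using the field layout from ntpd's ntp_request.h, a simplified ntpd that answers mode 7 packets the way the advisory describes, the same handler with the fixed behaviour (a packet whose response bit is set is dropped, never answered), a `restrict ... noquery` style source filter, and the edge-firewall check. The hosts, networks, packet contents and the `fixed`/`noquery` knobs are assumptions made for the simulation.

```python
"""Toy model of the NTP mode 7 (MODE_PRIVATE) error-response loop.

Constructed example, not ntpd's own code. Header field positions follow
ntpd's ntp_request.h; everything else (hosts, networks, packets) is made up.
"""
import ipaddress
import struct
from dataclasses import dataclass

MODE_PRIVATE = 7        # mode 7: ntpdc; mode 6: ntpq; modes 1-5: time transfer
NTP_PORT = 123
RESP_BIT = 0x80         # R bit in byte 0: this packet is a response, not a request
IMPL_XNTPD = 3          # implementation number ntpdc and ntpd use
INFO_ERR_OKAY, INFO_ERR_IMPL, INFO_ERR_REQ, INFO_ERR_FMT = 0, 1, 2, 3
# rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize
HDR = struct.Struct("!BBBBHH")


@dataclass
class Mode7:
    response: bool
    version: int
    mode: int
    implementation: int
    request: int
    err: int
    nitems: int


def parse_mode7(pkt: bytes) -> Mode7:
    """Decode the fixed header; raises ValueError on a packet shorter than 8 bytes."""
    if len(pkt) < HDR.size:
        raise ValueError("short mode 7 packet")
    rm_vn_mode, _auth_seq, impl, req, err_nitems, _ = HDR.unpack_from(pkt)
    return Mode7(response=bool(rm_vn_mode & RESP_BIT), version=(rm_vn_mode >> 3) & 0x7,
                 mode=rm_vn_mode & 0x7, implementation=impl, request=req,
                 err=(err_nitems >> 12) & 0xF, nitems=err_nitems & 0xFFF)


def build_mode7(response: bool, implementation: int, request: int, err: int = 0) -> bytes:
    """Build a mode 7 header (version 2); an error response is response=True with err != 0."""
    rm_vn_mode = (RESP_BIT if response else 0) | (2 << 3) | MODE_PRIVATE
    return HDR.pack(rm_vn_mode, 0, implementation, request, (err & 0xF) << 12, 0)


class Ntpd:
    """Simplified mode 7 handling (assumed model). fixed=True stands for 4.2.4p8/4.2.6,
    which drop a mode 7 packet with the response bit set instead of answering it.
    noquery lists the networks covered by restrict ... noquery / restrict ... ignore."""

    def __init__(self, addr, fixed=False, noquery=()):
        self.addr = addr
        self.fixed = fixed
        self.noquery = [ipaddress.ip_network(n) for n in noquery]
        self.replies = 0

    def restricted(self, src):
        return any(ipaddress.ip_address(src) in n for n in self.noquery)

    def receive(self, src, pkt):
        """Return the packet ntpd would send back to src, or None if it stays silent."""
        if len(pkt) < HDR.size:
            return None
        hdr = parse_mode7(pkt)
        if hdr.mode != MODE_PRIVATE or self.restricted(src):
            return None
        if hdr.response:
            if self.fixed:
                return None                  # fixed: a response is never answered
            # vulnerable: an unsolicited error response is itself answered with an error
            reply = build_mode7(True, hdr.implementation, hdr.request, INFO_ERR_FMT)
        elif hdr.implementation != IMPL_XNTPD:
            reply = build_mode7(True, hdr.implementation, hdr.request, INFO_ERR_IMPL)
        else:
            reply = build_mode7(True, hdr.implementation, hdr.request, INFO_ERR_OKAY)
        self.replies += 1
        return reply


def simulate(a, b, max_rounds=50):
    """The attacker sends b one mode 7 error response with a's address spoofed as source;
    returns how many replies a and b then exchange (capped at max_rounds).
    Passing the same host as a and b models the self-addressed case."""
    hosts = {a.addr: a, b.addr: b}
    src, dst, pkt = a.addr, b.addr, build_mode7(True, IMPL_XNTPD, 0, INFO_ERR_REQ)
    exchanged = 0
    while exchanged < max_rounds:
        reply = hosts[dst].receive(src, pkt)
        if reply is None:
            break
        exchanged += 1
        src, dst, pkt = dst, src, reply      # the reply goes back to the (spoofed) source
    return exchanged


def firewall_allows(src, dst_port, pkt, inside=("10.0.0.0/8",)):
    """Edge filter: a packet bound for port 123 (the request direction from the advisory)
    that carries mode 7 passes only from inside networks; modes 1-6 are not touched."""
    if dst_port != NTP_PORT or (pkt[0] & 0x7) != MODE_PRIVATE:
        return True
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in inside)
```

Running `simulate` with two vulnerable hosts hits the round cap (the exchange never ends on its own); with either host fixed it stops after at most one reply, and a `noquery` entry covering the spoofed address silences the target entirely. `firewall_allows` keys on the destination port plus the mode bits of the first byte rather than on the source port alone, since a spoofed packet can claim source port 123 just as easily as any other address.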