NTP BUG 2672: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed

Last update: February 15, 2022 20:59 UTC (43fbd379b)


Summary

Resolved 4.2.8p1 04 Feb 2015
References Bug 2672 CVE-2014-9751
Affects All NTP4 releases before 4.2.8p1, under at least some versions of MacOS and Linux.
*BSD has not been seen to be vulnerable.
Resolved in 4.2.8p1.
CVSS2 Score 9 AV:N/AC:L/Au:N/C:P/I:P/A:C

Description

While available kernels will prevent 127.0.0.1 addresses from “appearing” on non-localhost IPv4 interfaces, some kernels do not offer the same protection for ::1 source addresses on IPv6 interfaces. Since NTP’s access control is based on source address and localhost addresses generally have no restrictions, an attacker can send malicious control and configuration packets by spoofing ::1 addresses from the outside.

NOTE: This is not really a bug in NTP, it’s a problem with some OSes. If you have one of these OSes where ::1 can be spoofed, ALL ::1 -based ACL restrictions on any application can be bypassed!


Mitigation


Credit

This vulnerability was discovered by Stephen Roettger of the Google Security Team.


Timeline