NTP BUG 2779: ntpd accepts unauthenticated packets with symmetric key crypto

Last update: February 15, 2022 20:59 UTC (43fbd379b)


Summary

Resolved 4.2.8p2 07 Apr 2015
References Bug 2779 CVE-2015-1798
Affects All NTP4 releases starting with ntp-4.2.5p99 up to but not including ntp-4.2.8p2
where the installation uses symmetric keys to authenticate remote associations.
Resolved in 4.2.8p2.
CVSS2 Score 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P

Description

When ntpd is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key. The attacker needs to know the transmit timestamp of the client to match it in the forged reply and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn’t necessarily need to be relaying the packets between the client and the server.

Authentication using autokey doesn’t have this problem as there is a check that requires the key ID to be larger than NTP_MAXKEY, which fails for packets without a MAC.


Mitigation


Credit

This issue was discovered by Miroslav Lichvar, of Red Hat.


Timeline