NTP BUG 2901: Clients that receive a KoD should validate the origin timestamp field

Last update: March 2, 2022 17:28 UTC (616623bea)


Summary

Resolved 4.2.8p4 21 Oct 2015
References Bug 2901 CVE-2015-7704
CVE-2015-7705
Affects All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77.
Resolved in 4.2.8p4.
CVSS2 Score 4.3-5.0 at worst AV:N/AC:M/Au:N/C:N/I:N/A:P

Description

An ntpd client that honors Kiss-of-Death responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target’s time source by sending the target a time query.


Mitigation

NOTE: 4.2.8p4 protects against the first attack. For the second attack, all we can do is warn when it is happening, which we do in 4.2.8p4.


Credit

This weakness was discovered by Aanchal Malhotra, Issac E. Cohen, and Sharon Goldberg of Boston University.


Timeline