NTP BUG 2945: 0rigin: Zero Origin Timestamp Bypass

Last update: June 28, 2022 20:06 UTC (57417e17c)

Summary

Resolved	4.2.8p6	19 Jan 2016
References	Bug 2945	CVE-2015-8138
Affects	All ntp-4 releases up to, but not including 4.2.8p6, and 4.3.0 up to, but not including 4.3.90.	Resolved in 4.2.8p6
CVSS2 Score	MED 5.0	AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3 Score	MED 5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (3.7 - LOW if you score AC:H)

Description

To distinguish legitimate peer responses from forgeries, a client attempts to verify a response packet by ensuring that the origin timestamp in the packet matches the origin timestamp it transmitted in its last request. A logic error that allowed packets with an origin timestamp of zero to bypass this check whenever there is not an outstanding request to the server.

Mitigation

Configure ntpd to get time from multiple sources.
Upgrade to 4.2.8p6 or later.](/downloads/)
Monitor your ntpd instances.

Credit

This weakness was discovered by Jonathan Gardner of Cisco ASIG.

Timeline

2016 Jan 19: Public release
2016 Jan 17: Early Access Program Release: Premier and Partner Institutional Members
2015 Nov 5: Notification to Institutional Members
2016 Oct 16: Initial notification from Cisco