NTP BUG 2945: 0rigin: Zero Origin Timestamp Bypass

Last update: February 15, 2022 20:59 UTC (43fbd379b)


Summary

Resolved 4.2.8p6 19 Jan 2016
References Bug 2945 CVE-2015-8138
Affects All ntp-4 releases up to, but not including 4.2.8p6,
and 4.3.0 up to, but not including 4.3.90.
Resolved in 4.2.8p6
CVSS2 Score MED 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3 Score MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
(3.7 - LOW if you score AC:H)

Description

To distinguish legitimate peer responses from forgeries, a client attempts to verify a response packet by ensuring that the origin timestamp in the packet matches the origin timestamp it transmitted in its last request. A logic error that allowed packets with an origin timestamp of zero to bypass this check whenever there is not an outstanding request to the server.


Mitigation


Credit

This weakness was discovered by Jonathan Gardner of Cisco ASIG.


Timeline