NTP BUG 3020: Refclock impersonation vulnerability

Last update: February 15, 2022 20:59 UTC (43fbd379b)


Summary

Resolved 4.2.8p7 26 Apr 2016
References Bug 3020 CVE-2016-1551
Affects On a very limited number of OSes, all NTP releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92. By "very limited number of OSes" we mean no general-purpose OSes have yet been identified that have this vulnerability. Resolved in 4.2.8p7.
CVSS2 Score LOW 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSS3 Score LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock.


Mitigation


Credit

This weakness was discovered by Matt Street and others of Cisco ASIG.


Timeline