NTP BUG 3020: Refclock impersonation vulnerability
Last update: February 15, 2022 20:59 UTC (43fbd379b)
While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if
ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock.
- Implement martian packet filtering and BCP-38.
ntpd to use an adequate number of time sources.
- Upgrade to 4.2.8p7 or later.
- If you are unable to upgrade and if you are running an OS that has this vulnerability, implement martian packet filters and lobby your OS vendor to fix this problem, or run your refclocks on computers that use OSes that are not vulnerable to these attacks and have your vulnerable machines get their time from protected resources.
- Properly monitor your
This weakness was discovered by Matt Street and others of Cisco ASIG.