NTP BUG 3453: Interleaved symmetric mode cannot recover from bad state

Last update: February 15, 2022 15:25 UTC (b158e7036)


Summary

Resolved 4.2.8p11 27 Feb 2018
References Bug 3453 CVE-2018-7184
Affects ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11. Resolved in 4.2.8p11.
CVSS2 Score MED 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N
Could score between 2.9 and 6.8.
CVSS3 Score LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Could score between 2.6 and 6.0.

Description

The fix for NTP Bug 2952 was incomplete, and while it fixed one problem it created another. Specifically, it drops bad packets before updating the “received” timestamp. This means a third-party can inject a packet with a zero-origin timestamp, meaning the sender wants to reset the association, and the transmit timestamp in this bogus packet will be saved as the most recent “received” timestamp. The real remote peer does not know this value and this will disrupt the association until the association resets.


Mitigation


Credit

This weakness was discovered by Miroslav Lichvar of Red Hat.


Timeline