NTP BUG 3454: Unauthenticated packet can reset authenticated interleaved association

Last update: February 15, 2022 15:25 UTC (b158e7036)


Summary

Resolved 4.2.8p11 27 Feb 2018
References Bug 3454 CVE-2018-7185
Affects ntp-4.2.6, up to but not including ntp-4.2.8p11. Resolved in 4.2.8p11.
CVSS2 Score MED 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P
This could score between 2.9 and 6.8.
CVSS3 Score LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
This could score between 2.6 and 3.1.

Description

The NTP Protocol allows for both non-authenticated and authenticated associations, in client/server, symmetric (peer), and several broadcast modes. In addition to the basic NTP operational modes, symmetric mode and broadcast servers can support an interleaved mode of operation. In ntp-4.2.8p4 a bug was inadvertently introduced into the protocol engine that allows a non-authenticated zero-origin (reset) packet to reset an authenticated interleaved peer association. If an attacker can send a packet with a zero-origin timestamp and the source IP address of the “other side” of an interleaved association, the ‘victim’ ntpd will reset its association. The attacker must continue sending these packets in order to maintain the disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6, interleave mode could be entered dynamically. As of ntp-4.2.8p7, interleaved mode must be explicitly configured/enabled.


Mitigation


Credit

This weakness was discovered by Miroslav Lichvar of Red Hat.


Timeline