NTP BUG 2913: mode 7 loop counter underrun (original) (raw)
Last update: April 22, 2024 18:49 UTC (7e7bd5857)
Summary
| Resolved | 4.2.8p4 | 21 Oct 2015 |
|---|---|---|
| References | Bug 2913 | CVE-2015-7848 |
| Affects | All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77. | Resolved in 4.2.8p4. |
| CVSS2 Score | 4.6 | AV:N/AC:H/Au:M/C:N/I:N/A:C |
Description
If ntpd is configured to enable mode 7 packets, and if the use of mode 7 packets is not properly protected thru the use of the available mode 7 authentication and restriction mechanisms, and if the (possibly spoofed) source IP address is allowed to send mode 7 queries, then an attacker can send a crafted packet to ntpd that will cause it to crash.
Mitigation
- Implement BCP-38.
- Upgrade to 4.2.8p4 or later.
- If you are unable to upgrade:
- In ntp-4.2.8, mode 7 is disabled by default. Don’t enable it.
- If you must enable mode 7:
* configure the use of arequestkeyto control who can issue mode 7 requests.
* configurerestrict noqueryto further limit mode 7 requests to trusted sources.
- Monitor your
ntpdinstances.
Credit
This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
Timeline
- 2015 Oct 21: Public release
- 2015 Oct 6: Early Access Program Release: Premier and Partner Institutional Members
- 2015 Aug 26: Notification to Institutional Members for 1593, 1774, 2382, 2899, and 2902
- 2015 Aug 20: Initial notification of 2902; analysis begins
- 2015 Aug 11: Initial notification of 2899; analysis begins