NTP BUG 3012: Sybil vulnerability: ephemeral association attack (original) (raw)
Last update: June 28, 2022 20:06 UTC (57417e17c)
Summary
| Resolved | 4.2.8p7 | 26 Apr 2016 |
|---|---|---|
| References | Bug 3012 | CVE-2016-1549 |
| Affects | All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92. | Resolved in 4.2.8p7 with significant additional protections for this issue in 4.2.8p11. |
| CVSS2 Score | LOW 3.5 | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| CVSS3 Score | MED 5.3 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
Description
ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer – i.e. one where the attacker knows the private symmetric key – can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim’s clock.
Mitigation
- Implement BCP-38.
- Use the 4th argument in the
ntp.keysfile to limit the IPs that can be time servers. - Properly monitor your
ntpdinstances.
Credit
This weakness was discovered by Matthew Van Gundy of Cisco ASIG.