NTP BUG 2672: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed
Last update: April 22, 2024 18:49 UTC (7e7bd5857)
Summary
Description
While available kernels will prevent 127.0.0.1 addresses from “appearing” on non-localhost IPv4 interfaces, some kernels do not offer the same protection for ::1 source addresses on IPv6 interfaces. Since NTP’s access control is based on source address and localhost addresses generally have no restrictions, an attacker can send malicious control and configuration packets by spoofing ::1 addresses from the outside.
NOTE: This is not really a bug in NTP; it is a problem with some OSes. If you have one of these OSes where ::1 can be spoofed, ALL ::1-based ACL restrictions on any application can be bypassed!
Mitigation
- Upgrade to 4.2.8p1 or later.
- Install firewall rules to block packets claiming to come from ::1 from inappropriate network interfaces.
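One way to write the firewall rule from the second item on a Linux host that uses nftables, given as an added example that is not part of the NTP advisory. The table name `spoofed_loopback` is made up for illustration, and the loopback interface is assumed to be named `lo`.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the NTP advisory.
# Assumption: the loopback interface is named "lo".
# The table name "spoofed_loopback" is made up for this example.

table ip6 spoofed_loopback {
    chain prerouting {
        # Raw priority: evaluated before connection tracking and before
        # the packet can be delivered to a local daemon such as ntpd.
        type filter hook prerouting priority raw; policy accept;

        # Genuine ::1 traffic only ever arrives on the loopback interface.
        iif "lo" accept

        # Anything else claiming ::1 as its source is spoofed.
        # Log a rate-limited sample for detection, then count and drop all of it.
        ip6 saddr ::1 limit rate 5/minute log prefix "spoofed-::1-src: "
        ip6 saddr ::1 counter drop
    }
}
```

Load it with `nft -f <file>`; `nft list table ip6 spoofed_loopback` then shows the drop counter, which should stay at zero on a network where nobody is sending such packets.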
Credit
This vulnerability was discovered by Stephen Roettger of the Google Security Team.
Timeline