NTP BUG 2941: NAK to the Future: Symmetric association authentication bypass via crypto-NAK

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8p4.md	21 Oct 2015
References	Bug 2941	CVE-2015-7871
Affects	All ntp-4 releases between 4.2.5p186 up to but not including 4.2.8p4, and 4.3.0 up to but not including 4.3.77.	Resolved in 4.2.8p4.
CVSS2 Score	6.4	AV:N/AC:L/Au:N/C:N/I:P/A:P

Description

Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations. This vulnerability appears to have been introduced in ntp-4.2.5p186 when the code handling mobilization of new passive symmetric associations (lines 1103-1165) was refactored.

Mitigation

Implement BCP-38.
Upgrade to 4.2.8p4 or later.
If you are unable to upgrade:
- Apply the patch to the bottom of the authentic check block around line 1136 of ntp_proto.c.
Monitor your ntpd instances.

Credit

This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Timeline

2015 Oct 21: Public release
2015 Oct 6: Early Access Program Release: Premier and Partner Institutional Members
2015 Aug 26: Notification to Institutional Members for 1593, 1774, 2382, 2899, and 2902
2015 Aug 20: Initial notification of 2902; analysis begins
2015 Aug 11: Initial notification of 2899; analysis begins