NTP BUG 2942: Off-path Denial of Service (DoS) attack on authenticated broadcast mode

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8p6	19 Jan 2016
References	Bug 2942	CVE-2015-7979
Affects	All ntp-4 releases up to, but not including 4.2.8p6, and 4.3.0 up to, but not including 4.3.90.	Resolved in 4.2.8p6.
CVSS2 Score	MED 5.8	AV:N/AC:M/Au:N/C:N/I:P/A:P

Description

An off-path attacker can send broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to broadcast clients. It is observed that the broadcast client tears down the association with the broadcast server upon receiving just one bad packet.

Mitigation

Implement BCP-38.
Upgrade to 4.2.8p6 or later.](https://downloads.nwtime.org/ntp/4.2.8/)
Monitor your ntpd instances.
If this sort of attack is an active problem for you, you have deeper problems to investigate. Also consider having smaller NTP broadcast domains.

Credit

This weakness was discovered by Aanchal Malhotra of Boston University.

Timeline

2016 Jan 19: Public release
2016 Jan 17: Early Access Program Release: Premier and Partner Institutional Members
2015 Nov 5: Notification to Institutional Members
2016 Oct 16: Initial notification from Cisco