NTP BUG 3011: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8p7/	26 Apr 2016
References	Bug 3011	CVE-2016-2516
Affects	All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92.	Resolved in 4.2.8p7.
CVSS2 Score	MED 6.3	AV:N/AC:M/Au:S/C:N/I:N/A:C
CVSS3 Score	MED 4.2	CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Description

If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and if an existing association is unconfigured using the same IP twice on the unconfig directive line, ntpd will abort.

Mitigation

Implement BCP-38.
Upgrade to 4.2.8p7 or later.
Properly monitor your ntpd instances.

Credit

This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360.

Timeline

2016 Apr 26: Public release
2016 Apr 12: Early Access Program Release: Premier and Partner Institutional Members
2016 Feb 14: Notification to Institutional Members
2016 Jan 12: Initial notification from Cisco