NTP BUG 3020: Refclock impersonation vulnerability

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8p7	26 Apr 2016
References	Bug 3020	CVE-2016-1551
Affects	On a very limited number of OSes, all NTP releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92. By "very limited number of OSes" we mean no general-purpose OSes have yet been identified that have this vulnerability.	Resolved in 4.2.8p7.
CVSS2 Score	LOW 2.6	AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSS3 Score	LOW 3.7	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock.

Mitigation

Implement martian packet filtering and BCP-38.
Configure ntpd to use an adequate number of time sources.
Upgrade to 4.2.8p7 or later.
If you are unable to upgrade and if you are running an OS that has this vulnerability, implement martian packet filters and lobby your OS vendor to fix this problem, or run your refclocks on computers that use OSes that are not vulnerable to these attacks and have your vulnerable machines get their time from protected resources.
Properly monitor your ntpd instances.

Credit

This weakness was discovered by Matt Street and others of Cisco ASIG.

Timeline

2016 Apr 26: Public release
2016 Apr 12: Early Access Program Release: Premier and Partner Institutional Members
2016 Feb 14: Notification to Institutional Members
2016 Jan 12: Initial notification from Cisco