NTP BUG 3118: Mode 6 unauthenticated trap information disclosure and DDoS vector
Last update: April 22, 2024 18:49 UTC (7e7bd5857)
Summary
Description
An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd
. If, against long-standing BCP recommendations, restrict default noquery ...
is not specified, a specially crafted control mode packet can set ntpd
traps, providing information disclosure and DDoS amplification, and unset ntpd
traps, disabling legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.
Mitigation
- Implement BCP-38.
- Use
restrict default noquery ...
in your ntp.conf
file.
- Upgrade to 4.2.8p9 or later.
- Properly monitor your
ntpd
instances, and auto-restart ntpd
(without -g
) if it stops running.
Credit
This weakness was discovered by Matthew Van Gundy of Cisco.
Timeline