NTP BUG 3361: 0rigin DoS

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

---

Summary

Resolved	4.2.8p10	21 Mar 2017
References	Bug 3361	CVE-2016-9042
Affects	ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10.	Resolved in 4.2.8p10.
CVSS2 Score	MED 4.9	AV:N/AC:H/Au:N/C:N/I:N/A:C (worst case)
CVSS3 Score	MED 4.4	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)

---

Description

An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition. This vulnerability can only be exploited if the attacker can spoof all of the servers.

---

Mitigation

• Implement BCP-38.
• Configure enough servers/peers that an attacker cannot target all of your time sources.
• Upgrade to 4.2.8p10 or later.
• Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.

---

Credit

This weakness was discovered by Matthew Van Gundy of Cisco.

---

Timeline

• 2017 Mar 21: Public release
• 2017 Mar 06: Early Access Program Release: Premier and Partner Institutional Members
• 2017 Mar 06: Notification to Institutional Members
• 2017 Feb 09: Mozilla/Cure53 audit received