Executive Summary
Summary | |
---|---|
Title | NTP mode 7 denial-of-service vulnerability |
Information | |||
---|---|---|---|
Name | VU#568372 | First vendor Publication | 2009-12-08 |
Vendor | VU-CERT | Last vendor Modification | 2010-04-27 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.4 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#568372
NTP mode 7 denial-of-service vulnerability
Overview
NTP contains a vulnerability in the handling of mode 7 requests, which can result in a denial-of-service condition.
I. Description
NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address that is not listed in a "restrict ... noquery" or "restrict ... ignore" segment, ntpd will reply with a mode 7 error response and log a message.
If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.
This issue is addressed in NTP 4.2.4p8. Please check with your vendor for an update, or you may download NTP 4.2.4p8 from ntp.org.
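Detection logic for the reply loop described above, added here as an example (it is not part of the CERT note or of the NTP code base): it decodes the mode 7 header of captured UDP/123 payloads and reports host pairs that send each other mode 7 error responses in both directions. The 8-byte header layout (response bit, version, mode, implementation, request code, 4-bit error code) follows ntpd's mode 7 packet format and is an assumption not stated on this page; the addresses, payloads and the `min_per_direction` threshold are constructed sample values.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7   # mode used by ntpdc, per the description above
RESP_BIT = 0x80    # byte 0: set when the packet is a response (assumed layout)

def parse_mode7(payload: bytes):
    """Return the mode 7 header fields, or None if the payload is not mode 7."""
    if len(payload) < 8:
        return None
    rm_vn_mode, _auth_seq, impl, request, err_nitems, _itemsize = struct.unpack(
        "!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & RESP_BIT),
        "version": (rm_vn_mode >> 3) & 0x07,
        "implementation": impl,
        "request": request,
        "error": err_nitems >> 12,        # non-zero means an error response
        "nitems": err_nitems & 0x0FFF,
    }

def find_reply_loops(packets, min_per_direction=3):
    """packets: iterable of (src, dst, udp_payload).

    Flags pairs of hosts where mode 7 *error responses* flow both ways,
    which is the ping-pong pattern; ordinary ntpdc use is request -> response.
    """
    counts = defaultdict(int)
    for src, dst, payload in packets:
        hdr = parse_mode7(payload)
        if hdr and hdr["response"] and hdr["error"] != 0:
            counts[(src, dst)] += 1
    loops = []
    for (a, b), n in counts.items():
        # a <= b reports each pair once and also covers a host looping with itself
        if a <= b and n >= min_per_direction \
                and counts.get((b, a), 0) >= min_per_direction:
            loops.append((a, b))
    return sorted(loops)

# Constructed sample payloads (not captured traffic).
ERR_RESP = bytes([0x97, 0x00, 0x03, 0x00, 0x30, 0x00, 0x00, 0x00])  # response, error 3
OK_RESP  = bytes([0x97, 0x00, 0x03, 0x00, 0x00, 0x01, 0x00, 0x20])  # response, error 0
REQUEST  = bytes([0x17, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00])  # mode 7 request
CLIENT   = bytes([0x23]) + bytes(47)                                # mode 3 time request

SAMPLE = [
    ("192.0.2.10", "192.0.2.20", ERR_RESP),
    ("192.0.2.20", "192.0.2.10", ERR_RESP),
] * 3 + [
    ("198.51.100.5", "192.0.2.10", REQUEST),   # legitimate ntpdc query
    ("192.0.2.10", "198.51.100.5", OK_RESP),
    ("198.51.100.5", "192.0.2.10", CLIENT),    # routine time transfer
]

if __name__ == "__main__":
    for pair in find_reply_loops(SAMPLE):
        print("mode 7 error-response loop between", pair[0], "and", pair[1])
```
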
References
Thanks to Harlan Stenn for reporting this vulnerability. This document was written by Will Dormann, based on information provided by Harlan Stenn.
Original Source
Url : http://www.kb.cert.org/vuls/id/568372 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11225 | |||
Oval ID: | oval:org.mitre.oval:def:11225 | ||
Title: | ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons. | ||
Description: | ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-3563 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:12141 | |||
Oval ID: | oval:org.mitre.oval:def:12141 | ||
Title: | AIX xntpd denial-of-service vulnerability | ||
Description: | ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-3563 | Version: | 3 |
Platform(s): | IBM AIX 5.3 IBM AIX 6.1 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:12783 | |||
Oval ID: | oval:org.mitre.oval:def:12783 | ||
Title: | DSA-1992-1 chrony -- several | ||
Description: | Several vulnerabilities have been discovered in chrony, a pair of programs which are used to maintain the accuracy of the system clock on a computer. These issues are similar to the NTP security flaw CVE-2009-3563. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0292 chronyd replies to all cmdmon packets with NOHOSTACCESS messages even for unauthorised hosts. An attacker can abuse this behaviour to force two chronyd instances to play packet ping-pong by sending such a packet with spoofed source address and port. This results in high CPU and network usage and thus denial of service conditions. CVE-2010-0293 The client logging facility of chronyd doesn't limit memory that is used to store client information. An attacker can cause chronyd to allocate large amounts of memory by sending NTP or cmdmon packets with spoofed source addresses resulting in memory exhaustion. CVE-2010-0294 chronyd lacks a rate limit control to the syslog facility when logging received packets from unauthorised hosts. This allows an attacker to cause denial of service conditions via filling up the logs and thus disk space by repeatedly sending invalid cmdmon packets. For the oldstable distribution, this problem has been fixed in version 1.21z-5+etch1. For the stable distribution, this problem has been fixed in version 1.23-6+lenny1. For the testing and unstable distribution, this problem will be fixed soon. We recommend that you upgrade your chrony packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1992-1 CVE-2010-0292 CVE-2010-0293 CVE-2010-0294 CVE-2009-3563 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | chrony |
Definition Id: oval:org.mitre.oval:def:13488 | |||
Oval ID: | oval:org.mitre.oval:def:13488 | ||
Title: | USN-867-1 -- ntp vulnerability | ||
Description: | Robin Park and Dmitri Vinokurov discovered a logic error in ntpd. A remote attacker could send a crafted NTP mode 7 packet with a spoofed IP address of an affected server and cause a denial of service via CPU and disk resource consumption. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-867-1 CVE-2009-3563 | Version: | 5 |
Platform(s): | Ubuntu 8.04 Ubuntu 8.10 Ubuntu 9.10 Ubuntu 6.06 Ubuntu 9.04 | Product(s): | ntp |
Definition Id: oval:org.mitre.oval:def:17673 | |||
Oval ID: | oval:org.mitre.oval:def:17673 | ||
Title: | DSA-1948-1 ntp - denial of service | ||
Description: | Robin Park and Dmitri Vinokurov discovered that the daemon component of the ntp package, a reference implementation of the NTP protocol, is not properly reacting to certain incoming packets. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1948-1 CVE-2009-3563 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 Debian GNU/Linux 5.0 | Product(s): | ntp |
Definition Id: oval:org.mitre.oval:def:19376 | |||
Oval ID: | oval:org.mitre.oval:def:19376 | ||
Title: | HP-UX Running XNTP, Remote Denial of Service (DoS) and Execution of Arbitrary Code | ||
Description: | ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-3563 | Version: | 9 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:23033 | |||
Oval ID: | oval:org.mitre.oval:def:23033 | ||
Title: | ELSA-2009:1648: ntp security update (Moderate) | ||
Description: | ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:1648-01 CVE-2009-3563 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | ntp |
Definition Id: oval:org.mitre.oval:def:29266 | |||
Oval ID: | oval:org.mitre.oval:def:29266 | ||
Title: | RHSA-2009:1648 -- ntp security update (Moderate) | ||
Description: | An updated ntp package that fixes a security issue is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2009:1648 CESA-2009:1648-CentOS 5 CVE-2009-3563 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | ntp |
Definition Id: oval:org.mitre.oval:def:7076 | |||
Oval ID: | oval:org.mitre.oval:def:7076 | ||
Title: | NTP mode 7 MODE_PRIVATE Packet Remote Denial of Service Vulnerability | ||
Description: | ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-3563 | Version: | 5 |
Platform(s): | VMWare ESX Server 4.0 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:7310 | |||
Oval ID: | oval:org.mitre.oval:def:7310 | ||
Title: | DSA-1992 chrony -- several vulnerabilities | ||
Description: | Several vulnerabilities have been discovered in chrony, a pair of programs which are used to maintain the accuracy of the system clock on a computer. These issues are similar to the NTP security flaw CVE-2009-3563. The Common Vulnerabilities and Exposures project identifies the following problems: chronyd replies to all cmdmon packets with NOHOSTACCESS messages even for unauthorised hosts. An attacker can abuse this behaviour to force two chronyd instances to play packet ping-pong by sending such a packet with spoofed source address and port. This results in high CPU and network usage and thus denial of service conditions. The client logging facility of chronyd doesn’t limit memory that is used to store client information. An attacker can cause chronyd to allocate large amounts of memory by sending NTP or cmdmon packets with spoofed source addresses resulting in memory exhaustion. chronyd lacks a rate limit control to the syslog facility when logging received packets from unauthorised hosts. This allows an attacker to cause denial of service conditions via filling up the logs and thus disk space by repeatedly sending invalid cmdmon packets. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1992 CVE-2010-0292 CVE-2010-0293 CVE-2010-0294 CVE-2009-3563 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | chrony |
Definition Id: oval:org.mitre.oval:def:7379 | |||
Oval ID: | oval:org.mitre.oval:def:7379 | ||
Title: | DSA-1948 ntp -- denial of service | ||
Description: | Robin Park and Dmitri Vinokurov discovered that the daemon component of the ntp package, a reference implementation of the NTP protocol, is not properly reacting to certain incoming packets. An unexpected NTP mode 7 packet with spoofed IP data can lead ntpd to reply with a mode 7 response to the spoofed address. This may result in the service playing packet ping-pong with other ntp servers or even itself which causes CPU usage and excessive disk use due to logging. An attacker can use this to conduct denial of service attacks. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1948 CVE-2009-3563 | Version: | 7 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | ntp |
OpenVAS Exploits
Date | Description |
---|---|
2012-04-16 | Name : VMSA-2010-0009: ESXi utilities and ESX Service Console third party updates File : nvt/gb_VMSA-2010-0009.nasl |
2011-08-09 | Name : CentOS Update for ntp CESA-2009:1648 centos4 i386 File : nvt/gb_CESA-2009_1648_ntp_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for ntp CESA-2009:1648 centos5 i386 File : nvt/gb_CESA-2009_1648_ntp_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for ntp CESA-2009:1651 centos3 i386 File : nvt/gb_CESA-2009_1651_ntp_centos3_i386.nasl |
2011-06-06 | Name : HP-UX Update for XNTP HPSBUX02639 File : nvt/gb_hp_ux_HPSBUX02639.nasl |
2010-02-10 | Name : Debian Security Advisory DSA 1992-1 (chrony) File : nvt/deb_1992_1.nasl |
2010-01-11 | Name : FreeBSD Security Advisory (FreeBSD-SA-10:02.ntpd.asc) File : nvt/freebsdsa_ntpd2.nasl |
2010-01-07 | Name : Gentoo Security Advisory GLSA 201001-01 (ntp) File : nvt/glsa_201001_01.nasl |
2009-12-15 | Name : NTP mode 7 MODE_PRIVATE Packet Remote Denial of Service Vulnerability File : nvt/ntp_37255.nasl |
2009-12-14 | Name : CentOS Security Advisory CESA-2009:1651 (ntp) File : nvt/ovcesa2009_1651.nasl |
2009-12-14 | Name : RedHat Security Advisory RHSA-2009:1648 File : nvt/RHSA_2009_1648.nasl |
2009-12-14 | Name : CentOS Security Advisory CESA-2009:1648 (ntp) File : nvt/ovcesa2009_1648.nasl |
2009-12-14 | Name : Fedora Core 10 FEDORA-2009-13121 (ntp) File : nvt/fcore_2009_13121.nasl |
2009-12-14 | Name : Fedora Core 11 FEDORA-2009-13090 (ntp) File : nvt/fcore_2009_13090.nasl |
2009-12-14 | Name : Fedora Core 12 FEDORA-2009-13046 (ntp) File : nvt/fcore_2009_13046.nasl |
2009-12-14 | Name : Debian Security Advisory DSA 1948-1 (ntp) File : nvt/deb_1948_1.nasl |
2009-12-14 | Name : RedHat Security Advisory RHSA-2009:1651 File : nvt/RHSA_2009_1651.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2009-343-01 ntp File : nvt/esoft_slk_ssa_2009_343_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
60847 | NTP ntpd Mode 7 Request Crafted Packet Reply Loop Remote DoS NTP contains a flaw that may allow a remote denial of service. The issue is triggered when ntpd processes specially crafted MODE_PRIVATE packets, and will result in loss of availability for the service. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2015-07-16 | IAVM : 2015-A-0150 - Multiple Security Vulnerabilities in Juniper Networks CTPView Severity : Category I - VMSKEY : V0061073 |
2015-05-21 | IAVM : 2015-A-0113 - Multiple Vulnerabilities in Juniper Networks CTPOS Severity : Category I - VMSKEY : V0060737 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | ntp mode 7 denial of service attempt RuleID : 16350 - Revision : 7 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-08 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2010-0009_remote.nasl - Type : ACT_GATHER_INFO |
2016-03-08 | Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2010-0004_remote.nasl - Type : ACT_GATHER_INFO |
2016-01-28 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL10905.nasl - Type : ACT_GATHER_INFO |
2015-01-07 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2015-0002.nasl - Type : ACT_GATHER_INFO |
2015-01-07 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2015-0001.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2009-0036.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2009-1651.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2009-1648.nasl - Type : ACT_GATHER_INFO |
2013-05-19 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHNE_42470.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IZ68659.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IZ71613.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IZ71611.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IZ71610.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IZ71608.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IZ71093.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IZ71614.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote AIX host is missing a security patch. File : aix_IZ71071.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20091208_ntp_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2011-04-04 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHNE_41177.nasl - Type : ACT_GATHER_INFO |
2011-04-04 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHNE_41908.nasl - Type : ACT_GATHER_INFO |
2011-04-04 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHNE_41907.nasl - Type : ACT_GATHER_INFO |
2010-10-11 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_xntp-6718.nasl - Type : ACT_GATHER_INFO |
2010-06-01 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2010-0009.nasl - Type : ACT_GATHER_INFO |
2010-05-19 | Name : The remote AIX host is missing a vendor-supplied security patch. File : aix_U832257.nasl - Type : ACT_GATHER_INFO |
2010-03-05 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2010-0004.nasl - Type : ACT_GATHER_INFO |
2010-02-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201001-01.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1948.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1992.nasl - Type : ACT_GATHER_INFO |
2010-01-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_ntp-091211.nasl - Type : ACT_GATHER_INFO |
2010-01-13 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_ntp-091211.nasl - Type : ACT_GATHER_INFO |
2010-01-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_ntp-091215.nasl - Type : ACT_GATHER_INFO |
2010-01-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_ntp-091221.nasl - Type : ACT_GATHER_INFO |
2009-12-21 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12559.nasl - Type : ACT_GATHER_INFO |
2009-12-21 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_xntp-6719.nasl - Type : ACT_GATHER_INFO |
2009-12-14 | Name : The remote Fedora host is missing a security update. File : fedora_2009-13046.nasl - Type : ACT_GATHER_INFO |
2009-12-14 | Name : The remote Fedora host is missing a security update. File : fedora_2009-13090.nasl - Type : ACT_GATHER_INFO |
2009-12-14 | Name : The remote network time service has a denial of service vulnerability. File : ntpd_mode7_ping_pong_dos.nasl - Type : ACT_GATHER_INFO |
2009-12-14 | Name : The remote Fedora host is missing a security update. File : fedora_2009-13121.nasl - Type : ACT_GATHER_INFO |
2009-12-11 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2009-343-01.nasl - Type : ACT_GATHER_INFO |
2009-12-09 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2009-1651.nasl - Type : ACT_GATHER_INFO |
2009-12-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-867-1.nasl - Type : ACT_GATHER_INFO |
2009-12-09 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2009-1648.nasl - Type : ACT_GATHER_INFO |
2009-12-09 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2009-1648.nasl - Type : ACT_GATHER_INFO |
2009-12-09 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-328.nasl - Type : ACT_GATHER_INFO |
2009-12-09 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2009-1651.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 12:07:58 |
|
2013-09-09 21:22:00 |
|
2013-05-11 00:57:12 |
|