[pkg-ntp-maintainers] Bug#560074: ntp: CVE-2009-3563 DoS through mode 7 packets
Nico Golde
nion at debian.org
Tue Dec 8 18:45:29 UTC 2009
Package: ntp
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ntp.
CVE-2009-3563[0]:
| The topology used includes two nodes running ntp and an attacker's PC:
|
| PC---> [node1 ntpd1]:11.0.0.1 --------11.0.0.2:[node2 ntpd2]
|
| PC sends one crafted UDP packet with one byte payload 0x17, i.e. NTP Request in
| mode 7.
| This UDP packet has spoofed source IP of 11.0.0.2, destination = 11.0.0.1,
| source port 123 and destination port 123.
| Node1 responds with mode 7 Error Response to Node2, and here comes something we
| cannot conceive. Ntpd2 responds back with the same mode 7 Error Response to
| Node1, Ntpd1 does again the same, etc. with the aggregate rate of few thousand
| pps. CPU is taken away on both sides, network is busy...
| Better yet, if we spoof the Node1's address 11.0.0.1 as a source, Node1 sends
| all these packets to itself all the time! Endless.
| Payload "97 00 00 00" (Response mode 7) works too.
| If you fix the vulnerability please also make sure to include the
| CVE id in your changelog entry.
Upstream has released 4.2.4p8 to fix this issue.
For further information see:
[0] https://support.ntp.org/bugs/show_bug.cgi?id=1331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
http://security-tracker.debian.org/tracker/CVE-2009-3563
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
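Added example, not part of the original mail and not ntpd code: a Python detector for the traffic pattern the report describes, keyed on the mode 7 first byte (mode in the low three bits, response flag in the top bit, which matches the 0x17 request and 0x97 response bytes quoted above). The packet dict layout, function names, sample packets and threshold are constructed for illustration.

```python
from collections import Counter

RESP_BIT, MODE_MASK, MODE_PRIVATE, NTP_PORT = 0x80, 0x07, 7, 123

def mode7_kind(payload):
    """Return 'request' or 'response' for a mode 7 payload, else None."""
    if not payload or payload[0] & MODE_MASK != MODE_PRIVATE:
        return None
    return "response" if payload[0] & RESP_BIT else "request"

def flag_packet(pkt):
    """Reasons one UDP packet matches the traffic described in the report."""
    if mode7_kind(pkt["payload"]) is None:
        return []
    reasons = []
    if pkt["sport"] == NTP_PORT and pkt["dport"] == NTP_PORT:
        reasons.append("mode 7 from port 123 to port 123")  # ntpdc queries use an ephemeral source port
    if pkt["src"] == pkt["dst"]:
        reasons.append("source address equals destination")
    return reasons

def looping_pairs(packets, threshold):
    """Host pairs exchanging mode 7 responses in both directions, each at least threshold times."""
    counts = Counter()
    for p in packets:
        if mode7_kind(p["payload"]) == "response" and p["sport"] == p["dport"] == NTP_PORT:
            counts[(p["src"], p["dst"])] += 1
    return sorted({tuple(sorted(pair)) for pair, n in counts.items()
                   if n >= threshold and counts[(pair[1], pair[0])] >= threshold})

def make_pkt(src, dst, sport, dport, payload):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}

# Constructed capture: the trigger, the error ping-pong, then two benign client packets.
ERR = bytes.fromhex("97000000")
SAMPLE = [make_pkt("11.0.0.2", "11.0.0.1", 123, 123, b"\x17")]
for _ in range(3):
    SAMPLE += [make_pkt("11.0.0.1", "11.0.0.2", 123, 123, ERR),
               make_pkt("11.0.0.2", "11.0.0.1", 123, 123, ERR)]
SAMPLE += [make_pkt("192.0.2.10", "11.0.0.1", 40000, 123, b"\x17\x00\x03\x00" + bytes(4)),
           make_pkt("192.0.2.10", "11.0.0.1", 40001, 123, b"\x23" + bytes(47))]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["src"], "->", p["dst"], mode7_kind(p["payload"]), flag_packet(p))
    print("looping pairs:", looping_pairs(SAMPLE, 3))
```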