FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ntp -- Multiple vulnerabilities

Affected packages
11.3 <= FreeBSD < 11.3_7
12.1 <= FreeBSD < 12.1_3
ntp < 4.2.8p14
ntp-devel <= 4.3.99_6

Details

VuXML ID 591a706b-5cdc-11ea-9a0a-206a8a720317
Discovery 2019-05-30
Entry 2020-03-03

nwtime.org reports:

Three ntp vulnerabilities, Depending on configuration, may have little impact up to termination of the ntpd process.

NTP Bug 3610: Process_control() should exit earlier on short packets. On systems that override the default and enable ntpdc (mode 7) fuzz testing detected that a short packet will cause ntpd to read uninitialized data.

NTP Bug 3596: An unauthenticated unmonitored ntpd is vulnerable to attack on IPv4 with highly predictable transmit timestamps. An off-path attacker who can query time from the victim's ntp which receives time from an unauthenticated time source must be able to send from a spoofed IPv4 address of upstream ntp server and and the victim must be able to process a large number of packets with the spoofed IPv4 address of the upstream server. After eight or more successful attacks in a row the attacker can either modify the victim's clock by a small amount or cause ntpd to terminate. The attack is especially effective when unusually short poll intervals have been configured.

NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such that a ntp can be prevented from initiating a time volley to its peer resulting in a DoS.

All three NTP bugs may result in DoS or terimation of the ntp daemon.

References

FreeBSD Advisory SA-20:09.ntp