FreeBSD Security Advisory FreeBSD-SA-20:09.ntp

FreeBSD Security Advisories

FreeBSD-SA-20:09.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple denial of service in ntpd

Category:       contrib
Module:         ntp
Announced:      2020-03-19
Credits:        Philippe Antoine and Miroslav Lichvar
Affects:        All supported versions of FreeBSD.
Corrected:      2020-03-04 23:54:13 UTC (stable/12, 12.1-STABLE)
                2020-03-19 16:52:41 UTC (releng/12.1, 12.1-RELEASE-p3)
                2020-03-05 00:18:09 UTC (stable/11, 11.3-STABLE)
                2020-03-19 16:52:41 UTC (releng/11.3, 11.3-RELEASE-p7)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.

II.  Problem Description

Three NTP vulnerabilities are addressed by this security advisory.

NTP Bug 3610:  Process_control() should exit earlier on short packets.
On systems that override the default and enable ntpdc (mode 7), fuzz testing
detected that a short packet will cause ntpd to read uninitialized data.

NTP Bug 3596:  Due to highly predictable transmit timestamps, an
unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim
ntpd configured to receive time from an unauthenticated time source is
vulnerable to an off-path attacker with permission to query the victim.  The
attacker must send from a spoofed IPv4 address of an upstream NTP server and
the victim must process a large number of packets with that spoofed IPv4
address.  After eight or more successful attacks in a row, the attacker can
either modify the victim's clock by a small amount or cause ntpd to
terminate.  The attack is especially effective when unusually short poll
intervals have been configured.

NTP Bug 3592:  The fix for introduced a bug such
that an ntpd can be prevented from initiating a time volley to its peer
resulting in a DoS.

III. Impact

All three NTP bugs may result in DoS or termination of the ntp daemon.

IV.  Workaround

Systems not using ntpd(8) are not vulnerable.

Systems running ntpd should make the following changes:
- Disable mode 7
- Use many trustworthy sources of time
- Use NTP packet authentication
- Monitor ntpd for error messages indicating attack
- If only unauthenticated time over IPv4 is available, use the restrict
  configuration directive
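
The configuration items in the list above (mode 7, number of sources, authentication, restrict) can be checked mechanically against an ntp.conf. The sh script below is an added example, not part of the advisory or of FreeBSD. The minimum of 4 sources and the choice of noquery as the restrict flag are assumptions, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory. Exit status = number of findings.
MIN_SOURCES=4   # assumption: the advisory says "many" without giving a number

has()   { printf '%s\n' "$active" | grep -Eq "$1"; }
count() { printf '%s\n' "$active" | grep -Ec "$1" || true; }
finding() { echo "FINDING: $1"; n=$((n + 1)); }

audit_ntp_conf() {
    n=0
    # Keep only active directives: strip comments and blank lines.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    src='^[[:space:]]*(server|peer|pool)[[:space:]]'

    # Disable mode 7: it is off unless "enable mode7" overrides the default.
    if has '^[[:space:]]*enable[[:space:]]+(.*[[:space:]])?mode7([[:space:]]|$)'; then
        finding "mode 7 (ntpdc) is enabled"
    fi
    # Use many sources: enough server lines, or a pool that expands to several.
    srv=$(count '^[[:space:]]*server[[:space:]]')
    if ! has '^[[:space:]]*pool[[:space:]]' && [ "$srv" -lt "$MIN_SOURCES" ]; then
        finding "only $srv server line(s) and no pool"
    fi
    # Use authentication: every source needs "key N", and a trustedkey line.
    unauth=$(printf '%s\n' "$active" | grep -E "$src" |
        grep -Evc '[[:space:]]key[[:space:]]+[0-9]+' || true)
    if [ "$unauth" -gt 0 ] || ! has '^[[:space:]]*trustedkey[[:space:]]'; then
        finding "$unauth unauthenticated source(s) or no trustedkey"
    fi
    # Unauthenticated sources: require a default restrict line with noquery
    # (assumed flag; Bug 3596 needs permission to query the victim).
    if [ "$unauth" -gt 0 ] &&
       ! has '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default[[:space:]].*noquery'; then
        finding "unauthenticated sources without 'restrict default ... noquery'"
    fi
    return "$n"
}

# Constructed sample configuration (addresses are documentation-range placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
enable mode7
server 192.0.2.10 iburst   # single unauthenticated upstream
restrict default nomodify
EOF
audit_ntp_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Monitoring ntpd's log output, the remaining item in the list, is a runtime task and is not covered by this static check.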

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.1-STABLE]
# fetch
# fetch
# gpg --verify ntp.12.patch.asc

[FreeBSD 12.1-RELEASE]
# fetch
# fetch
# gpg --verify ntp.12.1.patch.asc

[FreeBSD 11.3-STABLE]
# fetch
# fetch
# gpg --verify ntp.11.patch.asc

[FreeBSD 11.3-RELEASE]
# fetch
# fetch
# gpg --verify ntp.11.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r358659
releng/12.1/                                                      r359144
stable/11/                                                        r358660
releng/11.3/                                                      r359144
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://

Or visit the following URL, replacing NNNNNN with the revision number:


VII. References


The latest revision of this advisory is available at
