[Pool] NTP CVE patches?

Miroslav Lichvar mlichvar at redhat.com
Thu Oct 22 08:33:03 UTC 2015

On Wed, Oct 21, 2015 at 03:13:02PM -0400, Jared Mauch wrote:
> with this public disclosure: http://www.cs.bu.edu/~goldbe/NTPattack.html

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704

This one is probably the most severe issue from all that went public
yesterday. I think it's just a matter of time before someone attacks
the pool servers and makes a lot of people unhappy.

Unfortunately, it seems the fix included in ntp-4.2.8p4 is bad. It
still allows a spoofed KoD RATE packet to set the mininum polling
interval and effectively disable synchronization. It also completely
breaks peering (symmetric associations). I'm not sure how this passed

Harlan, attached is a proper fix. It applies to 4.2.6p5 and 4.2.8p3.
It would be good if you could make a quick 4.2.8p5 release. Maybe even
include the one-liner for CVE-2015-5300.

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705

Please note that people using iptables for rate limiting may also have
this vulnerability.

Miroslav Lichvar
-------------- next part --------------
diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest ntp-4.2.6p5/ntpd/ntp_proto.c
--- ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest	2015-09-24 18:20:19.121981664 +0200
+++ ntp-4.2.6p5/ntpd/ntp_proto.c	2015-09-24 18:20:54.596594166 +0200
@@ -1165,7 +1165,7 @@ receive(
 	peer->ppoll = max(peer->minpoll, pkt->ppoll);
 	if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC &&
 	    hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid,
-	    "RATE", 4) == 0) {
+	    "RATE", 4) == 0 && !(peer->flash & PKT_TEST_MASK)) {
 		report_event(PEVNT_RATE, peer, NULL);
 		if (pkt->ppoll > peer->minpoll)

More information about the pool mailing list