[Pool] NTP CVE patches?

Miroslav Lichvar mlichvar at redhat.com
Thu Oct 22 08:33:03 UTC 2015


On Wed, Oct 21, 2015 at 03:13:02PM -0400, Jared Mauch wrote:
> with this public disclosure: http://www.cs.bu.edu/~goldbe/NTPattack.html

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704

This one is probably the most severe issue from all that went public
yesterday. I think it's just a matter of time before someone attacks
the pool servers and makes a lot of people unhappy.

Unfortunately, it seems the fix included in ntp-4.2.8p4 is bad. It
still allows a spoofed KoD RATE packet to set the minimum polling
interval and effectively disable synchronization. It also completely
breaks peering (symmetric associations). I'm not sure how this passed
testing.

Harlan, attached is a proper fix. It applies to 4.2.6p5 and 4.2.8p3.
It would be good if you could make a quick 4.2.8p5 release. Maybe even
include the one-liner for CVE-2015-5300.

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705

Please note that people using iptables for rate limiting may also have
this vulnerability.

-- 
Miroslav Lichvar
-------------- next part --------------
diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest ntp-4.2.6p5/ntpd/ntp_proto.c
--- ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest	2015-09-24 18:20:19.121981664 +0200
+++ ntp-4.2.6p5/ntpd/ntp_proto.c	2015-09-24 18:20:54.596594166 +0200
@@ -1165,7 +1165,7 @@ receive(
 	peer->ppoll = max(peer->minpoll, pkt->ppoll);
 	if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC &&
 	    hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid,
-	    "RATE", 4) == 0) {
+	    "RATE", 4) == 0 && !(peer->flash & PKT_TEST_MASK)) {
 		peer->selbroken++;
 		report_event(PEVNT_RATE, peer, NULL);
 		if (pkt->ppoll > peer->minpoll)
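Review bot: the new guard `!(peer->flash & PKT_TEST_MASK)` protects only the RATE branch, while the first context line, `peer->ppoll = max(peer->minpoll, pkt->ppoll);`, still copies the poll value out of the packet before any of those tests are consulted; confirm that this assignment is harmless for a packet that fails the tests, or move it behind the same check. The file header shows only the 4.2.6p5 copy of ntp_proto.c, although the mail says the change also applies to 4.2.8p3; a note on whether the 4.2.8 hunk is identical or needs a separate diff would help whoever merges it.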

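To make the point of the patch concrete, here is a small Python model of the KoD RATE handling, added to this archive page and not code from ntpd: it parses the 48-byte NTP header, applies the four conditions the hunk tests, and shows that without a validity gate an unsolicited RATE packet raises the peer's minimum poll, while with the gate it is ignored. The model stands in for PKT_TEST_MASK with just the origin-timestamp comparison (an assumption; ntpd's mask covers more tests), and the packet bytes and the `Peer` state are constructed for the demonstration.

```python
"""Model of ntpd's KoD RATE handling with and without the validity gate."""
import struct
from dataclasses import dataclass

NTP_HDR = struct.Struct("!BBbbII4sQQQQ")   # 48-byte NTP header, RFC 5905 layout
MODE_SERVER, LEAP_NOTINSYNC, STRATUM_UNSPEC = 4, 3, 0


@dataclass
class Peer:
    minpoll: int          # log2 seconds; the value a RATE KoD may raise
    last_xmt: int         # transmit timestamp of our last request (constructed)


def parse_header(pkt: bytes) -> dict:
    """Split the fixed header into the fields the KoD check uses."""
    li_vn_mode, stratum, ppoll, _, _, _, refid, _, org, _, xmt = NTP_HDR.unpack(pkt[:48])
    return {"leap": li_vn_mode >> 6, "mode": li_vn_mode & 7, "stratum": stratum,
            "ppoll": ppoll, "refid": refid, "org": org, "xmt": xmt}


def is_kod_rate(h: dict) -> bool:
    """The four conditions tested in receive() before the RATE handling."""
    return (h["mode"] == MODE_SERVER and h["leap"] == LEAP_NOTINSYNC
            and h["stratum"] == STRATUM_UNSPEC and h["refid"] == b"RATE")


def handle_kod(peer: Peer, pkt: bytes, patched: bool) -> int:
    """Return the peer's minpoll after processing one packet.

    patched=False trusts any RATE KoD; patched=True first requires the packet's
    origin timestamp to match our last transmit timestamp, used here as a
    stand-in for the PKT_TEST_MASK checks (a simplification of this model)."""
    h = parse_header(pkt)
    if not is_kod_rate(h):
        return peer.minpoll
    if patched and h["org"] != peer.last_xmt:
        return peer.minpoll          # unsolicited packet: ignore the KoD
    if h["ppoll"] > peer.minpoll:
        peer.minpoll = h["ppoll"]    # server asked us to back off
    return peer.minpoll


def build_kod_rate(org: int, ppoll: int) -> bytes:
    """Constructed sample: a server-mode RATE KoD whose origin field is `org`."""
    li_vn_mode = (LEAP_NOTINSYNC << 6) | (4 << 3) | MODE_SERVER   # NTPv4
    return NTP_HDR.pack(li_vn_mode, STRATUM_UNSPEC, ppoll, 0, 0, 0, b"RATE", 0, org, 0, 0)
```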
