[ntp:security] [Bug 1331] DoS with mode 7 packets (CVE-2009-3563)

Dave Hart davehart at gmail.com
Thu Oct 8 05:17:09 UTC 2009

On Thu, Oct 8, 2009 at 1:27 AM, Danny Mayer <mayer at ntp.org> wrote:
> And for an NTP V5 it would fail as would ntpdc v4 with xntp V3. The mode7
> packets are private and are not guaranteed not to change between major
> versions and that's why the test is there. This is an interoperability
> issue not an attack or security issue.

That is not true.  INFO_ERR_FMT is not used by ntpdc to interoperate
with different versions of ntpd.  Rather, INFO_ERR_IMPL is used for
that purpose.  The test you say is for interoperability is looking for
version < 1 or > 4.  ntpdc always uses version 2; as I said, all ntpdc
versions are lumped into one category by this test.

>> If it were not for the need to keep patches simple and focused, I
>> would say all the INFO_ERR_FMT responses should be eliminated from
>> process_private(), dropping each without response.
> Which means that you are ignoring legitimate errors thereby throwing out
> legitimate error responses.

There is no value in responding with INFO_ERR_FMT to requests with
incredible versions.  You keep harping on the need for these
responses, but you have yet to demonstrate it.  I've looked at the
ntpdc code as well as ntp_request.c and I'm convinced responding with
INFO_ERR_FMT for version < 1 or > 4 is not going to help

Dave Hart
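
The handling argued for in the message above, as an added sketch that is not part of the original post and is not ntpd's code: requests with an out-of-range version are dropped with no reply, and only an implementation mismatch earns an INFO_ERR_IMPL-style answer. The function and enum names, the assumed header layout and the sample bytes are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names for this sketch; they are not ntpd identifiers. */
enum verdict { DROP_SILENTLY, REPLY_ERR_IMPL, PROCESS_REQUEST };

#define MODE_PRIVATE 7   /* NTP mode 7 (private requests, as sent by ntpdc) */
#define VN_MIN 1         /* version bounds quoted in the message */
#define VN_MAX 4
#define HDR_MIN 4        /* assumed: flags, auth/seq, implementation, request */

/* Assumed header layout: byte 0 = R | M | VN (3 bits) | mode (3 bits),
 * byte 2 = implementation number. known_impl is a constructed value. */
enum verdict classify_mode7(const uint8_t *pkt, size_t len, uint8_t known_impl)
{
    if (pkt == NULL || len < HDR_MIN)
        return DROP_SILENTLY;            /* too short to be a request */

    uint8_t mode = pkt[0] & 0x7;
    uint8_t vn   = (pkt[0] >> 3) & 0x7;

    if (mode != MODE_PRIVATE)
        return DROP_SILENTLY;
    /* Version outside 1..4: treated as not worth a reply, so none is sent. */
    if (vn < VN_MIN || vn > VN_MAX)
        return DROP_SILENTLY;
    /* Implementation mismatch is the interoperability signal. */
    if (pkt[2] != known_impl)
        return REPLY_ERR_IMPL;
    return PROCESS_REQUEST;
}

/* Constructed sample headers (not captured traffic). */
static const uint8_t req_v2[4]      = { (2 << 3) | 7, 0, 3, 0 };
static const uint8_t req_v0[4]      = { (0 << 3) | 7, 0, 3, 0 };
static const uint8_t req_v5[4]      = { (5 << 3) | 7, 0, 3, 0 };
static const uint8_t req_badimpl[4] = { (2 << 3) | 7, 0, 9, 0 };
```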
