[ntp:security] [Bug 2779] ntpd accepts unauthenticated packets with symmetric key crypto

bugzilla-daemon at ntp.org
Fri Mar 6 09:11:56 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2779

Miroslav Lichvar <mlichvar at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Security test bug           |ntpd accepts
                   |                            |unauthenticated packets
                   |                            |with symmetric key crypto

--- Comment #3 from Miroslav Lichvar <mlichvar at redhat.com> 2015-03-06 09:11:56 UTC ---
When ntpd is configured to use a symmetric key with an NTP server/peer, it
checks if the NTP message authentication code (MAC) in received packets is
valid, but not if there actually is any MAC included. Packets without MAC are
accepted as if they had a valid MAC. This allows a MITM attacker to send false
packets that are accepted by the client/peer without having to know the
symmetric key.

It seems this bug was introduced in 4.2.5p99 and is in all later stable
versions up to 4.2.8p1. Authentication using autokey doesn't have this problem
as there is a check that requires the key ID to be larger than NTP_MAXKEY,
which fails for packets without MAC.

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
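As an added illustration (not part of the bug report or of ntpd's own code), a Python sketch of the check the comment describes: a buggy acceptance path that verifies a MAC only when one happens to be present, beside a fixed path that requires the MAC whenever a key is configured. The header bytes, key ID and shared secret are constructed for the demo; the MAC layout follows NTP's symmetric-key MD5 scheme (4-byte key ID followed by MD5 over key || header).

```python
import hashlib
import hmac

# NTP header is 48 bytes; a symmetric-key MAC appends a 4-byte key ID
# plus a 16-byte MD5 digest of (key || header), as in NTP's MD5 scheme.
HDR_LEN = 48
MD5_MAC_LEN = 4 + 16

def build_header(stratum=2):
    """Constructed sample: a minimal NTPv4 server reply header."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, mode=4 (server)
    hdr = bytes([li_vn_mode, stratum, 6, 0xEC])    # poll=6, precision=-20
    hdr += b"\x00" * 44                             # root delay/disp, ref id, timestamps zeroed
    return hdr

def append_mac(hdr, key_id, key):
    """Append the symmetric-key MAC the way an authenticating peer would."""
    digest = hashlib.md5(key + hdr).digest()
    return hdr + key_id.to_bytes(4, "big") + digest

def mac_is_valid(pkt, key_id, key):
    """True only if a MAC is present, names the configured key and verifies."""
    if len(pkt) != HDR_LEN + MD5_MAC_LEN:
        return False
    hdr, mac = pkt[:HDR_LEN], pkt[HDR_LEN:]
    if int.from_bytes(mac[:4], "big") != key_id:
        return False
    expected = hashlib.md5(key + hdr).digest()
    return hmac.compare_digest(mac[4:], expected)   # constant-time compare

def accept_buggy(pkt, key_id, key):
    """Mirrors the logic the report describes: a MAC is checked only if present."""
    if len(pkt) > HDR_LEN:
        return mac_is_valid(pkt, key_id, key)
    return True                      # no MAC at all -> accepted: the bug

def accept_fixed(pkt, key_id, key):
    """With a key configured, a packet must carry a valid MAC to be accepted."""
    return mac_is_valid(pkt, key_id, key)

# Constructed sample inputs: key ID 1 with a made-up shared secret.
KEY_ID, KEY = 1, b"constructed-shared-secret"
SIGNED = append_mac(build_header(), KEY_ID, KEY)
UNSIGNED = build_header()            # same header with the MAC omitted
```

Run against `SIGNED` both paths agree; against `UNSIGNED` only the buggy path accepts, which is the behaviour the report describes.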