[ntp:security] [Bug 2942] New: Off-path Denial of Service (DoS) attack on authenticated broadcast mode

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Sun Oct 11 06:04:46 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2942

             Bug #: 2942
           Summary: Off-path Denial of Service (DoS) attack on
                    authenticated broadcast mode
           Product: ntp
           Version: 4.2.8
          Platform: All
        OS/Version: All
            Status: CONFIRMED
          Severity: normal
          Priority: P5
         Component: Security Bugs
        AssignedTo: stenn at ntp.org
        ReportedBy: stenn at ntp.org
                CC: aanchal4 at bu.edu, security at ntp.org
             Group: Security
    Classification: Unclassified


Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |blocking4.2.8+

Expected Behavior:
        The protocol should protect against off-path
        Denial of Service attacks in authenticated broadcast mode.

Actual Behavior:
        An off-path attacker can send broadcast packets with bad
        authentication (wrong key, mismatched key, incorrect MAC, etc.)
        to broadcast clients. It is observed that the broadcast client tears
        down the association with the broadcast server upon receiving just
        one bad packet. If an attacker keeps sending "bad" authenticated
        packets frequently, then the broadcast client can never sync with
        the real broadcast server (because of a lack of a sufficient number
        of good samples).

Implications of the attack:
        An off-path attacker can deny NTP service to the broadcast
        client even in authenticated mode.

Recommendations:
        There are two main problems here:
        a) There is no origin timestamp check on the broadcast
        packets as origin timestamp is set to zero in the broadcast
        server packets.

        b) The client tears down the association and clears the
        state variables on receiving a bad packet.

        Improperly-authenticated packets should be discarded without
        further action.  If ntpd makes state changes to authenticated
        associations in response to unauthenticated or
        improperly-authenticated packets, it is likely to result in a
        Denial of Service vulnerability.

Note: Be aware that this issue could affect other ntpd modes of operation such
as multicast.

This defect was discovered by Aanchal Malhotra <aanchal4 at bu.edu>.
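A small Python model of the two behaviours described above, added here as an illustration and not part of ntpd or the bug report: a broadcast client that verifies the appended symmetric-key digest (MD5 over the key followed by the 48-byte header, as in RFC 5905 Appendix A) and either tears down its association on a bad digest, as reported, or simply discards the packet, as recommended. The key value, the 8-sample sync threshold and the interleaving of forged packets are assumptions made for the simulation.

```python
import hashlib
import struct

# Constructed model, not ntpd code: how a broadcast client reacts to packets
# whose appended MD5 digest does not verify (bug 2942 vs. the recommended fix).
KEY_ID = 1
KEY = b"example-shared-key"   # assumption: the configured symmetric key
MINCLOCK = 8                  # assumption: good samples needed before sync

def ntp_mac(key, header):
    """NTP symmetric-key digest: MD5 over key followed by the 48-byte header."""
    return hashlib.md5(key + header).digest()

def build_packet(key_id, key, seq):
    # LI=0, VN=4, mode 5 (broadcast); origin timestamp stays zero as in real
    # broadcast server packets; transmit timestamp carries a sequence number.
    header = struct.pack("!B3B3I4Q", 0x25, 0, 0, 0, 0, 0, 0, 0, 0, 0, seq)
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)

class BroadcastClient:
    def __init__(self, key_id, key, tear_down_on_bad_auth):
        self.key_id, self.key = key_id, key
        self.tear_down_on_bad_auth = tear_down_on_bad_auth  # True = reported behaviour
        self.samples = 0
        self.associated = True

    def receive(self, packet):
        header, mac = packet[:48], packet[52:]
        key_id = struct.unpack("!I", packet[48:52])[0]
        if key_id != self.key_id or mac != ntp_mac(self.key, header):
            if self.tear_down_on_bad_auth:
                # bug 2942: one forged packet clears the association and its state
                self.samples, self.associated = 0, False
            return False  # recommended: discard with no further action
        self.samples += 1          # a good packet (re)creates the association
        self.associated = True
        return True

    def synced(self):
        return self.associated and self.samples >= MINCLOCK

def simulate(tear_down, bad_every):
    """Legitimate server sends 32 packets; a forged (wrong-key) packet arrives after every bad_every-th one."""
    client = BroadcastClient(KEY_ID, KEY, tear_down)
    for seq in range(1, 33):
        client.receive(build_packet(KEY_ID, KEY, seq))
        if seq % bad_every == 0:
            client.receive(build_packet(KEY_ID, b"wrong-key", seq))
    return client.synced()
```

With forged packets arriving every fourth interval, `simulate(True, 4)` never reaches sync while `simulate(False, 4)` does, which is the whole difference between the reported and the recommended handling.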
