[ntp:security] [Bug 2945] New: 0rigin: Zero Origin Timestamp Bypass

bugzilla-daemon at ntp.org
Sat Oct 17 08:54:53 UTC 2015


             Bug #: 2945
           Summary: 0rigin: Zero Origin Timestamp Bypass
           Product: ntp
           Version: 4.2.8
          Platform: All
        OS/Version: All
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: Security Bugs
        AssignedTo: stenn at ntp.org
        ReportedBy: stenn at ntp.org
                CC: security at ntp.org
             Group: Security
    Classification: Unclassified

Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
              Flags|                            |blocking4.2.8+

To distinguish legitimate peer responses from forgeries, a client
  attempts to verify a response packet by ensuring that the origin
  timestamp in the packet matches the origin timestamp it transmitted in
  its last request.  A logic error exists that allows packets with an
  origin timestamp of zero to bypass this check whenever there is not an
  outstanding request to the server.

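A simplified model of the origin timestamp check described in the report, added here as an illustration; it is not part of the bug report and is not ntpd's code. The names `assoc_t`, `on_send`, `on_receive`, `origin_ok_flawed` and `origin_ok_strict` are hypothetical, and the model assumes the stored transmit timestamp is zero whenever no request is outstanding.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 64-bit NTP timestamp: seconds and fraction. */
typedef struct { uint32_t sec, frac; } ts_t;

/* Hypothetical association state. Assumption: xmt holds the transmit
 * timestamp of the outstanding request and is zero when there is none. */
typedef struct { ts_t xmt; } assoc_t;

static bool ts_eq(ts_t a, ts_t b) { return a.sec == b.sec && a.frac == b.frac; }
static bool ts_zero(ts_t a) { return a.sec == 0 && a.frac == 0; }

/* Flawed check: equality only. With no request outstanding xmt is zero,
 * so a packet whose origin timestamp is zero compares equal and passes. */
bool origin_ok_flawed(const assoc_t *a, ts_t org) { return ts_eq(org, a->xmt); }

/* Strict check: a response is only valid while a request is outstanding,
 * and a zero origin timestamp never identifies a request we sent. */
bool origin_ok_strict(const assoc_t *a, ts_t org) {
    if (ts_zero(a->xmt) || ts_zero(org)) return false;
    return ts_eq(org, a->xmt);
}

/* Record the transmit timestamp of a request. */
void on_send(assoc_t *a, ts_t now) { a->xmt = now; }

/* Validate a response; on acceptance clear xmt so a replay is rejected. */
bool on_receive(assoc_t *a, ts_t org, bool strict) {
    bool ok = strict ? origin_ok_strict(a, org) : origin_ok_flawed(a, org);
    if (ok) a->xmt = (ts_t){0, 0};
    return ok;
}

int main(void) {
    ts_t t1 = {0xDAC0FFEEu, 0x12345678u}, zero = {0, 0}; /* constructed values */
    for (int strict = 0; strict <= 1; strict++) {
        assoc_t a = {{0, 0}};
        on_send(&a, t1);
        bool genuine = on_receive(&a, t1, strict);
        bool forged = on_receive(&a, zero, strict); /* no request outstanding */
        printf("%s: genuine=%d zero-origin=%d\n",
               strict ? "strict" : "flawed", genuine, forged);
    }
    return 0;
}
```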