[ntp:security] FW: notification of potential security issue with ntpd version 4.2.8p3 (current release)

Birdwell, John D "Doug" jbirdwel at ida.org
Fri Sep 25 15:42:54 UTC 2015


WARNING: THE ATTACHMENTS CONTAIN SENSITIVE INFORMATION

Harlan (NTP) & Eric (NTPsec),

Here is the information on the possible vulnerability in ntpd, which I sent to the security at ntp.org address on 8/28 and to Harlan - apparently at an old email address - on 9/4.  I am also forwarding this to security at ntp.org (again).  Please email me a quick reply to let me know you have received this.  Don't hesitate to contact me if you need additional information.  I have many more single packets that excite the same behavior and some Python code to test them against ntpd with ncat if they would help you isolate the issue.

Harlan,

You might want to let whoever watches over the security at ntp.org email account know that there appears to be a problem with follow-ups.  It's not especially comforting for security reports to get lost in the "system".  Also, re your note about encryption using PGP - I haven't used PGP since Zimmermann exited the project, and I've already sent this in the clear twice, so I don't see much point in encrypting this.  There has, however, been no public disclosure (other than, possibly, the unencrypted emails).

Sincerely,
Doug Birdwell
jbirdwel at ida.org
cell: 865-389-6666
________________________________________
From: Birdwell, John D "Doug"
Sent: Friday, September 04, 2015 2:06 PM
To: Harlan Stenn
Cc: Birdwell, John D "Doug"; Wheeler, David A
Subject: FW: notification of potential security issue with ntpd version 4.2.8p3 (current release)

Harlan,

I submitted this to security at ntp.org last Friday and received a reply saying my email was being held for review by a moderator.  I haven't heard anything beyond that, and David Wheeler (a colleague at IDA) suggested I follow up with an email to you to be sure the email didn't get stuck in the "system".  Please let me know if you or others involved with ntp security issues need more information - and let me know you received this so that I know someone is looking into the issue.

Sincerely,
Doug Birdwell
Institute for Defense Analyses
jbirdwell at ida.org
cell: 865-389-6666

________________________________________
From: Birdwell, John D "Doug"
Sent: Friday, August 28, 2015 2:52 PM
To: security at ntp.org
Cc: Birdwell, John D "Doug"; Wheeler, David A
Subject: notification of potential security issue with ntpd version 4.2.8p3 (current release)

WARNING: THE ATTACHMENTS CONTAIN SENSITIVE INFORMATION

I believe we have found a potential vulnerability with the current release of the network time protocol daemon (ntpd / 4.2.8p3).  The short description is:

A single UDP packet sent to port 123 with the proper payload can cause the Network Time Protocol Daemon (ntpd), version 4.2.8p3, to exit with an error code.

This was found using American Fuzzy Lop with modifications we developed to support fuzzing of network servers and clients.  The attached text file (Linux format) provides more complete documentation of the tests we have performed and the results, and the attached tar file contains both Linux/UNIX and DOS/Windows versions of this document and the files necessary to reproduce the results.  The payload necessary to excite this issue is included in the tar file and is listed in the attached text file.  The other text files in the tar file have Linux/UNIX line endings.

This information has not been published or otherwise publicly disclosed.

I included the main IDA number in the attached files, but I am not normally in the DC area and you can reach me directly at my cell number.

Sincerely,
Doug Birdwell
Institute for Defense Analyses
jbirdwel at ida.org
cell: 865-389-6666
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Documentation of a Possible Vulnerability in NTPD 4.2.8p3-LinuxFmt.txt
URL: <http://lists.ntp.org/private/security/attachments/20150925/834d8158/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntpd-submission-20150828.tar
Type: application/x-tar
Size: 51200 bytes
Desc: ntpd-submission-20150828.tar
URL: <http://lists.ntp.org/private/security/attachments/20150925/834d8158/attachment-0001.tar>

