[ntp:security] ntpd security issue using Defensics ntp test suite for anomal mode

Renwang Liu renwang.liu at ericsson.com
Mon Jun 27 06:50:06 UTC 2016


Hi,
     We have come across this issue ,when using the defensic tool for the ntp server security test.

Linux (defensics )------------ntpd (SUT)
Test suite : Defensics NTP-Server test suite case #7607


- STATE THE PROBLEM/CUSTOMER IMPACT
NTPd starts responding from 0.0.0.0 which is causing connection loss with the server as the server doesn't accept response. This happens after packet with Mode anomaly is sent towards the node (see enclosure for detailed packet dump and pcap files).
- HOW TO REPRODUCE THE FAULT
Send 1 packet with crafted mode field
-TOPOLOGY
 ntpd<--- copper cable ---> Linux box
- FREQUENCY
100%
- WORKAROUND
N/A
- RECOVERY
Node restart

Please see the attachment for your referense
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ntp.org/private/security/attachments/20160627/9e4c62b1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntpd_mode.tgz
Type: application/x-compressed
Size: 1814 bytes
Desc: ntpd_mode.tgz
URL: <http://lists.ntp.org/private/security/attachments/20160627/9e4c62b1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iteroperability_and_case.pcapng
Type: application/octet-stream
Size: 4140 bytes
Desc: iteroperability_and_case.pcapng
URL: <http://lists.ntp.org/private/security/attachments/20160627/9e4c62b1/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntpv3_request_mode_anomaly
Type: application/octet-stream
Size: 48 bytes
Desc: ntpv3_request_mode_anomaly
URL: <http://lists.ntp.org/private/security/attachments/20160627/9e4c62b1/attachment-0001.obj>


More information about the security mailing list