[ntp:security] [Bug 3043] Autokey association reset

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Thu May 5 12:45:02 UTC 2016


--- Comment #1 from Miroslav Lichvar <mlichvar at redhat.com> 2016-05-05 12:45:02 UTC ---
When a permanent NTP association is configured with autokey and a packet with
crypto-NAK or bad auth is received, the peer_clear() function is called to
reset autokey and other variables of the association. An attacker could
periodically send to the client spoofed crypto-NAKs or packets with bad MAC and
prevent synchronization of the client with the source.

Before calling peer_clear() the client should check if the origin timestamp is
valid and ignore spoofed packets.

I'm not sure if this is the only DoS attack on autokey or if it's worth fixing,
considering autokey is insecure.

Configure bugmail: https://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the security mailing list