[ntp:security] [Bug 3114] Broadcast Mode Replay Prevention DoS

bugzilla-daemon at ntp.org
Mon Nov 14 22:12:56 UTC 2016


http://bugs.ntp.org/show_bug.cgi?id=3114

--- Comment #27 from Matthew Van Gundy <mvangund at cisco.com> 2016-11-14 22:12:56 UTC ---
(In reply to comment #25)
> Matt,
> 
> I think your CVSS scores are too high.  While AV:N is possible, it seems
> unreasonable.  AV:A is more reasonable.
> 
> NTP Broadcasts are *only* expected to be used on trusted network domains.  AV:N
> is clearly not a trusted network domain.  And the presence of a replay attack
> is evidence that the given network domain is not trustable.

Hi Harlan,

I took another look at it and AV:N is correct.  AV specifies the level of
access that an attacker must have in order to successfully exploit the
vulnerability, and an attacker can readily exploit this vulnerability from a
non-adjacent network.

To exploit this DoS, the attacker does not need to be able to sniff or replay
packets.  The attacker need only spoof the source address of the broadcast
server.  Because ntpd does not use the packet destination address to determine
which association an incoming packet belongs to, an attacker can target any NTP
broadcast client by sending the spoofed packets with:
srcaddr=broadcast_server_ip, dstaddr=victim_ip

Though it's not needed for this attack, if the victim's local subnet allows
ingress of broadcast packets, the attacker could also use:
srcaddr=broadcast_server_ip, dstaddr=subnet_broadcast_ip

Thanks,
Matt
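As an added illustration (not code from ntpd or from the bug report), the following Python model shows the point made in the comment above: when a broadcast client picks the association by packet source address alone, a mode-5 (broadcast) packet whose source is the broadcast server's address is delivered whether its destination is the subnet broadcast address or the victim's own unicast address, so the attacker needs no sniffing or replay capability, only the server's IP, which is why AV:N applies. The stricter source-plus-destination lookup is a hypothetical contrast for comparison, not a description of how ntpd was fixed, and the last scenario shows it does not help when spoofed packets addressed to the subnet broadcast address are allowed in. All addresses and the packet contents are constructed sample values.

```python
"""Model of broadcast-client association lookup, added as an illustration.
Not ntpd code; addresses and packet contents are constructed samples."""
import struct
from dataclasses import dataclass

NTP_HEADER_LEN = 48
MODE_BROADCAST = 5  # RFC 5905 mode 5: broadcast server -> clients


def build_ntp_packet(mode: int, stratum: int = 2, poll: int = 6,
                     precision: int = -20, leap: int = 0,
                     version: int = 4) -> bytes:
    """Minimal 48-byte NTPv4 header: LI/VN/mode, stratum, poll, precision,
    then zeroed root fields and timestamps (constructed sample payload)."""
    first_byte = (leap << 6) | (version << 3) | (mode & 0x07)
    header = struct.pack("!BBbb", first_byte, stratum, poll, precision)
    return header + b"\x00" * (NTP_HEADER_LEN - len(header))


def packet_mode(payload: bytes) -> int:
    """Extract the 3-bit mode field from the first header byte."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    return payload[0] & 0x07


@dataclass(frozen=True)
class IpPacket:
    src: str        # IP source address as seen by the receiver (spoofable)
    dst: str        # IP destination address
    payload: bytes  # NTP header


@dataclass
class BroadcastClientAssoc:
    server: str        # broadcast server this association listens to
    accepted: int = 0  # packets delivered to this association so far


class BroadcastClient:
    def __init__(self, own_ip: str, subnet_bcast: str, server_ip: str):
        self.own_ip = own_ip
        self.subnet_bcast = subnet_bcast
        # Association table keyed on peer (source) address only, which is
        # the behaviour the comment above describes for ntpd.
        self.assocs = {server_ip: BroadcastClientAssoc(server_ip)}

    def match(self, pkt: IpPacket, check_dst: bool):
        assoc = self.assocs.get(pkt.src)
        if assoc is None or packet_mode(pkt.payload) != MODE_BROADCAST:
            return None
        # Hypothetical stricter policy (not ntpd's fix): a broadcast-client
        # association only accepts packets actually sent to the broadcast
        # address. A spoofed packet addressed to that address still passes.
        if check_dst and pkt.dst != self.subnet_bcast:
            return None
        return assoc

    def receive(self, pkt: IpPacket, check_dst: bool = False) -> bool:
        """Return True if the packet is delivered to an association."""
        assoc = self.match(pkt, check_dst)
        if assoc is None:
            return False
        assoc.accepted += 1
        return True


def run_scenarios() -> dict:
    """Deliver four constructed packets under both lookup policies and
    report which ones reach the victim's broadcast-client association."""
    server, victim = "192.0.2.10", "192.0.2.50"
    bcast, attacker = "192.0.2.255", "198.51.100.7"  # attacker is off-subnet
    body = build_ntp_packet(MODE_BROADCAST)
    packets = {
        # genuine broadcast from the real server
        "legit_broadcast": IpPacket(server, bcast, body),
        # remote attacker spoofs the server's source, unicasts to the victim
        "spoofed_unicast_to_victim": IpPacket(server, victim, body),
        # same spoof, but addressed to the subnet broadcast address
        "spoofed_to_subnet_broadcast": IpPacket(server, bcast, body),
        # attacker's own source address: no matching association
        "unspoofed_from_attacker": IpPacket(attacker, victim, body),
    }
    results = {}
    for policy, check_dst in (("source_only", False),
                              ("source_and_dst", True)):
        client = BroadcastClient(victim, bcast, server)
        results[policy] = {name: client.receive(p, check_dst)
                           for name, p in packets.items()}
    return results


if __name__ == "__main__":
    for policy, outcome in run_scenarios().items():
        print(policy)
        for name, delivered in outcome.items():
            print(f"  {name:30s} delivered={delivered}")
```

Under the source-only policy the spoofed unicast packet is delivered exactly like a genuine broadcast, while the attacker's unspoofed packet is dropped, which is the whole of what the attacker must arrange: one IP address in the source field, no position on the victim's segment.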


