[ntp:security] [Bug 3114] Broadcast Mode Replay Prevention DoS

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Tue Nov 15 01:57:09 UTC 2016


http://bugs.ntp.org/show_bug.cgi?id=3114

--- Comment #28 from Harlan Stenn <stenn at ntp.org> 2016-11-15 01:57:09 UTC ---
(In reply to comment #27)
> (In reply to comment #25)
> > Matt,
> > 
> > I think your CVSS scores are too high.  While AV:N is possible, it seems
> > unreasonable.  AV:A is more reasonable.
> > 
> > NTP Broadcasts are *only* expected to be used on trusted network domains.  AV:N
> > is clearly not a trusted network domain.  And the presence of a replay attack
> > is evidence that the given network domain is not trustable.
> 
> Hi Harlan,
> 
> I took another look at it and AV:N is correct.  AV specifies the level of
> access that an attacker must have in order to successfully exploit the
> vulnerability, and an attacker can readily exploit this vulnerability from a
> non-adjacent network.
> 
> To exploit this DoS, the attacker does not need to be able to sniff or replay
> packets.  The attacker need only spoof the source address of the broadcast
> server.  Because ntpd does not use the packet destination address to determine
> which association an incoming packet belongs to, an attacker can target any NTP
> broadcast client by sending the spoofed packets with:
> srcaddr=broadcast_server_ip, dstaddr=victim_ip
> 
> Though it's not needed for this attack, if the victim's local subnet allows
> ingress of broadcast packets, the attacker could also use:
> srcaddr=broadcast_server_ip, dstaddr=subnet_broadcast_ip

Hi Matt,

Sure, but that means you don't have any sort of protection from bogus packets
entering your network.

How is this considered "normal" or "acceptable" practice?

If the attacker is spoofing the source address of the real broadcast server on
the broadcast network, that's the Adjacent network, as I scored it.
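
The root cause Matt describes above is that ntpd matches an incoming packet to a broadcast association by source address alone, never checking that the packet actually arrived on a broadcast or multicast destination. The following is an added illustration of such a destination check, written for this discussion; it is not ntpd's code and not code from either participant. It assumes a list of trusted broadcast server addresses and local subnets, and it only addresses the unicast-destination case: spoofed packets that reach the real subnet broadcast address still need ingress filtering at the network edge.

```python
import ipaddress

# Constructed mitigation sketch (hypothetical, not ntpd's implementation):
# a mode-5 (broadcast) NTP packet is only matched to a broadcast association
# if it came from a configured server AND arrived on a broadcast/multicast
# destination, so a unicast-addressed spoof cannot reach the association.
NTP_MODE_BROADCAST = 5


def ntp_mode(packet: bytes) -> int:
    """Return the 3-bit Mode field from the first NTP header byte (LI|VN|Mode)."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    return packet[0] & 0x07


def accept_broadcast_packet(packet, src_ip, dst_ip, trusted_servers, local_nets):
    """Decide whether a packet may be handed to a broadcast association.

    Returns (accepted, reason). Non-broadcast modes are passed through so the
    normal per-mode handling (not modelled here) can deal with them.
    """
    if ntp_mode(packet) != NTP_MODE_BROADCAST:
        return True, "not broadcast mode; handled elsewhere"
    if ipaddress.ip_address(src_ip) not in trusted_servers:
        return False, "unknown broadcast server"
    dst = ipaddress.ip_address(dst_ip)
    if dst.is_multicast:
        return True, "multicast destination"
    for net in local_nets:
        if dst == net.broadcast_address:
            return True, "subnet broadcast destination"
    # Source address looks like our server, but the packet was unicast to us:
    # this is exactly the srcaddr=broadcast_server_ip, dstaddr=victim_ip case.
    return False, "broadcast-mode packet to unicast destination"


# Constructed sample: NTPv4 header byte 0x25 = LI 0, VN 4, Mode 5, rest zeroed.
SAMPLE_BROADCAST_PACKET = bytes([0x25]) + bytes(47)
TRUSTED_SERVERS = {ipaddress.ip_address("192.0.2.1")}      # placeholder address
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]        # placeholder subnet
```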
