[ntp:security] [Bug 3119] Trap crash

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Fri Sep 23 07:35:31 UTC 2016


Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
           Priority|P5                          |P2
                 CC|                            |mvangund at cisco.com
              Flags|                            |blocking4.2.8+
           Severity|enhancement                 |critical

--- Comment #1 from Harlan Stenn <stenn at ntp.org> 2016-09-23 07:35:31 UTC ---

An exploitable denial of service vulnerability exists in the trap
functionality of ntpd.  If an ntpd instance is configured to send
traps, a specially crafted network packet can be used to cause a
null pointer dereference resulting in a denial of service.  This
vulnerability can be triggered by a remote unauthenticated attacker.

CVSSv2: 7.1 - (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVSSv3: 5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

:: Details

When reporting traps, the ntpd report_event(err, peer, str) function
asserts that peer != NULL if err is a "peer event".  Thus if
report_event() can be called with NULL peer parameter, ntpd will
abort() causing a DoS condition.

ntp-4.2.8p7 introduced a variety of validity checks on crypto-NAK
packets to address the nak-dos vulnerability (CVE-2016-1547).  When
any of these validity checks fail, ntpd reports an event to any trap
receivers with: report_event(PEVNT_AUTH, peer, "Invalid_NAK").

If the source address and mode of the incoming crypto-NAK packet do
not correspond to an existing peer, the peer argument will be NULL
causing the INSIST(peer != NULL) assertion to fail when
report_event() attempts to report the event to its trap recipients.

It may also be possible to trigger reporting of a peer event without a
valid peer on other code paths.  For example, check_leapsec() in
ntp_timer.c calls:

    report_event(PEVNT_ARMED, sys_peer, NULL);

If ntpd's sys_peer advertises a leap second and then the host
running ntpd becomes temporarily disconnected, it may be possible
for check_leapsec() to be called without a valid sys_peer leading
to the assertion failure above.

This crash can be reliably triggered on ntp-4.2.8p8.  We are
reporting this defect against NTPsec 0.9.3 as well because it
contains the same incorrect logic in report_event().  However we did
not attempt to exploit this vulnerability on NTPsec because
triggering a call to report_event() with a NULL peer is not as
straightforward as with ntp-4.2.8p8.

The fix for CRYPTO_NAK crash (CVE-2016-4957) introduced in
ntp-4.2.8p8 does not address this vulnerability.

Though traps are not configured in most common NTP environments,
attackers can employ "Network Time Protocol Control Mode
Unauthenticated Trap Information Disclosure and DDoS Amplification"
(TALOS-2016-0203) in order to configure a trap in order to exploit this

:: Mitigation

Successful exploitation of this vulnerability requires ntpd to be
configured with trap recipients.  Systems can be protected by
removing all "trap" commands from ntp.conf and adopting the
mitigations for "Network Time Protocol Control Mode Unauthenticated
Trap Information Disclosure and DDoS Amplification Vulnerability".

:: Credit

Discovered by Matthew Van Gundy of Cisco ASIG.

:: Timeline

2016-09-20 - Vendor Disclosure
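The crash path described in the comment above, modelled in C as an added example (this is not ntpd's or NTPsec's code, and the hardened variant is a constructed illustration, not the project's actual fix): a peer lookup that can return NULL, a report_event() whose INSIST(peer != NULL) aborts the daemon for a peer event, and a variant that drops such a report instead. The event flag values, peer addresses and function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the event-reporting path this bug describes.
 * Names echo ntpd's, but none of this is ntpd's or NTPsec's code. */
#define PEER_EVENT_FLAG 0x80
#define PEVNT_AUTH      (PEER_EVENT_FLAG | 0x0b)   /* values are assumed */
struct peer { const char *srcaddr; int hmode; };
/* Tiny stand-in for ntpd's association table: two configured peers. */
static const struct peer peers[] = {
    { "203.0.113.10", 3 }, { "203.0.113.11", 3 },
};
/* findpeer(): return the association for a source address, or NULL. */
static const struct peer *findpeer(const char *srcaddr) {
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        if (strcmp(peers[i].srcaddr, srcaddr) == 0)
            return &peers[i];
    return NULL;
}
enum outcome { REPORTED, ABORTED, DROPPED };
/* Vulnerable shape: INSIST(peer != NULL) for every peer event, so a
 * caller holding no peer takes ntpd down. abort() is modelled, not called. */
static enum outcome report_event_vuln(int err, const struct peer *p, const char *msg) {
    if ((err & PEER_EVENT_FLAG) && p == NULL)
        return ABORTED;                     /* INSIST fails -> abort() */
    printf("trap: 0x%02x %s from %s\n", err, msg, p ? p->srcaddr : "-");
    return REPORTED;
}
/* Hardened shape: a peer event without a peer is logged and dropped;
 * trap receivers are only notified when there is a peer to name. */
static enum outcome report_event_safe(int err, const struct peer *p, const char *msg) {
    if ((err & PEER_EVENT_FLAG) && p == NULL) {
        fprintf(stderr, "ignoring peer event 0x%02x (%s): no peer\n", err, msg);
        return DROPPED;
    }
    printf("trap: 0x%02x %s from %s\n", err, msg, p->srcaddr);
    return REPORTED;
}
/* Receive path for a crypto-NAK that failed validation: the peer lookup
 * yields NULL when the source is not a configured association. */
enum outcome handle_invalid_nak(const char *srcaddr, bool hardened) {
    const struct peer *p = findpeer(srcaddr);
    return hardened ? report_event_safe(PEVNT_AUTH, p, "Invalid_NAK")
                    : report_event_vuln(PEVNT_AUTH, p, "Invalid_NAK");
}
```

A NAK from a configured peer is reported on both paths; one from an unknown source aborts the vulnerable model and is merely dropped by the hardened one.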
