[ntp:security] [Bug 2947] Ntpq vulnerable to replay attacks

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Mon Feb 6 13:41:16 UTC 2017


http://bugs.ntp.org/show_bug.cgi?id=2947

Ulrich Windl <windl at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |windl at ntp.org

--- Comment #2 from Ulrich Windl <windl at ntp.org> 2017-02-06 13:41:16 UTC ---
Comments on attachment 1352: As the ntpq protocol is session-less, it makes
little sense to talk about "starting a session with the server".
A rather spontaneous idea would be similar, however:
Add a new extension field for ntpq requests that consists of a one-time random
number (or some magic octet sequence). A client wanting to change a setting
would request such a number from the server, and then the next command adds
that number as an extension field. The server would only accept the command with
the extension field if the number matches the value sent (for that client (IP)). So
the replayed packet would be valid according to the signature, but it would not
be valid according to the random number in the extension field. Without such an
extension field, compatibility (and replay) is possible. The drawback is one extra
packet exchange for every change operation.

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
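
The nonce exchange proposed in Comment #2, sketched as an added example that is not part of the original message and is not ntpd/ntpq code. The packet layout (one length octet, nonce, command, MAC), the HMAC-SHA256 stand-in for the ntpq MAC, the key, the `require_nonce` switch and the documentation-range address used in testing are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-key"  # constructed sample key, not a real ntp.keys entry
MAC_LEN = 32                     # HMAC-SHA256 stands in for the ntpq MAC (assumption)


def _mac(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).digest()


def sign(command: bytes, nonce: bytes = b"") -> bytes:
    """Client side: MAC covers the nonce field and the command (hypothetical layout)."""
    body = len(nonce).to_bytes(1, "big") + nonce + command
    return body + _mac(body)


class Server:
    def __init__(self, require_nonce: bool = True):
        self.pending = {}                   # client IP -> outstanding one-time nonce
        self.require_nonce = require_nonce  # False = accept legacy requests

    def issue_nonce(self, client_ip: str) -> bytes:
        """The extra packet exchange: hand the client a fresh random number."""
        self.pending[client_ip] = secrets.token_bytes(16)
        return self.pending[client_ip]

    def handle(self, client_ip: str, packet: bytes) -> str:
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        if len(packet) <= MAC_LEN or not hmac.compare_digest(mac, _mac(body)):
            return "bad-mac"
        n = body[0]
        nonce, command = body[1:1 + n], body[1 + n:]
        if not nonce:
            # No extension field: compatible with old clients, but replayable.
            if self.require_nonce:
                return "rejected-no-nonce"
            return "applied:" + command.decode()
        expected = self.pending.get(client_ip)
        if expected is None or not hmac.compare_digest(nonce, expected):
            return "rejected-nonce"         # valid signature, stale random number
        del self.pending[client_ip]         # single use: consumed only on a match
        return "applied:" + command.decode()
```

With `require_nonce=False` the server still applies a captured request that carries no nonce field, which is the compatibility trade-off the comment points out.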

