[ntp:security] [Bug 3453] Interleaved symmetric mode cannot recover from bad state

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Fri Jan 26 04:28:53 UTC 2018


--- Comment #1 from Harlan Stenn <stenn at ntp.org> 2018-01-26 04:28:37 UTC ---
Miroslav writes:

When a peer using the interleaved mode receives a packet with non-zero
timestamps, it does not update its state unless the origin timestamp
matches the receive timestamp of the previous packet. This prevents
the protocol from recovering when the peers are sending packets with
incorrect origin timestamps as they will both wait for a response that
the other peer cannot send.

An off-path attacker can exploit this issue to permanently break an
unauthenticated interleaved symmetric association by sending each peer
a spoofed packet with a zero origin timestamp and a random non-zero
receive timestamp. Off-path attackers are expected to be able to
disrupt the protocol with spoofed packets, but the protocol should
recover when the attack stops.

An attacker could potentially exploit it to permanently break an
authenticated association if there was an old authenticated packet
with zero origin timestamp and non-zero receive timestamp which could
be replayed to the peers.

It seems the issue was introduced in 4.2.8p4 and affected both basic
and interleaved modes in slightly different ways. The basic mode was
already fixed (in bug #2952?). The following patch fixes the
interleaved mode by updating the state even if the origin timestamp is

diff -up ntp-4.2.8p10/ntpd/ntp_proto.c.orig ntp-4.2.8p10/ntpd/ntp_proto.c
--- ntp-4.2.8p10/ntpd/ntp_proto.c.orig    2018-01-24 13:35:16.611488502 +0100
+++ ntp-4.2.8p10/ntpd/ntp_proto.c    2018-01-24 13:35:24.113505866 +0100
@@ -1774,7 +1774,6 @@ receive(
         peer->flags |= FLAG_XBOGUS;
         peer->flash |= TEST2;        /* bogus */
-        return; /* Bogus packet, we are done */
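Review bot: with the early `return` removed, a packet that fails the `!L_ISEQU(&p_org, &peer->dst)` check now falls through to whatever follows the hunk while `FLAG_XBOGUS` and `TEST2` stay set; the remainder of `receive()` is not shown, so confirm that the code after this point uses the bogus packet only to resynchronize the interleaved state and that `TEST2` still keeps it out of the clock filter. Also, the `@@ -1774,7 +1774,6 @@` header announces seven original lines but only three appear above, so the quoted hunk is truncated and the complete patch should be attached.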

