[ntp:security] Fwd: Questions about CVE-2019-11331

Harlan Stenn stenn at nwtime.org
Tue Apr 30 22:49:04 UTC 2019



On 4/30/19 1:59 PM, Danny Mayer wrote:
> Thinking about this some more, I don't see how an off-path attack can
> succeed. A properly written ntp server will check the initial timestamp
> to make sure it matches what it sent and will drop any incoming packet
> that doesn't match that timestamp.
> 
> Am I confused about what this CVE is claiming?

I have not carefully read it, but from what I've seen the CVE report is
... invalid.

H
--
> Danny
> 
> On 4/29/19 10:43 PM, Danny Mayer wrote:
>> is this the impetus for draft-gont-ntp-port-randomization-00.txt?
>>
>> I still don't believe that this is a vulnerability, and I'm not clear
>> why we need to randomize the port. NTP has builtin protections already
>> against attacks like this so I would need to understand why it is
>> considered a vulnerability. The contents that I was able to find online
>> told me almost nothing.
>>
>> Danny
>>
>> On 4/29/19 4:41 PM, Harlan Stenn wrote:
>>> On 4/29/2019 11:31 AM, stevos at nwtime.org wrote:
>>>> Harlan and Matt,
>>>>
>>>> Should we reach out to Art Manion? 
>>> Art is at CERT. This report came thru Mitre. Daniel Andolfi is the
>>> most recent contact we have at Mitre.
>>>
>>> There are at least 2 issues here:
>>>
>>> - The CVE was filed and we were never notified
>>> - The content of the CVE was apparently not vetted, and appears
>>> to contain a number of ... bogus claims.
>>>
>>>> On another note, do we have the CVE#s listed in Bugzilla with the
>>>> associated bugs that do get reported? Seems like more folks use the
>>>> CVE# to call out bugs than they do the numbers we assign to them in
>>>> Bugzilla.
>>> With enough money to upgrade support.ntp.org and our bugzilla, we can
>>> more easily link our bug IDs to CVEs. We use support.ntp.org and our
>>> bugzilla because we *use* our bugzilla. We don't do our work from the
>>> CVE website.
>>>
>>> H
>>> --
>>>> Steve
>>>>
>>>> -----Original Message-----
>>>> From: security <security-bounces+stevos=nwtime.org at lists.ntp.org> On
>>>> Behalf Of Harlan Stenn
>>>> Sent: Monday, April 29, 2019 3:53 AM
>>>> To: Matt Ploessel <matt.ploessel at gmail.com>; security at ntp.org
>>>> Subject: [ntp:security] Fwd: Questions about CVE-2019-11331
>>>>
>>>> Matt,
>>>>
>>>> It looks like somebody opened up this CVE and never notified us.
>>>>
>>>> It also looks like this report is bogus, but I just heard about it in
>>>> the last few minutes and I'd like to check it out before I say more.
>>>>
>>>> I've already heard from one big customer asking about it, as they
>>>> gave it a CVSS3 score of 9.8, which seems insane and irresponsible.
>>>>
>>>> Not the sort of thing I want to see at 0345 when I'm about to fall
>>>> asleep.
>>>>
>>>> H
>>>>
>>>> PS - I'm not sending this encrypted because our PGP key has expired
>>>> and Brad hasn't had time to refresh that yet. I've asked him if he
>>>> can get that done sometime "today".
>>>>
>>>> -------- Forwarded Message --------
>>>> Return-Path: <stenn at nwtime.org>
>>>> X-Original-To: stenn at nwtime.org
>>>> Delivered-To: stenn at nwtime.org
>>>> Received: from [10.208.75.157] (75-139-194-196.dhcp.knwc.wa.charter.com
>>>> [75.139.194.196]) (using TLSv1 with cipher AES256-SHA (256/256 bits))
>>>> (No client certificate requested) by chessie.everett.org (Postfix)
>>>> with ESMTPSA id 44t1VS3XtgzL7N; Mon, 29 Apr 2019 10:44:00 +0000 (UTC)
>>>> Subject: Re: Questions about CVE-2019-11331
>>>> From: Harlan Stenn <stenn at nwtime.org>
>>>> To: Marius Rohde <marius.rohde at meinberg.de>
>>>> Cc: Steve Sullivan <stevos at nwtime.org>
>>>> References: <1747911970-17953 at srv-kerioconnect.py.meinberg.de>
>>>> <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>
>>>> Openpgp: preference=signencrypt
>>>> Message-ID: <f7f8449c-5440-334f-0e0c-e97628354e44 at nwtime.org>
>>>> Date: Mon, 29 Apr 2019 03:43:58 -0700
>>>> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
>>>> Thunderbird/60.6.1
>>>> MIME-Version: 1.0
>>>> In-Reply-To: <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>
>>>> Content-Type: text/plain; charset=utf-8
>>>> Content-Language: en-US
>>>> Content-Transfer-Encoding: 8bit
>>>>
>>>> Hi Marius,
>>>>
>>>> Nobody told us about this one.
>>>>
>>>> I'm not certain yet, but this seems completely bogus to me.
>>>>
>>>> I'll loop in some wizards and see what I can find.
>>>>
>>>> H
>>>>
>>>> On 4/29/2019 3:35 AM, Harlan Stenn wrote:
>>>>> Hi Marius,
>>>>>
>>>>> On 4/29/2019 1:37 AM, Marius Rohde wrote:
>>>>>> Hi Harlan,
>>>>>>
>>>>>> we have seen that the problem with the standard port usage is rated
>>>>>> critical in the CVE database.
>>>>>> Do you have more background information? Is there a known exploit
>>>>>> that is able to do an ntp path-off attack?
>>>>> Which bug corresponds to this CVE report? I'm not seeing it in any
>>>>> of our content.
>>>>>
>>>>> H
>>>>> --
>>>>>> Thank you in advance.
>>>>>>
>>>>>> Mit freundlichem Gruß / With kind regards *Marius Rohde*
>>>>>>
>>>>>> *MEINBERG Funkuhren GmbH & Co. KG*
>>>>>> Lange Wand 9
>>>>>> D-31812 Bad Pyrmont, Germany
>>>>>> Phone: +49 (0)5281 9309-485
>>>>>> Fax: +49 (0)5281 9309-230
>>>>>> Amtsgericht Hannover 17HRA 100322
>>>>>> Geschäftsführer: Günter Meinberg, Werner Meinberg, Andre Hartmann,
>>>>>> Heiko Gerstung
>>>>>> Email: marius.rohde at meinberg.de <http://marius.rohde@meinberg.de>
>>>>>> Internet: www.meinberg.de <https://www.meinberg.de> /
>>>>>> www.meinbergglobal.com <https://www.meinbergglobal.com> /
>>>>>> www.meinberg.academy <https://www.meinberg.academy>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> --- *MEINBERG - Solutions for Time and Frequency Synchronization*
>>>>>>
>>>> --
>>>> Harlan Stenn, Network Time Foundation
>>>> http://nwtime.org - be a Member!
>>>> _______________________________________________
>>>> security mailing list
>>>> security at lists.ntp.org
>>>> http://lists.ntp.org/listinfo/security
>>>>

-- 
Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!
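
The origin-timestamp check Danny Mayer describes in the quoted text above, as an added example that is not part of the original thread and is not the NTP project's code: the side that sent a request remembers the 64-bit transmit timestamp it used and drops any reply whose origin timestamp differs. The names Association, build_packet and demo, and all timestamp values, are constructed for illustration.

```python
import struct

HDR = struct.Struct("!BBBbII4sQQQQ")  # 48-byte NTP header, no extensions or MAC
MODE_CLIENT, MODE_SERVER = 3, 4


def build_packet(mode, origin=0, receive=0, transmit=0):
    """Pack an NTPv4 header; only the fields this check reads are filled in."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode  # LI=0, VN=4
    return HDR.pack(li_vn_mode, 0, 0, 0, 0, 0, b"\0" * 4, 0,
                    origin, receive, transmit)


class Association:
    """Per-server state (hypothetical): remembers the timestamp last sent."""

    def __init__(self):
        self.pending_origin = None

    def send_request(self, transmit_ts):
        self.pending_origin = transmit_ts
        return build_packet(MODE_CLIENT, transmit=transmit_ts)

    def receive(self, packet):
        """Return (accepted, reason) for one incoming datagram."""
        if len(packet) < HDR.size:
            return False, "short packet"
        fields = HDR.unpack(packet[:HDR.size])
        mode, origin, transmit = fields[0] & 0x7, fields[8], fields[10]
        if mode != MODE_SERVER:
            return False, "unexpected mode"
        if self.pending_origin is None:
            return False, "no request outstanding"
        if origin != self.pending_origin:
            return False, "origin timestamp mismatch"
        if transmit == 0:
            return False, "zero transmit timestamp"
        self.pending_origin = None  # one reply per request; duplicates drop
        return True, "accepted"


def demo():
    sent = 0xE0721A0F_3C5D9B41  # constructed 64-bit transmit timestamp
    assoc = Association()
    assoc.send_request(sent)
    # A sender who never saw the request has to guess the origin field.
    guessed = build_packet(MODE_SERVER, origin=0xE0721A0F_00000000,
                           transmit=sent + 5)
    genuine = build_packet(MODE_SERVER, origin=sent, receive=sent + 1,
                           transmit=sent + 2)
    return [assoc.receive(guessed), assoc.receive(genuine),
            assoc.receive(genuine)]
```

The third call in demo() replays the genuine reply and is dropped because the pending timestamp is cleared on first acceptance.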

