NTP BUG 2672: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed
Last update: June 28, 2022 20:06 UTC (57417e17c)
While available kernels will prevent 127.0.0.1 addresses from “appearing” on non-localhost IPv4 interfaces, some kernels do not offer the same protection for ::1 source addresses on IPv6 interfaces. Since NTP’s access control is based on source address and localhost addresses generally have no restrictions, an attacker can send malicious control and configuration packets by spoofing ::1 addresses from the outside.
NOTE: This is not really a bug in NTP, it’s a problem with some OSes. If you have one of these OSes where ::1 can be spoofed, ALL ::1 -based ACL restrictions on any application can be bypassed!
- Upgrade to 4.2.8p1 or later.
- Install firewall rules to block packets claiming to come from ::1 from inappropriate network interfaces.
This vulnerability was discovered by Stephen Roettger of the Google Security Team.