NTP BUG 2879: Improve NTP security against buffer comparison timing attacks

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8p7	26 Apr 2016
References	Bug 2879	CVE-2016-1550
Affects	All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92.	Resolved in 4.2.8p7.
CVSS2 Score	LOW 2.6	AV:L/AC:H/Au:N/C:P/I:P/A:N
CVSS3 Score	MED 4.0	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Packet authentication tests have been performed using memcmp() or possibly bcmp(), and it is potentially possible for a local or perhaps LAN-based attacker to send a packet with an authentication payload and indirectly observe how much of the digest has matched.

Mitigation

Upgrade to 4.2.8p7 or later.
Properly monitor your ntpd instances.

Credit

This weakness was discovered independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

Timeline

2016 Apr 26: Public release
2016 Apr 12: Early Access Program Release: Premier and Partner Institutional Members
2016 Feb 14: Notification to Institutional Members
2016 Jan 12: Initial notification from Cisco