NTP BUG 3007: CRYPTO-NAK DoS

Last update: June 28, 2022 20:06 UTC (57417e17c)


Summary

Resolved 4.2.8p7 26 Apr 2016
References Bug 3007 CVE-2016-1547
Affects All ntp-4 releases up to, but not including 4.2.8p7,
and 4.3.0 up to, but not including 4.3.92.
Resolved in 4.2.8p7.
CVSS2 Score MED 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3 Score LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

For ntp-4 versions up to but not including ntp-4.2.8p7, an off-path attacker can cause a preemptable client association to be demobilized by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled.

Furthermore, if the attacker keeps sending crypto NAK packets, for example one every second, the victim never has a chance to reestablish the association and synchronize time with that legitimate server.

For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more stringent checks are performed on incoming packets, but there are still ways to exploit this vulnerability in versions before ntp-4.2.8p7.


Mitigation


Credit

This weakness was discovered by Stephen Gray and Matthew Van Gundy of Cisco ASIG.


Timeline