NTP BUG 3453: Interleaved symmetric mode cannot recover from bad state

Last update: June 27, 2022 20:45 UTC (51d68a4aa)


Summary

Resolved: 4.2.8p11, 27 Feb 2018
References: Bug 3453, CVE-2018-7184
Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11. Resolved in 4.2.8p11.
CVSS2 Score: MED 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N (could score between 2.9 and 6.8)
CVSS3 Score: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L (could score between 2.6 and 6.0)

Description

The fix for NTP Bug 2952 was incomplete: it fixed one problem but created another. Specifically, it drops bad packets before updating the “received” timestamp. This means a third party can inject a packet with a zero-origin timestamp, which signals that the sender wants to reset the association, and the transmit timestamp in this bogus packet will be saved as the most recent “received” timestamp. The real remote peer does not know this value, so the association is disrupted until it resets.
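
Added example (not part of the advisory and not ntpd code): a passive monitoring heuristic that flags symmetric-mode NTP packets carrying a zero origin timestamp on an association that has already exchanged non-zero origin timestamps. The input tuple layout, the function names and the sample packets are assumptions constructed for illustration; a genuine peer restart also raises this alert, so treat a hit as something to correlate with association disruption rather than as proof of injection.

```python
import struct

SYMMETRIC_MODES = {1, 2}  # 1 = symmetric active, 2 = symmetric passive

def parse_ntp(payload):
    """Return (mode, origin, transmit) from an NTP header, or None if too short."""
    if len(payload) < 48:
        return None
    mode = payload[0] & 0x07  # low three bits of the LI/VN/Mode byte
    # Origin, receive and transmit timestamps occupy bytes 24..47.
    origin, _receive, transmit = struct.unpack("!QQQ", payload[24:48])
    return mode, origin, transmit

def find_unexpected_resets(packets):
    """packets: iterable of (time, src, dst, udp_payload) tuples (assumed format).

    A zero origin timestamp is normal on the first packet of an association.
    Seeing one after the same src->dst flow already carried a non-zero origin
    means the sender, or someone using its address, is asking for a reset."""
    established = set()
    alerts = []
    for when, src, dst, payload in packets:
        parsed = parse_ntp(payload)
        if parsed is None or parsed[0] not in SYMMETRIC_MODES:
            continue
        _mode, origin, transmit = parsed
        flow = (src, dst)
        if origin != 0:
            established.add(flow)
        elif flow in established:
            alerts.append((when, src, dst, transmit))
    return alerts

def build(mode, origin, transmit, version=4):
    """Construct a minimal 48-byte NTP header for the sample data below."""
    first = (version << 3) | mode
    return struct.pack("!B3x", first) + bytes(20) + struct.pack("!QQQ", origin, 0, transmit)

# Constructed sample traffic; addresses are from the documentation range.
SAMPLE = [
    (0.0, "192.0.2.1", "192.0.2.2", build(1, 0, 0x1000)),        # association start
    (1.0, "192.0.2.2", "192.0.2.1", build(2, 0x1000, 0x2000)),
    (64.0, "192.0.2.1", "192.0.2.2", build(1, 0x2000, 0x3000)),
    (70.0, "192.0.2.1", "192.0.2.2", build(1, 0, 0xDEAD)),       # zero origin mid-association
    (80.0, "192.0.2.1", "192.0.2.2", build(3, 0, 0x5)),          # client mode, ignored
]

if __name__ == "__main__":
    for when, src, dst, xmt in find_unexpected_resets(SAMPLE):
        print(f"t={when}: zero-origin symmetric packet {src} -> {dst}, transmit=0x{xmt:x}")
```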


Mitigation


Credit

This weakness was discovered by Miroslav Lichvar of Red Hat.


Timeline