Vulnerability Alert

Network Time Protocol Package Remote Message Loop Denial of Service Vulnerability

 
Threat Type: CWE-399: Resource Management Errors
IntelliShield ID: 19540
Version: 19
First Published: 2009 December 08 22:33 GMT
Last Published: 2013 March 28 19:51 GMT
Port: Not available
CVE: CVE-2009-3563
BugTraq ID: 37255
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 5.0
CVSS Version: 2.0
CVSS Temporal: 4.1
 
 
Version Summary: HP has released an additional security bulletin and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
 
 
Description
The Network Time Protocol (NTP) package contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to an error in handling certain malformed messages.  An unauthenticated, remote attacker could send a malicious NTP packet with a spoofed source IP address to a vulnerable host.  Once the host processes the packet, it could send a similar packet to another NTP host.  This action could start a message loop between both hosts that could cause them to consume excessive CPU resources and disk space writing messages to log files.  These two conditions could cause a DoS condition on the affected hosts.

Functional exploit code is available.

NTP.org has confirmed this vulnerability in a changelog and released updated software.

 
Warning Indicators
NTP versions 4.2.4p7 and prior are vulnerable.
 
IntelliShield Analysis
This vulnerability can be exploited in one of two ways. It can be used to attack a single system running NTP and cause it to send packets to itself. Alternatively, it could be used to target two systems running NTP. In this case, the two systems would rapidly send messages back and forth between each other, causing a DoS condition on each system as well as consuming network bandwidth to carry the messages.
 
Vendor Announcements
Cisco has released Cisco bug IDs CSCsz81239, CSCtd15613, CSCsz93757, CSCtc99277, CSCtc99290, CSCtc99299, CSCtc99306, CSCtc99318, CSCtd15631, CSCtd15623, CSCtd15595, CSCtd15641, and CSCtd75033 that confirm this vulnerability.

IBM has released APARs at the following links: IZ68659 and IZ71047

FreeBSD has released a security advisory at the following link: FreeBSD-SA-10:02

HP has released security bulletins c01961959, c01961950, c02737553, and c03714526 at the following links: HPSBOV02497 SSRT090245, HPSBTU02496 SSRT090245, HPSBUX02639 SSRT100293, and HPSBUX02859 SSRT101144

MontaVista Software has re-released a security alert for registered users on March 2, 2010, at the following link: MontaVista Security Fixes

NetBSD has released a security advisory at the following FTP link: NetBSD-SA2010-005

Nortel has released a security bulletin at the following link: 2009009932

Red Hat has released security advisories at the following links: RHSA-2009:1648 and RHSA-2009:1651

Sun has re-released an alert notification at the following link: 275590

US-CERT has released a vulnerability note at the following link: VU#568372

VMware has re-released security advisories at the following links: VMSA-2010-0009 and VMSA-2010-0004

 
Impact
Depending on how the attack is launched, an unauthenticated, remote attacker could exploit this vulnerability and cause a DoS condition on one or two NTP server systems. 
 
Technical Information
The vulnerability is in the handling of NTP mode 7 (MODE_PRIVATE) messages. 

An unauthenticated, remote attacker could send a malicious NTP mode 7 packet to a targeted system. This could cause the system to respond by sending another NTP mode 7 packet to itself or to another NTP host, depending on the source address of the malicious packet.  If the malicious packet has a source address of the targeted system, that system will repeatedly send packets to itself. If the malicious packet has a source address of a different NTP host, both hosts will send packets to each other.  The work of sending these packets will use all available CPU resources on the one or two affected systems. The exploit could also consume disk space when each message is written to a log file.
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to take measures against spoofing at the perimeter firewall.

Administrators are advised to monitor affected systems.
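
As an added example (not part of the Cisco alert), the following Python code shows one way to monitor for the two loop patterns described under Technical Information: mode 7 packets whose source equals their destination, and a rapid two-way mode 7 exchange between a pair of hosts. The record layout, the window and threshold values, and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

NTP_PORT = 123
MODE_PRIVATE = 7  # NTP mode is the low three bits of the first payload octet

def ntp_mode(payload: bytes):
    """Return the NTP mode (0-7) from the first payload octet, or None if empty."""
    return payload[0] & 0x07 if payload else None

def find_mode7_loops(packets, window=1.0, threshold=20):
    """packets: (ts, src, sport, dst, dport, payload) tuples sorted by ts.
    window/threshold are assumed tuning values. Returns sorted findings."""
    findings = set()
    recent = defaultdict(list)  # unordered host pair -> [(ts, sender), ...]
    for ts, src, sport, dst, dport, payload in packets:
        if NTP_PORT not in (sport, dport) or ntp_mode(payload) != MODE_PRIVATE:
            continue
        if src == dst:
            # A host sending mode 7 packets to itself is never legitimate.
            findings.add(("self-loop", src, dst))
            continue
        pair = tuple(sorted((src, dst)))
        hist = recent[pair]
        hist.append((ts, src))
        while hist and ts - hist[0][0] > window:
            hist.pop(0)  # keep only packets inside the sliding window
        # Flag only a high-rate exchange in which both hosts are senders,
        # so a one-off administrative mode 7 query is not reported.
        if len(hist) >= threshold and len({s for _, s in hist}) == 2:
            findings.add(("ping-pong", pair[0], pair[1]))
    return sorted(findings)

def sample_packets():
    """Constructed records using documentation addresses; not real traffic."""
    a, b, c, admin = "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.50"
    pkts = [(0.0, "192.0.2.10", 40000, a, 123, b"\x23"),  # ordinary mode 3 request
            (0.1, admin, 40001, a, 123, b"\x17"),         # single mode 7 query
            (0.2, a, 123, admin, 40001, b"\x97"),         # and its reply
            (0.3, c, 123, c, 123, b"\x97")]               # source equals destination
    for i in range(40):                                    # rapid two-way exchange
        src, dst = (a, b) if i % 2 == 0 else (b, a)
        pkts.append((1.0 + i * 0.01, src, 123, dst, 123, b"\x97"))
    return pkts

if __name__ == "__main__":
    for finding in find_mode7_loops(sample_packets()):
        print(finding)
```
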

 
Patches/Software
NTP.org has released updated software at the following link: NTP 4.2.4p8

CentOS packages can be updated using the up2date or yum command.

FreeBSD has released patches at the following HTTP link: ntpd.patch

HP has released updated software at the following links:

Itanium Images
V55_ECO3 (NTP Patch)
V56_ECO4 (NTP Patch)

Alpha Images
V55_ECO3 (NTP Patch)
V56_ECO4 (NTP Patch)

Tru64 UNIX
v5.1B-5 PK7 (NTP Patch)
v5.1B-4 PK6 (NTP Patch)

HP-UX
HP-UX B.11.31 NTP version 4

HP customers are advised to acquire the patches via normal HP support channels.

MontaVista Software has released updated software for registered users at the following links:

PRO 5.0.24
PRO 5.0
PRO 4.0.1
CGE 4.0.1
MOBILINUX 5.0.24
MOBILINUX 4.1
MOBILINUX 4.0.2
MVL 5
MOBILINUX 5.0
CGE 5.1

NetBSD has released information on obtaining source code patches at the following FTP link: NetBSD

Nortel has released information about updated software at the following link: 2009009932

Red Hat packages can be updated using the up2date or yum command.

Sun has released updated software for registered users at the following links:

SPARC
Solaris 9 with patch 117143-02 or later
Solaris 10 xntpd (SUNWntpu) with patch 127724-02 or later
Solaris 10 ntpd (SUNWntp4u) with patch 143725-01 or later

Intel
Solaris 9 with patch 117144-02 or later
Solaris 10 xntpd (SUNWntpu) with patch 127725-02 or later
Solaris 10 ntpd (SUNWntp4u) with patch 143726-01 or later

VMware has released updated software at the following links:

ESXi 4.0
ESXi400-201005401-SG

ESXi 3.5
ESXe350-201006401-I-SG

ESX 4.0
ESX400-201005404-SG

ESX 3.5
ESX350-201006407-SG

VMware vMA 4.0 can be updated to Patch 3 using the sudo /usr/sbin/vima-update update command.


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID   Signature Name                        Release   Latest Release Date
1090/0         NTP MODE_PRIVATE Denial of Service    S676      2012 Oct 24
1090/1         NTP MODE_PRIVATE Denial of Service    S676      2012 Oct 24
1090/2         NTP MODE_PRIVATE Denial of Service    S676      2012 Oct 24
1102/0         Impossible IP Packet                  S473      2010 Feb 25
 
Alert History
 

Version 18, April 4, 2011, 4:04 AM: HP has released an additional security bulletin and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 17, October 6, 2010, 8:04 AM: HP has released an additional security bulletin and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 16, June 28, 2010, 8:22 AM: VMware has re-released security advisories and provided updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 15, June 1, 2010, 10:53 AM: VMware has released a security advisory and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 14, April 27, 2010, 9:26 AM: NetBSD has released a security advisory and updated packages to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 13, April 14, 2010, 8:53 AM: Sun has re-released an alert notification with updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 12, March 24, 2010, 11:50 AM: HP has released a security bulletin and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 11, March 12, 2010, 8:12 AM: Sun has re-released an alert notification and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 10, March 5, 2010, 9:50 AM: VMware has released a security advisory and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 9, March 3, 2010, 8:36 AM: MontaVista Software has re-released a security alert and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.  IBM has also released APARs to address this vulnerability.

Version 8, February 23, 2010, 9:36 AM: MontaVista Software has released a security alert and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 7, January 15, 2010, 8:50 AM: Sun has released an alert notification and Interim Security Relief software to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 6, January 7, 2010, 11:07 AM: FreeBSD has released a security advisory and updated packages to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 5, December 21, 2009, 12:09 PM: Nortel has released a security bulletin regarding updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.  CentOS has released additional updated packages to address the vulnerability.

Version 4, December 15, 2009, 5:35 PM: CentOS has re-released updated packages to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 3, December 11, 2009, 6:44 PM: Cisco has confirmed that additional products are affected by the Network Time Protocol package remote message loop denial of service vulnerability and has issued a bug ID.  Functional exploit code is also available.

Version 2, December 9, 2009, 8:13 AM: CentOS has released updated packages to address the Network Time Protocol package remote message loop denial of service vulnerability.

Version 1, December 8, 2009, 5:33 PM: Network Time Protocol package contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition.  Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
ntp.org: Network Time Protocol (ntp) 4.2 .0a, .2, .2p1, .2p2, .2p3, .2p4, .4, .4p1, .4p2, .4p3, .4p4, .4p5, .4p6, .4p7

Associated Products:
CentOS Project: CentOS 3 .0 i386, .0 x86_64, .0 s390x, .0 ia64 | 4 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64, .4 i386, .4 x86_64, .5 i386, .5 x86_64, .6 i386, .6 x86_64, .7 i386, .7 x86_64 | 5 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64
Cisco: Cisco ACE XML Gateway Software 6.0 (3) | 6.1 Base
Cisco: Cisco Digital Media Player Software 5.0 Base, .2, .3 | 4.1 Base | 4.2 Base
Cisco: Cisco IP Interoperability and Communications System (IPICS) 4.0 (1)
Cisco: Cisco MeetingPlace Server 5.4 (19) | 5.3 Base, (1.15) | 6.0 Base, (1.12)
Cisco: Cisco NX-OS Software 4.0 (1a)E1(1) | 4.1 .(3), .(4), (2)E1(1), (5) | 5.0 (0.54)
Cisco: Cisco TelePresence 1.1 .1 | 1.2 .0, .1, .2
Cisco: Cisco Unified Communications Manager 7.1 (3) | 8.0 Base
Cisco: Cisco Wide Area Application Services (WAAS) 4.0 (23) | 4.1 (1e) | 4.2 (1)
FreeBSD Project: FreeBSD 6.3 Base | 6.4 Base | 7.0 Base | 7.1 Base | 7.2 Base | 8.0 Base
HP: HP TCP/IP Services for OpenVMS 5.5 alpha, i64 | 5.6 alpha, i64
HP: HP-UX 11.11/11i Base | 11.23 Base | 11.31 Base
HP: Tru64 UNIX 5.1B-4 PK 6 | 5.1B-5 PK 7
IBM: AIX 5.3 Base, .7.0, .7.1, .8, .9 | 6.1 .0, .1, .2, .3
MontaVista: MontaVista Linux 5 Base | Professional 4.0.1, 5.0, 5.0.24 | Mobilinux 4.0.2, 4.1, 5.0, 5.0.24 | CGE 4.0.1, 5.1
NetBSD Foundation: NetBSD 4.0 Base, .1 | 5.0 Base, .1
Nortel Networks: Communication Server 1000 Telephony Manager 3.00 .888
Red Hat, Inc.: Red Hat Desktop 3 i386, i686, x86_64 | 4 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux 5 IA-32, IA-64, PPC, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Advanced Server 3 amd64 (x86_64), i386, i686, ia64, PPC, s390, s390x | 4 IA-32, IA-64, x86_64, PPC, s390, s390x | 4.8.z IA-32, IA-64, x86_64, PPC, s390, s390x
Red Hat, Inc.: Red Hat Enterprise Linux Enterprise Server 3 amd64 (x86_64), i386, i686, ia64 | 4 IA-32, IA-64, x86_64 | 4.8.z IA-32, IA-64, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux EUS (Extended Update Support) 5.4.z IA-32, IA-64, PPC, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Workstation 3 amd64 (x86_64), i386, i686, ia64 | 4 IA-32, IA-64, x86_64
Sun Microsystems, Inc.: Solaris 9 sparc, intel | 10 sparc, x64/x86
VMware, Inc.: vMA 4.0 Base
VMware, Inc.: VMware ESX Server 2.5 .5 | 3.0 .3 | 3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base
VMware, Inc.: VMware ESXi 3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.