HP has released an additional security bulletin and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Description
The Network Time Protocol (NTP) package contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to an error in handling certain malformed messages. An unauthenticated, remote attacker could send a malicious NTP packet with a spoofed source IP address to a vulnerable host. Once the host processes the packet, it could send a similar packet to another NTP host. This action could start a message loop between both hosts that could cause them to consume excessive CPU resources and disk space writing messages to log files. These two conditions could cause a DoS condition on the affected hosts.
Functional exploit code is available.
NTP.org has confirmed this vulnerability in a changelog and released updated software.
Warning Indicators
NTP versions 4.2.4p7 and prior are vulnerable.
IntelliShield Analysis
This vulnerability can be exploited in one of two ways. It can be used to attack a single system running NTP and cause it to send packets to itself. Alternatively, it could be used to target two systems running NTP. In this case, the two systems would rapidly send messages back and forth between each other, causing a DoS condition on each system as well as consuming network bandwidth to carry the messages.
Depending on how the attack is launched, an unauthenticated, remote attacker could exploit this vulnerability and cause a DoS condition on one or two NTP server systems.
Technical Information
The vulnerability is in the handling of NTP mode 7 (MODE_PRIVATE) messages.
An unauthenticated, remote attacker could send a malicious NTP mode 7 packet to a targeted system. This could cause the system to respond by sending another NTP mode 7 packet to itself or to another NTP host, depending on the source address of the malicious packet. If the malicious packet has a source address of the targeted system, that system will repeatedly send packets to itself. If the malicious packet has a source address of a different NTP host, both hosts will send packets to each other. The work of sending these packets will use all available CPU resources on the one or two affected systems. The exploit could also consume disk space when each message is written to a log file.
Safeguards
Administrators are advised to apply the appropriate updates.
Administrators are advised to take measures against spoofing at the perimeter firewall.
Administrators are advised to monitor affected systems.
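As one way to carry out the monitoring advised above, the following added example (not part of the original alert or of any vendor's tooling) flags the two traffic patterns described under Technical Information: a mode 7 packet whose source and destination are the same host, and two NTP hosts sending mode 7 packets to each other. The packet tuple layout, the function names and the `window` and `threshold` values are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict

NTP_PORT = 123
MODE_PRIVATE = 7  # NTP mode 7, the message type named in the alert

def ntp_mode(payload: bytes):
    """The mode is the low three bits of the first NTP header byte."""
    return payload[0] & 0x07 if payload else None

def find_mode7_loops(packets, window=1.0, threshold=20):
    """Return sorted (kind, host_a, host_b) findings.

    packets: (timestamp, src_ip, dst_ip, src_port, dst_port, payload) tuples.
    window/threshold are assumed tuning values, not taken from the alert.
    """
    findings = set()
    flows = defaultdict(list)  # frozenset({a, b}) -> [(timestamp, src), ...]
    for ts, src, dst, sport, dport, payload in packets:
        if dport != NTP_PORT or ntp_mode(payload) != MODE_PRIVATE:
            continue
        if src == dst:  # host addressed by a packet claiming to be from itself
            findings.add(("self-loop", src, dst))
        elif sport == NTP_PORT:  # daemon-to-daemon: port 123 on both ends
            flows[frozenset((src, dst))].append((ts, src))
    for pair, events in flows.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            # A loop needs a dense burst with BOTH hosts sending.
            if len(burst) >= threshold and len({s for _, s in burst}) == 2:
                findings.add(("pair-loop", *sorted(pair)))
                break
    return sorted(findings)

# Constructed sample traffic using documentation address ranges.
MODE7 = bytes([0x97, 0, 0, 0])     # first byte ends in 111 -> mode 7
MODE3 = bytes([0x23]) + bytes(47)  # ordinary client request, mode 3
SAMPLE = (
    [(i * 0.01, "192.0.2.10", "192.0.2.20", 123, 123, MODE7) for i in range(0, 40, 2)]
    + [(i * 0.01, "192.0.2.20", "192.0.2.10", 123, 123, MODE7) for i in range(1, 40, 2)]
    + [(0.5, "198.51.100.5", "198.51.100.5", 123, 123, MODE7)]
    + [(0.6, "203.0.113.7", "192.0.2.10", 40000, 123, MODE3)]
)

if __name__ == "__main__":
    for finding in find_mode7_loops(SAMPLE):
        print(finding)
```

A burst of mode 7 packets from only one of the two hosts is not reported as a pair loop, since the alert describes both hosts sending to each other.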
Patches/Software
NTP.org has released updated software at the following link: NTP 4.2.4p8
CentOS packages can be updated using the up2date or yum command.
FreeBSD has released patches at the following HTTP link: ntpd.patch
HP has released updated software at the following links:
NetBSD has released information on obtaining source code patches at the following FTP link: NetBSD
Nortel has released information about updated software at the following link: 2009009932
Red Hat packages can be updated using the up2date or yum command.
Sun has released updated software for registered users at the following links:
SPARC
Solaris 9 with patch 117143-02 or later
Solaris 10 xntpd (SUNWntpu) with patch 127724-02 or later
Solaris 10 ntpd (SUNWntp4u) with patch 143725-01 or later
Intel
Solaris 9 with patch 117144-02 or later
Solaris 10 xntpd (SUNWntpu) with patch 127725-02 or later
Solaris 10 ntpd (SUNWntp4u) with patch 143726-01 or later
VMware has released updated software at the following links:
Version 18, April 4, 2011, 4:04 AM: HP has released an additional security bulletin and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 17, October 6, 2010, 8:04 AM: HP has released an additional security bulletin and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 16, June 28, 2010, 8:22 AM: VMware has re-released security advisories and provided updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 15, June 1, 2010, 10:53 AM: VMware has released a security advisory and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 14, April 27, 2010, 9:26 AM: NetBSD has released a security advisory and updated packages to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 13, April 14, 2010, 8:53 AM: Sun has re-released an alert notification with updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 12, March 24, 2010, 11:50 AM: HP has released a security bulletin and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 11, March 12, 2010, 8:12 AM: Sun has re-released an alert notification and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 10, March 5, 2010, 9:50 AM: VMware has released a security advisory and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 9, March 3, 2010, 8:36 AM: MontaVista Software has re-released a security alert and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability. IBM has also released APARs to address this vulnerability.
Version 8, February 23, 2010, 9:36 AM: MontaVista Software has released a security alert and updated software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 7, January 15, 2010, 8:50 AM: Sun has released an alert notification and Interim Security Relief software to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 6, January 7, 2010, 11:07 AM: FreeBSD has released a security advisory and updated packages to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 5, December 21, 2009, 12:09 PM: Nortel has released a security bulletin regarding updated software to address the Network Time Protocol package remote message loop denial of service vulnerability. CentOS has released additional updated packages to address the vulnerability.
Version 4, December 15, 2009, 5:35 PM: CentOS has re-released updated packages to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 3, December 11, 2009, 6:44 PM: Cisco has confirmed that additional products are affected by the Network Time Protocol package remote message loop denial of service vulnerability and has issued a bug ID. Functional exploit code is also available.
Version 2, December 9, 2009, 8:13 AM: CentOS has released updated packages to address the Network Time Protocol package remote message loop denial of service vulnerability.
Version 1, December 8, 2009, 5:33 PM: Network Time Protocol package contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.