Update on the latest batch of CVEs

Daniel Franke dfoxfranke at gmail.com
Tue Nov 22 23:22:04 UTC 2016


NTP Classic announced 10 new CVEs yesterday. Of them, six have no
impact on NTPsec:

CVE-2016-9311: Trap crash
CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and
DDoS vector
CVE-2016-7427: Broadcast Mode Replay Prevention DoS
CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS
CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet
CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass

One we independently found and fixed in 0.9.4 but it impacts 0.9.0
through 0.9.3:

CVE-2016-7433: Reboot sync calculation problem

Note that we didn't treat this one as a security issue at the time. In
retrospect, we probably should have. Low severity, but a vulnerability
nonetheless.

One is bogus:

CVE-2016-7426: Client rate limiting and server responses

The behavior described in this advisory reflects rate-limiting working
as designed, and the resulting potential for denial of service is a
well-understood consequence that I've been harping about for years. I
may add support for a configuration option to exempt mode 4 packets
from rate-limiting, but I'm not going to treat this as an urgent
security issue.

Finally, two do impact NTPsec:

CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal()
CVE-2016-7429: Interface selection attack

I've ported the patches for these issues from NTP Classic and pushed
them to HEAD.

Of these issues, only the first is worth worrying about: processing
certain malformed mode 6 (i.e., ntpq) packets can trigger a null
pointer dereference in ntpd, resulting in a crash. Use of 'restrict
noquery' directives is sufficient to prevent the vulnerable code from
executing, so if your system is configured to only allow ntpq queries
from localhost then this is not remotely exploitable.

CVE-2016-7429 is another DoS vulnerability, but in order for it to be
exploitable you have to have disabled RP filtering in your kernel.
Furthermore, the attacker needs to be positioned on a network
interface different from the one you use to access your time servers.
So, e.g., if you're running ntpd on your home router and have RP
filtering turned off, then an adversary on the internet can prevent
you from syncing with time servers on your LAN, and an adversary on
your LAN can prevent you from syncing with time servers on the
internet.

I'm not quite ready for us to tag a release yet. I still need to
update the NEWS file, and more importantly I need to finish up some
testing, cleanup, and documentation updates left over from my protocol
refactor. I'll get this done ASAP, hopefully by tomorrow.
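As an added check, not part of the post or of NTPsec's own tooling: a small Python audit of an ntp.conf that reports which `restrict` scopes still admit mode 6 (ntpq) queries, i.e. where the 'restrict noquery' mitigation for CVE-2016-7434 is not in force. The two configuration fragments are constructed samples (one weak, one hardened); the hostname in them is a placeholder.

```python
import shlex

# Constructed sample ntp.conf fragments (not from the post): the first leaves
# mode 6 queries open to any address, the second applies 'restrict noquery'
# by default and exempts only loopback.
WEAK_CONF = """
driftfile /var/lib/ntp/ntp.drift
server pool.example.invalid iburst      # placeholder hostname
restrict 127.0.0.1
"""

HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server pool.example.invalid iburst      # placeholder hostname
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

LOOPBACK = {"127.0.0.1", "::1"}

def parse_restrict(conf_text):
    """Yield (scope, flags) for every 'restrict' directive; '#' comments stripped."""
    for raw in conf_text.splitlines():
        words = shlex.split(raw.split("#", 1)[0])
        if not words or words[0] != "restrict":
            continue
        args = [w for w in words[1:] if w not in ("-4", "-6")]   # family selectors
        if not args:
            continue
        scope, rest = args[0], args[1:]
        if len(rest) >= 2 and rest[0] == "mask":   # 'restrict ADDR mask MASK flags...'
            scope, rest = f"{scope}/{rest[1]}", rest[2:]
        yield scope, set(rest)

def query_scopes(conf_text):
    """Scopes whose restrict entry still admits mode 6 (ntpq) queries."""
    exposed, has_default = [], False
    for scope, flags in parse_restrict(conf_text):
        has_default = has_default or scope == "default"
        if not flags & {"noquery", "ignore"}:   # either flag blocks query processing
            exposed.append(scope)
    if not has_default:   # no 'restrict default' line at all: ntpd answers everyone
        exposed.append("default")
    return exposed

def remote_query_scopes(conf_text):
    """Same list minus loopback: anything left here is reachable by remote ntpq."""
    return [s for s in query_scopes(conf_text) if s not in LOOPBACK]
```

An empty result from `remote_query_scopes` means the vulnerable mode 6 path is only reachable from localhost, matching the condition the post describes.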

