ntp: CVE-2009-3563 DoS through mode 7 packets

Related Vulnerabilities: CVE-2009-3563  

Debian Bug report logs - #560074

Package: ntp; Maintainer for ntp is Debian NTP Team <ntp@packages.debian.org>; Source for ntp is src:ntp (PTS, buildd, popcon).

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 8 Dec 2009 18:54:02 UTC

Severity: grave

Tags: security

Found in version ntp/1:4.2.4p6+dfsg-2

Fixed in version ntp/1:4.2.4p8+dfsg-1

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#560074; Package ntp. (Tue, 08 Dec 2009 18:54:05 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Tue, 08 Dec 2009 18:54:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: ntp: CVE-2009-3563 DoS through mode 7 packets
Date: Tue, 8 Dec 2009 19:45:29 +0100

Package: ntp
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ntp.

CVE-2009-3563[0]:
| The topology used includes two nodes running ntp and an attacker's PC:
| 
| PC--->  [node1 ntpd1]:11.0.0.1 --------11.0.0.2:[node2 ntpd2]
| 
| PC sends one crafted UDP packet with one byte payload 0x17, i.e. NTP Request in
| mode 7.
| This UDP packet has spoofed source IP of 11.0.0.2, destination = 11.0.0.1,
| source port 123 and destination port 123.
| Node1 responds with mode 7 Error Response to Node2, and here comes something we
| cannot conceive. Ntpd2 responds back with the same mode 7 Error Response to
| Node1, Ntpd1 does again the same, etc. with the aggregate rate of a few thousand
| pps. CPU is taken away on both sides, network is busy...
| Better yet, if we spoof the Node1's address 11.0.0.1 as a source, Node1 sends
| all these packets to itself all the time! Endless.
| Payload "97 00 00 00" (Response mode 7) works too.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Upstream has released 4.2.4p8 to fix this issue.

For further information see:

[0] https://support.ntp.org/bugs/show_bug.cgi?id=1331
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
    http://security-tracker.debian.org/tracker/CVE-2009-3563

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#560074; Package ntp. (Tue, 08 Dec 2009 21:09:07 GMT)


Acknowledgement sent to Jamie Strandboge <jamie@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to security@debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Tue, 08 Dec 2009 21:09:07 GMT)


Message #10 received at 560074@bugs.debian.org:

From: Jamie Strandboge <jamie@ubuntu.com>
To: Debian Bug Tracking System <560074@bugs.debian.org>
Subject: ntp: CVE-2009-3563 DoS through mode 7 packets
Date: Tue, 08 Dec 2009 15:08:04 -0600

Package: ntp
Version: 1:4.2.4p6+dfsg-2
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch

In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: fix DoS with mode 7 (MODE_PRIVATE) packets
    - debian/patches/CVE-2009-3563.patch: update ntpd/ntp_request.c to
      not send a response packet for and rate limit logging of invalid mode 7
      requests and responses
    - CVE-2009-3563

We thought you might be interested in doing the same. Here are a couple
more references:
https://support.ntp.org/bugs/show_bug.cgi?id=1331
http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode

The attached patch should work fine going back to etch as well (with a
little fuzz), as we used it as far back as ntp-4.2.0a+stable.

Jamie

-- System Information:
Debian Release: squeeze/sid
  APT prefers karmic-updates
  APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-15-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmpE6eNAK (text/x-diff, attachment)]
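
The behaviour described in the changelog entry of the message above (no response packet for invalid mode 7 requests and responses, plus rate-limited logging), sketched as an added example; it is not the attached patch and not ntpd's own code. The names `m7_classify` and `m7_state`, the 8-byte minimum header length and the 60-second log interval are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* First octet of a mode 7 packet: bit 7 = response, bit 6 = more,
 * bits 5-3 = version, bits 2-0 = mode. 0x17 is a v2 mode 7 request,
 * 0x97 the same with the response bit set. */
#define M7_RESP_BIT     0x80u
#define M7_MODE(b)      ((b) & 0x07u)
#define M7_MODE_PRIVATE 7u
#define M7_HDR_LEN      8u   /* assumption: minimum request header size */
#define M7_LOG_INTERVAL 60   /* assumption: one log line per 60 seconds */

enum m7_action { M7_NOT_MODE7, M7_PROCESS, M7_DROP, M7_DROP_AND_LOG };

struct m7_state { time_t last_log; int logged; unsigned long dropped; };

/* Decide what to do with one received datagram. Invalid mode 7 traffic is
 * dropped silently: replying with an error is what lets two daemons (or one
 * daemon and itself) bounce error responses forever. */
enum m7_action m7_classify(struct m7_state *st, const uint8_t *pkt,
                           size_t len, time_t now)
{
    if (len == 0 || M7_MODE(pkt[0]) != M7_MODE_PRIVATE)
        return M7_NOT_MODE7;
    if (!(pkt[0] & M7_RESP_BIT) && len >= M7_HDR_LEN)
        return M7_PROCESS;            /* well-formed request: handle normally */

    st->dropped++;                    /* response or truncated request */
    if (st->logged && now - st->last_log < M7_LOG_INTERVAL)
        return M7_DROP;               /* within the window: stay quiet */
    st->logged = 1;
    st->last_log = now;
    return M7_DROP_AND_LOG;
}

int main(void)
{
    /* Constructed samples: the two payloads quoted in the report. */
    const uint8_t one_byte[] = { 0x17 };
    const uint8_t response[] = { 0x97, 0x00, 0x00, 0x00 };
    struct m7_state st = { 0 };

    printf("%d\n", m7_classify(&st, one_byte, sizeof one_byte, 1000));
    printf("%d\n", m7_classify(&st, response, sizeof response, 1001));
    printf("dropped=%lu\n", st.dropped);
    return 0;
}
```

The `dropped` counter keeps a tally even while log lines are suppressed, so a flood remains visible in monitoring without filling the log.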

Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Tue, 08 Dec 2009 22:36:05 GMT)


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Tue, 08 Dec 2009 22:36:05 GMT)


Message #15 received at 560074-close@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: 560074-close@bugs.debian.org
Subject: Bug#560074: fixed in ntp 1:4.2.4p8+dfsg-1
Date: Tue, 08 Dec 2009 22:33:06 +0000
Source: ntp
Source-Version: 1:4.2.4p8+dfsg-1

We believe that the bug you reported is fixed in the latest version of
ntp, which is due to be installed in the Debian FTP archive:

ntp-doc_4.2.4p8+dfsg-1_all.deb
  to main/n/ntp/ntp-doc_4.2.4p8+dfsg-1_all.deb
ntp_4.2.4p8+dfsg-1.debian.tar.gz
  to main/n/ntp/ntp_4.2.4p8+dfsg-1.debian.tar.gz
ntp_4.2.4p8+dfsg-1.dsc
  to main/n/ntp/ntp_4.2.4p8+dfsg-1.dsc
ntp_4.2.4p8+dfsg-1_amd64.deb
  to main/n/ntp/ntp_4.2.4p8+dfsg-1_amd64.deb
ntp_4.2.4p8+dfsg.orig.tar.gz
  to main/n/ntp/ntp_4.2.4p8+dfsg.orig.tar.gz
ntpdate_4.2.4p8+dfsg-1_amd64.deb
  to main/n/ntp/ntpdate_4.2.4p8+dfsg-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560074@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated ntp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 08 Dec 2009 21:41:51 +0100
Source: ntp
Binary: ntp ntpdate ntp-doc
Architecture: source all amd64
Version: 1:4.2.4p8+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description: 
 ntp        - Network Time Protocol daemon and utility programs
 ntp-doc    - Network Time Protocol documentation
 ntpdate    - client for setting system time from NTP servers
Closes: 560074
Changes: 
 ntp (1:4.2.4p8+dfsg-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes DoS with mode 7 packets (CVE-2009-3563) (Closes: #560074)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 23 Jan 2010 07:35:08 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:38:42 2019; Machine Name: beach
