CVE-2009-3563

Published: 09/12/2009 Updated: 19/09/2017
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 680
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Vulnerability Summary

ntp_request.c in ntpd in NTP prior to 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
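A detection sketch for the loop described above, added here as an example and not taken from the advisory or from ntpd: it parses the mode 7 header (response bit, version, mode, request code, error nibble) and flags host pairs that send each other mode 7 error responses on port 123 in both directions. The packet tuples, addresses and the threshold of 3 are constructed for illustration.

```python
from collections import Counter

MODE_PRIVATE = 7   # NTP mode 7 (MODE_PRIVATE in the summary above)
NTP_PORT = 123

def parse_mode7(payload: bytes):
    """Return mode 7 header fields, or None if the packet is not mode 7."""
    if len(payload) < 8 or payload[0] & 0x07 != MODE_PRIVATE:
        return None
    err_nitems = int.from_bytes(payload[4:6], "big")
    return {
        "response": bool(payload[0] & 0x80),   # R bit: set on responses
        "version": (payload[0] >> 3) & 0x07,
        "request_code": payload[3],
        "error": err_nitems >> 12,             # top 4 bits: error code
    }

def find_error_loops(packets, threshold=3):
    """Flag host pairs exchanging mode 7 error responses in both directions.

    packets: iterable of (src, sport, dst, dport, udp_payload).
    A daemon-to-daemon loop has port 123 on both ends, unlike a normal
    client query, which comes from an ephemeral source port.
    """
    counts = Counter()
    for src, sport, dst, dport, payload in packets:
        hdr = parse_mode7(payload)
        if hdr and hdr["response"] and hdr["error"] \
                and sport == NTP_PORT and dport == NTP_PORT:
            counts[(src, dst)] += 1
    loops = set()
    for (a, b), n in counts.items():
        if n >= threshold and counts.get((b, a), 0) >= threshold:
            loops.add(tuple(sorted((a, b))))
    return sorted(loops)

# Constructed sample traffic (documentation address ranges).
ERR_RESP = bytes([0x97, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00])  # R=1, v2, mode 7, err=1
M7_REQ = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])    # mode 7 request
CLIENT = bytes([0x23]) + bytes(47)                                  # ordinary mode 3 query
SAMPLE = (
    [("192.0.2.10", 123, "192.0.2.20", 123, ERR_RESP)] * 4
    + [("192.0.2.20", 123, "192.0.2.10", 123, ERR_RESP)] * 4
    + [("198.51.100.5", 40000, "192.0.2.10", 123, M7_REQ),
       ("198.51.100.7", 51000, "192.0.2.20", 123, CLIENT)]
)

if __name__ == "__main__":
    print(find_error_loops(SAMPLE))
```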

Affected Products

Vendor: Ntp
Product: Ntp
Versions: 4.0.72, 4.0.73, 4.0.90, 4.0.91, 4.0.92, 4.0.93, 4.0.94, 4.0.95, 4.0.96, 4.0.97, 4.0.98, 4.0.99, 4.1.0, 4.1.2, 4.2.0, 4.2.2, 4.2.2p1, 4.2.2p2, 4.2.2p3, 4.2.2p4, 4.2.5

Vendor Advisories

Debian Bug report logs - #560074 ntp: CVE-2009-3563 DoS through mode 7 packets. Package: ntp; Maintainer for ntp is Debian NTP Team <ntp@packages.debian.org>; Source for ntp is src:ntp (PTS, buildd, popcon). Reported by: Nico Golde <nion@debian.org>. Date: Tue, 8 Dec 2009 18:54:02 UTC. Severity: grave. Tags: security F ...
Robin Park and Dmitri Vinokurov discovered a logic error in ntpd. A remote attacker could send a crafted NTP mode 7 packet with a spoofed IP address of an affected server and cause a denial of service via CPU and disk resource consumption ...
Robin Park and Dmitri Vinokurov discovered that the daemon component of the ntp package, a reference implementation of the NTP protocol, is not properly reacting to certain incoming packets. An unexpected NTP mode 7 packet (MODE_PRIVATE) with spoofed IP data can lead ntpd to reply with a mode 7 response to the spoofed address. This may result in th ...
The Network Time Protocol (NTP) package contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to an error in handling certain malformed messages. An unauthenticated, remote attacker could send a malicious NTP packet with a spoofed source IP address to a ...
Several vulnerabilities have been discovered in chrony, a pair of programs which are used to maintain the accuracy of the system clock on a computer. These issues are similar to the NTP security flaw CVE-2009-3563. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0292 chronyd replies to all cmdmon packe ...
VMware ESX 400 without patches ESX400-201002404-SG, ESX400-201002407-SG, ESX400-201002406-SG, ESX400-201005403-SG, ESX400-201005404-SG ...

Metasploit Modules

NTP.org ntpd Reserved Mode Denial of Service

This module exploits a denial of service vulnerability within the NTP (network time protocol) daemon. By sending a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. Note, unless you control the spoofed source host or the real remote host(s), you will not be able to halt the DoS condition once begun!

msf > use auxiliary/dos/ntp/ntpd_reserved_dos
msf auxiliary(ntpd_reserved_dos) > show actions
    ...actions...
msf auxiliary(ntpd_reserved_dos) > set ACTION <action-name>
msf auxiliary(ntpd_reserved_dos) > show options
    ...show and set options...
msf auxiliary(ntpd_reserved_dos) > run

References

NVD-CWE-Other

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-005.txt.asc
http://aix.software.ibm.com/aix/efixes/security/xntpd_advisory.asc
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560074
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10691
http://lists.vmware.com/pipermail/security-announce/2010/000082.html
http://marc.info/?l=bugtraq&m=130168580504508&w=2
http://marc.info/?l=bugtraq&m=136482797910018&w=2
http://secunia.com/advisories/37629
http://secunia.com/advisories/37922
http://secunia.com/advisories/38764
http://secunia.com/advisories/38794
http://secunia.com/advisories/38832
http://secunia.com/advisories/38834
http://secunia.com/advisories/39593
http://security-tracker.debian.org/tracker/CVE-2009-3563
http://securitytracker.com/id?1023298
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021781.1-1
http://support.avaya.com/css/P8/documents/100071808
http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode
http://www-01.ibm.com/support/docview.wss?uid=isg1IZ68659
http://www-01.ibm.com/support/docview.wss?uid=isg1IZ71047
http://www.debian.org/security/2009/dsa-1948
http://www.kb.cert.org/vuls/id/568372
http://www.kb.cert.org/vuls/id/MAPG-7X7V6J
http://www.kb.cert.org/vuls/id/MAPG-7X7VD7
http://www.securityfocus.com/bid/37255
http://www.vupen.com/english/advisories/2010/0510
http://www.vupen.com/english/advisories/2010/0528
http://www.vupen.com/english/advisories/2010/0993
https://bugzilla.redhat.com/show_bug.cgi?id=531213
https://lists.ntp.org/pipermail/announce/2009-December/000086.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11225
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12141
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19376
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7076
https://rhn.redhat.com/errata/RHSA-2009-1648.html
https://rhn.redhat.com/errata/RHSA-2009-1651.html
https://rhn.redhat.com/errata/RHSA-2010-0095.html
https://support.ntp.org/bugs/show_bug.cgi?id=1331
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00763.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00809.html
https://github.com/OpenSecurityResearch/pentest-scripts
https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0004-2-vma-and-service-console-package-ntp-cve-2009-3563
https://usn.ubuntu.com/867-1/
https://nvd.nist.gov
https://www.kb.cert.org/vuls/id/568372