[ASA-201803-11] ntp: multiple issues

Remi Gacogne rgacogne at archlinux.org
Sun Mar 18 21:10:19 UTC 2018

Arch Linux Security Advisory ASA-201803-11

Severity: High
Date    : 2018-03-16
CVE-ID  : CVE-2016-1549 CVE-2018-7170 CVE-2018-7182 CVE-2018-7183
          CVE-2018-7184 CVE-2018-7185
Package : ntp
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-647


The package ntp before version 4.2.8.p11-1 is vulnerable to multiple
issues including arbitrary code execution, content spoofing and denial
of service.


Upgrade to 4.2.8.p11-1.

# pacman -Syu "ntp>=4.2.8.p11-1"

The problems have been fixed upstream in version 4.2.8.p11.




- CVE-2016-1549 (content spoofing)

A malicious authenticated peer can create arbitrarily many ephemeral
associations in order to win the clock selection algorithm in ntpd in
NTP 4.2.8p4 and earlier and NTPsec
3e160db8dc248a0bcb053b56a80167dc742d2b74 and
a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.

- CVE-2018-7170 (content spoofing)

ntpd can be vulnerable to Sybil attacks. If a system is set up to use a
trustedkey and is not using the feature introduced in ntp-4.2.8p6 that
allows an optional 4th field in the ntp.keys file to specify which IPs
can serve time, a malicious authenticated peer -- i.e. one where the
attacker knows the private symmetric key -- can create arbitrarily many
ephemeral associations in order to win the clock selection of ntpd and
modify a victim's clock.

- CVE-2018-7182 (denial of service)

ctl_getitem() is used by ntpd to process incoming mode 6 packets. A
malicious mode 6 packet can be sent to an ntpd instance, and if the
ntpd instance is from 4.2.8p6 through 4.2.8p10, that will cause
ctl_getitem() to read past the end of its buffer.

- CVE-2018-7183 (arbitrary code execution)

ntpq is a monitoring and control program for ntpd. decodearr() is an
internal function of ntpq that is used to -- wait for it -- decode an
array in a response string when formatted data is being displayed. This
is a problem in affected versions of ntpq if a maliciously-altered ntpd
returns an array result that will trip this bug, or if a bad actor is
able to read an ntpq request on its way to a remote ntpd server and
forge and send a response before the remote ntpd sends its response.
The malicious data could potentially become injectable/executable code.

- CVE-2018-7184 (denial of service)

The fix for NtpBug2952 was incomplete, and while it fixed one problem
it created another. Specifically, it drops bad packets before updating
the "received" timestamp. This means a third party can inject a packet
with a zero-origin timestamp, meaning the sender wants to reset the
association, and the transmit timestamp in this bogus packet will be
saved as the most recent "received" timestamp. The real remote peer
does not know this value and this will disrupt the association until
the association resets.

- CVE-2018-7185 (denial of service)

The NTP protocol allows for both non-authenticated and authenticated
associations, in client/server, symmetric (peer), and several broadcast
modes. In addition to the basic NTP operational modes, symmetric mode
and broadcast servers can support an interleaved mode of operation. In
ntp-4.2.8p4 a bug was inadvertently introduced into the protocol engine
that allows a non-authenticated zero-origin (reset) packet to reset an
authenticated interleaved peer association. If an attacker can send a
packet with a zero-origin timestamp and the source IP address of the
"other side" of an interleaved association, the 'victim' ntpd will
reset its association. The attacker must continue sending these packets
in order to maintain the disruption of the association. In ntp-4.0.0
through ntp-4.2.8p6, interleave mode could be entered dynamically. As of
ntp-4.2.8p7, interleaved mode must be explicitly configured/enabled.
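As an added example (not part of this advisory or of the ntp project), a small Python checker for the two packet shapes the descriptions above turn on: mode 6 control packets, which are the input to ctl_getitem()/decodearr() (CVE-2018-7182, CVE-2018-7183), and unauthenticated zero-origin packets in symmetric mode, the association-reset pattern behind CVE-2018-7184 and CVE-2018-7185. It assumes a raw UDP/123 payload with the 48-byte RFC 5905 header and treats any trailing bytes as an appended MAC; the sample packets are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass, field

# Standard 48-byte NTP header (RFC 5905); a MAC (key id + digest) may follow it.
NTP_HEADER = struct.Struct("!BBBbIII8s8s8s8s")
ZERO_TS = bytes(8)


@dataclass
class NtpFinding:
    version: int
    mode: int
    authenticated: bool
    notes: list = field(default_factory=list)


def inspect_ntp_packet(packet: bytes) -> NtpFinding:
    """Classify one UDP/123 payload against the patterns in this advisory."""
    if not packet:
        raise ValueError("empty packet")
    version = (packet[0] >> 3) & 0x7   # LI(2) | VN(3) | Mode(3)
    mode = packet[0] & 0x7
    if mode == 6:
        # Mode 6 (ntpq control) has its own layout, so do not parse timestamps.
        f = NtpFinding(version, mode, authenticated=False)
        f.notes.append("mode 6 control packet: should only arrive from hosts "
                       "allowed to query ntpd (see 'restrict ... noquery')")
        return f
    if len(packet) < NTP_HEADER.size:
        raise ValueError("truncated NTP header")
    (_, _stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref_ts, origin_ts, _recv_ts, _xmit_ts) = NTP_HEADER.unpack_from(packet)
    # Assumption: anything after the 48-byte header is a key id + digest.
    authenticated = len(packet) > NTP_HEADER.size
    f = NtpFinding(version, mode, authenticated)
    # A zero origin timestamp is normal in a mode 3 client request, but in
    # symmetric mode (1 or 2) it asks the peer to reset the association.
    if origin_ts == ZERO_TS and mode in (1, 2) and not authenticated:
        f.notes.append("unauthenticated zero-origin (reset) packet in symmetric "
                       "mode: matches the CVE-2018-7184/7185 reset pattern")
    return f


# Constructed samples: all header fields zero apart from the first byte.
SYMMETRIC_RESET_NO_MAC = bytes([0x21]) + bytes(47)               # VN 4, mode 1
SYMMETRIC_RESET_MD5_MAC = SYMMETRIC_RESET_NO_MAC + bytes(4 + 16)  # plus key id + MD5
CLIENT_REQUEST = bytes([0x23]) + bytes(47)                       # VN 4, mode 3
CONTROL_QUERY = bytes([0x26]) + bytes(11)                        # VN 4, mode 6

if __name__ == "__main__":
    for name, pkt in [("reset/no MAC", SYMMETRIC_RESET_NO_MAC), ("ntpq", CONTROL_QUERY)]:
        print(name, inspect_ntp_packet(pkt).notes)
```

Feed it the payloads of a packet capture on port 123 and a steady stream of flagged reset packets from one source is the sustained pattern the CVE-2018-7185 text describes.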


A remote, non-authenticated peer can cause a denial of service,
preventing the vulnerable host from getting a correct time. In addition
to that, a remote, authenticated peer can spoof the correct time,
causing the vulnerable host to update its clock with an invalid time.
A malicious ntpd server, or an attacker in a man-in-the-middle
position, might be able to execute arbitrary code on the affected host
by forging a response to an ntpq request.


