Bug 2672 - ::1 can be spoofed. ACLs based on source IP can be bypassed
Summary: ::1 can be spoofed. ACLs based on source IP can be bypassed
Status: RESOLVED FIXED
Alias: None
Product: ntp
Classification: Unclassified
Component: ntpd
Version: 4.2.6
Hardware: N/A All
Importance: P2 critical
Assignee: Harlan Stenn
URL:
Depends on:
Blocks: 2655
Reported: 2014-11-03 00:43 UTC by Harlan Stenn
Modified: 2023-06-19 14:49 UTC

See Also:
stenn: blocking4.2.6+
stenn: blocking4.2.8+


Attachments
Patch from Brian Utterback (978 bytes, application/octet-stream)
2014-12-20 08:06 UTC, Harlan Stenn
Description Harlan Stenn 2014-11-03 00:43:25 UTC
+++ This bug was initially created as a clone of Bug #2655 +++

8) Restrictions based on source IP can be bypassed

 fix: not sure if this is an issue that can be fixed reliably. Also
there are other access restrictions in place (symmetric keys). Checking
the source interface for "::1" packets could raise the bar.
Comment 1 Harlan Stenn 2014-12-15 23:19:22 UTC
Will it work to make sure that if we get a srcaddr/sockaddr of ::1 that the corresponding XXX.ifr_flags & IFF_LOOPBACK is "true"?
Comment 2 Danny Mayer 2014-12-16 15:35:18 UTC
(In reply to comment #1)
> Will it work to make sure that if we get a srcaddr/sockaddr of ::1 that the
> corresponding XXX.ifr_flags & IFF_LOOPBACK is "true"?

There's actually a simpler way to check. The packet cannot come in on the loopback address since it has to come in from the outside. So the compare is to check if the source address and the destination address are the same. I wouldn't want to depend on the flags.
Comment 3 Harlan Stenn 2014-12-18 01:08:34 UTC
I have a potential fix for this in my repo.
Comment 4 Harlan Stenn 2014-12-20 08:06:19 UTC
Created attachment 1164
Patch from Brian Utterback
Comment 5 Harlan Stenn 2015-01-25 02:06:34 UTC
Fixed in 4.2.8p1.
Comment 6 JGhosh 2015-10-28 10:33:48 UTC
Hi Harlan,

I am JGhosh, an open source developer, working on NTP cherry-pick integration
of Bug 2672 specifically into a FreeBSD private repo.

Would you please kindly confirm that the final Bug 2672 changelist is as shown
inline? I am manually cherry-picking the commits from GitHub into a
FreeBSD private repository and need your kind help with this.


Thanks in advance.

Reference:

https://github.com/ntp-project/ntp/blob/stable/ChangeLog


$ git log --grep="Sec 2672"
commit e3b048acc50689de3069ff09c272108902d82566
Author:  <stenn@psp-fb1.ntp.org>
Date:   Fri Jan 23 10:29:31 2015 +0000

    [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...

commit 2fb392987ee930becfec6d8843ce96ba9b465dec
Author:  <stenn@psp-deb1.ntp.org>
Date:   Sun Dec 21 01:24:15 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs

commit 9ebcc199749f89056cf0c5acb82bc5256395102c
Author:  <stenn@deacon.udel.edu>
Date:   Fri Dec 19 04:43:15 2014 -0500

    Disable Sec 2672 interim fix for now

commit 96e106df5925c7d4c51b73b2f03ac403e8e1beb2
Author:  <stenn@psp-deb1.ntp.org>
Date:   Thu Dec 18 13:11:35 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs: debug output tweaking

commit 96c37aa51d3033a4b552de3c31d0fc1cc66d1f9b
Author:  <stenn@psp-deb1.ntp.org>
Date:   Thu Dec 18 01:18:29 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs




$ git log --stat -p e3b048acc50689de3069ff09c272108902d82566
Author:  <stenn@psp-fb1.ntp.org>
Date:   Fri Jan 23 10:29:31 2015 +0000

    [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...
---
 ChangeLog     |  1 +
 ntpd/ntp_io.c | 22 ++++++++++------------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a115442..32b7b34 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 ---
 
 * [Bug 2617] Fix sntp Usage documentation section.
+* [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...
 ---
 (4.2.8p1-beta5) 2015/01/07 Released by Harlan Stenn <stenn@ntp.org>
 
diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index f01088d..1ee7098 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3482,26 +3482,24 @@ read_network_packet(
        ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
        */
 
-       // temporary hack...
        if (AF_INET6 == itf->family) {
-               DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
+               DPRINTF(2, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
                        stoa(&rb->recv_srcadr),
                        IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)),
                        stoa(&itf->sin),
                        !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
                        ));
-       }
 
-       if (   AF_INET6 == itf->family
-           && IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr))
-           && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
-          ) {
-               packets_dropped++;
-               DPRINTF(1, ("DROPPING that packet\n"));
-               freerecvbuf(rb);
-               return buflen;
+               if (   IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr))
+                   && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
+                  ) {
+                       packets_dropped++;
+                       DPRINTF(2, ("DROPPING that packet\n"));
+                       freerecvbuf(rb);
+                       return buflen;
+               }
+               DPRINTF(2, ("processing that packet\n"));
        }
-       DPRINTF(1, ("processing that packet\n"));
 
        /*
         * Got one.  Mark how and when it got here,
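Review bot: in the drop branch, `DPRINTF(2, ("DROPPING that packet\n"))` is now the only trace that a packet with a forged ::1 source was discarded, and it is emitted at debug level 2 only. Apart from the `packets_dropped` counter, an operator running a normal build gets no indication that spoofed loopback traffic is arriving. Consider a rate-limited log message at normal verbosity in that branch, carrying the same `stoa(&rb->recv_srcadr)` and `stoa(&itf->sin)` values the debug line above already formats.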





$ git log --stat -p 2fb392987ee930becfec6d8843ce96ba9b465dec
commit 2fb392987ee930becfec6d8843ce96ba9b465dec
Author:  <stenn@psp-deb1.ntp.org>
Date:   Sun Dec 21 01:24:15 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs
---
 ChangeLog     |  1 +
 ntpd/ntp_io.c | 10 ++++------
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4d2ea91..4e31309 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.
 ---
 (4.2.8) 2014/12/19 Released by Harlan Stenn <stenn@ntp.org>
 
diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index ae00e55..d771cf5 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3450,19 +3450,18 @@ read_network_packet(
        */
 
        // temporary hack...
-#ifndef HAVE_SOLARIS_PRIVS
        if (AF_INET6 == itf->family) {
                DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
                        stoa(&rb->recv_srcadr),
-                       IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr),
+                       IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr.sa6.sin6_addr),
                        stoa(&itf->sin),
-                       !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+                       !IN6_IS_ADDR_LOOPBACK(&itf->sin.sa6.sin6_addr)
                        ));
        }
 
        if (   AF_INET6 == itf->family
-           && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)
-           && !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+           && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr.sa6.sin6_addr)
+           && !IN6_IS_ADDR_LOOPBACK(&itf->sin.sa6.sin6_addr)
           ) {
                packets_dropped++;
                DPRINTF(1, ("DROPPING that packet\n"));
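Review bot: the `// temporary hack...` context line at the top of this hunk stays while the `#ifndef HAVE_SOLARIS_PRIVS` guard directly beneath it is removed, so a check that is now compiled in on every platform is still labelled temporary. Drop or reword that comment, using the `/* */` style of the surrounding block. The commit subject also repeats the earlier commit's wording and does not say that the argument change to `&rb->recv_srcadr.sa6.sin6_addr` and `&itf->sin.sa6.sin6_addr` is what makes `IN6_IS_ADDR_LOOPBACK` receive a `struct in6_addr *`; that is worth recording for anyone cherry-picking only part of the series.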
@@ -3470,7 +3469,6 @@ read_network_packet(
                return buflen;
        }
        DPRINTF(1, ("processing that packet\n"));
-#endif
 
        /*
         * Got one.  Mark how and when it got here,






$ git log --stat -p 9ebcc199749f89056cf0c5acb82bc5256395102c
commit 9ebcc199749f89056cf0c5acb82bc5256395102c
Author:  <stenn@deacon.udel.edu>
Date:   Fri Dec 19 04:43:15 2014 -0500

    Disable Sec 2672 interim fix for now
---
 ntpd/ntp_io.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index 8be7247..ae00e55 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3449,6 +3449,8 @@ read_network_packet(
        ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
        */
 
+       // temporary hack...
+#ifndef HAVE_SOLARIS_PRIVS
        if (AF_INET6 == itf->family) {
                DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
                        stoa(&rb->recv_srcadr),
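Review bot: the commit subject says the interim fix is disabled, but the `#ifndef HAVE_SOLARIS_PRIVS` added here compiles the check out only when `HAVE_SOLARIS_PRIVS` is defined; every other build keeps it. The `// temporary hack...` comment gives no reason either. Say in the comment why that configuration needs the check removed and what has to be resolved before the guard can go, so the exclusion is not carried forward by accident.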
@@ -3468,6 +3470,7 @@ read_network_packet(
                return buflen;
        }
        DPRINTF(1, ("processing that packet\n"));
+#endif
 
        /*
         * Got one.  Mark how and when it got here,
         
         
         
         

commit 96e106df5925c7d4c51b73b2f03ac403e8e1beb2
Author:  <stenn@psp-deb1.ntp.org>
Date:   Thu Dec 18 13:11:35 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs: debug output tweaking
---
 ntpd/ntp_io.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index aa415cc..8be7247 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3450,8 +3450,12 @@ read_network_packet(
        */
 
        if (AF_INET6 == itf->family) {
-               DPRINTF(1, ("Got an IPv6 packet, from <%s> to <%s>\n",
-                       stoa(&rb->recv_srcadr), stoa(&itf->sin)));
+               DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
+                       stoa(&rb->recv_srcadr),
+                       IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr),
+                       stoa(&itf->sin),
+                       !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+                       ));
        }
 
        if (   AF_INET6 == itf->family
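Review bot: the two `%d` values added to the "Got an IPv6 packet" line have opposite senses, since the first prints `IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)` and the second prints the negated `!IN6_IS_ADDR_LOOPBACK(&itf->sin)`. A reader of the debug output sees `(1) ... (1)` for exactly the case that gets dropped and has to know about the negation to interpret it. Print both tests un-negated, or label the fields in the format string.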




         
         
         
         
$ git log --stat -p 96c37aa51d3033a4b552de3c31d0fc1cc66d1f9b
commit 96c37aa51d3033a4b552de3c31d0fc1cc66d1f9b
Author:  <stenn@psp-deb1.ntp.org>
Date:   Thu Dec 18 01:18:29 2014 +0000

    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs
---
 ChangeLog     |  1 +
 ntpd/ntp_io.c | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index f3765a5..de19386 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@
 * [Sec 2668] buffer overflow in ctl_putdata().
 * [Sec 2669] buffer overflow in configure().
 * [Sec 2670] Missing return; from error clause.
+* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.
 (4.2.7p485-RC) 2014/12/12 Released by Harlan Stenn <stenn@ntp.org>
 * [Bug 2686] refclock_gpsdjson needs strtoll(), which is not always present.
 (4.2.7p484-RC) 2014/12/11 Released by Harlan Stenn <stenn@ntp.org>
diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c
index eb61ead..aa415cc 100644
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -3446,6 +3446,26 @@ read_network_packet(
                    fd, buflen, stoa(&rb->recv_srcadr)));
 
        /*
+       ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
+       */
+
+       if (AF_INET6 == itf->family) {
+               DPRINTF(1, ("Got an IPv6 packet, from <%s> to <%s>\n",
+                       stoa(&rb->recv_srcadr), stoa(&itf->sin)));
+       }
+
+       if (   AF_INET6 == itf->family
+           && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)
+           && !IN6_IS_ADDR_LOOPBACK(&itf->sin)
+          ) {
+               packets_dropped++;
+               DPRINTF(1, ("DROPPING that packet\n"));
+               freerecvbuf(rb);
+               return buflen;
+       }
+       DPRINTF(1, ("processing that packet\n"));
+
+       /*
         * Got one.  Mark how and when it got here,
         * put it on the full list and do bookkeeping.
         */
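Review bot: `IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)` and `IN6_IS_ADDR_LOOPBACK(&itf->sin)` pass the address of the whole socket-address object (the same objects handed to `stoa()` just above), but the macro expects a pointer to the `struct in6_addr` inside it. The test therefore reads the family and port bytes at the start of the structure, and the drop branch cannot be reached for a real ::1 source. Pass the `sin6_addr` member instead. Separately, `DPRINTF(1, ("processing that packet\n"))` sits outside the `AF_INET6` test and will fire for every packet of every address family at debug level 1.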
Comment 7 Danny Mayer 2015-10-28 17:27:28 UTC
This code was put into NTP because a number of Operating Systems were not checking that a source address of ::1 can only come in on the loopback interface. This code is a workaround for something that should have been in the O/S kernel. You should be checking the kernel to make sure that the situation cannot happen in FreeBSD rather than worrying about this fix.

Danny
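
The check discussed in this thread, as an added stand-alone example (not ntpd's code and not the attached patch): a packet is rejected when its source is ::1 but the receiving socket's address is not loopback. The helper names `mk6`, `spoofed_loopback`, `demo_case` and `macro_on_whole_sockaddr` are hypothetical and the addresses are constructed samples; the last helper shows what `IN6_IS_ADDR_LOOPBACK` evaluates when it is handed the start of the sockaddr instead of `sin6_addr`.

```c
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Constructed sample input: an AF_INET6 sockaddr for a text address. */
static struct sockaddr_in6 mk6(const char *text)
{
	struct sockaddr_in6 sa;

	memset(&sa, 0, sizeof(sa));
	sa.sin6_family = AF_INET6;
	sa.sin6_port = htons(123);
	inet_pton(AF_INET6, text, &sa.sin6_addr);
	return sa;
}

/*
 * Hypothetical helper: returns 1 when the packet claims an IPv6 loopback
 * source but was received on a non-loopback local address, 0 otherwise.
 */
int spoofed_loopback(const struct sockaddr_in6 *src,
		     const struct sockaddr_in6 *local)
{
	if (src->sin6_family != AF_INET6 || local->sin6_family != AF_INET6)
		return 0;
	return IN6_IS_ADDR_LOOPBACK(&src->sin6_addr)
	    && !IN6_IS_ADDR_LOOPBACK(&local->sin6_addr);
}

/* Convenience wrapper taking text addresses. */
int demo_case(const char *src, const char *local)
{
	struct sockaddr_in6 s = mk6(src), l = mk6(local);

	return spoofed_loopback(&s, &l);
}

/*
 * The macro applied to the first 16 bytes of the sockaddr itself:
 * those bytes hold family, port, flowinfo and only part of the address,
 * so an AF_INET6 sockaddr for ::1 is not recognised as loopback.
 */
int macro_on_whole_sockaddr(const char *text)
{
	struct sockaddr_in6 sa = mk6(text);
	struct in6_addr head;

	memcpy(&head, &sa, sizeof(head));
	return IN6_IS_ADDR_LOOPBACK(&head);
}
```
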