NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p18 was released on 25 May 2024 and addresses 40 bugs and provides 40 improvements.

Please see the NTP 4.2.8p18 Changelog for details.

Bug 2779 - ntpd accepts unauthenticated packets with symmetric key crypto
Summary: ntpd accepts unauthenticated packets with symmetric key crypto
Status: VERIFIED FIXED
Alias: None
Product: ntp
Classification: Unclassified
Component: ntpd
Version: 4.2.8
Hardware: PC Linux
Importance: P2 major
Assignee: Harlan Stenn
URL:
Depends on:
Blocks: 2781
Reported: 2015-03-04 09:31 UTC by Miroslav Lichvar
Modified: 2023-07-13 17:44 UTC
CC: 3 users

See Also:
stenn: blocking4.2.8+


Attachments
Proposed patch to reject packets without MAC when authentication is enabled (1.21 KB, patch)
2015-03-06 09:18 UTC, Miroslav Lichvar
stenn: patchReview?

Description Miroslav Lichvar 2015-03-04 09:31:34 UTC
test
Comment 1 Harlan Stenn 2015-03-04 09:40:20 UTC
Miroslav,

I've restricted this bug to the Security team.

It *should* be non-public now.  You will still see it because you opened it.
I'll check now to see if other users can see it.
Comment 2 Harlan Stenn 2015-03-04 09:48:20 UTC
Adding security@ntp.org to the Cc: list after removing bugs@ntp.org
Comment 3 Miroslav Lichvar 2015-03-06 09:11:56 UTC
When ntpd is configured to use a symmetric key with an NTP server/peer, it checks whether the NTP message authentication code (MAC) in received packets is valid, but not whether there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key.

It seems this bug was introduced in 4.2.5p99 and is in all later stable versions up to 4.2.8p1. Authentication using autokey doesn't have this problem as there is a check that requires the key ID to be larger than NTP_MAXKEY, which fails for packets without MAC.
Comment 4 Miroslav Lichvar 2015-03-06 09:18:38 UTC
Created attachment 1209 [details]
Proposed patch to reject packets without MAC when authentication is enabled
Comment 5 Harlan Stenn 2015-03-11 02:54:09 UTC
In an email to me, Miroslav added:

The attacker needs to know the transmit timestamp of the client to match it in the forged reply, and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn't necessarily need to be relaying the packets between the client and the server.
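The following is an added illustration of the defect described in Comment 3 and the acceptance conditions mentioned in Comment 5; it is not ntpd code and not the attached patch. It models the RFC 5905 symmetric-key MAC (32-bit key ID followed by MD5 over key and header) and a minimal server reply, then contrasts a check that only validates a MAC when one is present (the reported behaviour) with one that also requires the MAC to be present whenever a key is configured. The key, key ID and timestamp values are constructed for the example; `build_reply`, `vulnerable_authenticate`, `fixed_authenticate` and `accept_reply` are names chosen here, not ntpd functions.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed RFC 5905 header
MAC_LEN = 4 + 16      # 32-bit key ID + 16-byte MD5 digest (symmetric-key MAC)


def ntp_mac(key_id, key, header):
    # Symmetric-key MAC as in RFC 5905 Appendix A: keyid || MD5(key || header)
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def build_reply(org_ts, key_id=None, key=None):
    # Minimal mode-4 (server) reply; only the originate timestamp field matters here.
    # With key=None the reply carries no MAC at all, which is the case the bug concerns.
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 4        # LI=0, VN=4, mode=4 (server)
    header[1] = 2                               # stratum 2 (arbitrary)
    struct.pack_into("!Q", header, 24, org_ts)  # originate ts echoes the client's transmit ts
    header = bytes(header)
    if key is None:
        return header
    return header + ntp_mac(key_id, key, header)


def vulnerable_authenticate(packet, key_id, key):
    # Models the reported logic: a MAC is verified only if one happens to be present,
    # so a packet with no MAC passes as if it were authenticated.
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(mac) == 0:
        return True            # defect: absence of a MAC is treated as success
    return mac == ntp_mac(key_id, key, header)


def fixed_authenticate(packet, key_id, key):
    # A key is configured for this association, so a MAC of the right length is
    # mandatory; a missing or short MAC is an authentication failure.
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(mac) != MAC_LEN:
        return False
    # Constant-time compare is an extra hardening choice of this example, not part of the report.
    return hmac.compare_digest(mac, ntp_mac(key_id, key, header))


def accept_reply(packet, expected_xmt, key_id, key, authenticate):
    # Both conditions from the report must hold: the reply must echo the client's
    # transmit timestamp in its originate field, and it must authenticate.
    if len(packet) < NTP_HEADER_LEN:
        return False
    org_ts = struct.unpack_from("!Q", packet, 24)[0]
    if org_ts != expected_xmt:
        return False
    return authenticate(packet, key_id, key)


if __name__ == "__main__":
    KEY_ID, KEY = 42, b"constructed-example-key"   # constructed, not a real key
    xmt = 0x1234567890ABCDEF                       # constructed client transmit timestamp
    genuine = build_reply(xmt, KEY_ID, KEY)
    unauthenticated = build_reply(xmt)             # correct timestamp, no MAC
    for name, check in (("vulnerable", vulnerable_authenticate), ("fixed", fixed_authenticate)):
        print(name, "genuine:", accept_reply(genuine, xmt, KEY_ID, KEY, check),
              "no-MAC:", accept_reply(unauthenticated, xmt, KEY_ID, KEY, check))
```

Running the block shows the vulnerable check accepting both replies while the fixed check accepts only the one carrying a valid MAC; a reply whose originate timestamp does not match the client's transmit timestamp is rejected by both, which is why the report notes that the attacker must know that timestamp.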
Comment 6 Harlan Stenn 2015-04-07 09:34:26 UTC
Miroslav,

Thanks for the report and patch.

Please check 4.2.8p2 or 4.3.14 and mark this bug as VERIFIED or IN_PROGRESS, as appropriate.