Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability


Summary


An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. A specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, preventing legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.


Tested Versions


NTP 4.2.8p3
NTP 4.2.8p8
NTPsec 0.9.1
NTPsec 0.9.3


Product URLs


http://www.ntp.org
http://www.ntpsec.org/


CVSS Scores


CVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSSv3: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N


Details


ntpd provides a trap functionality that sends asynchronous notifications to a number of trap receivers whenever an event of interest occurs. Example events of interest include: association mobilization and demobilization, authentication failures, reachability changes, etc.


Since at least ntp-4.0.94 (July 21, 1999), ntpd has allowed traps to be configured via the control (mode 6) and private (mode 7) NTP modes. Though private mode requires messages that modify trap settings to be authenticated, control mode allows unauthenticated packets to modify trap settings using the SETTRAP and UNSETTRAP control messages.
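As an added example, not code from the advisory or from the ntp/NTPsec projects, the following Python parses the header of a mode 6 control message and flags SETTRAP and UNSETTRAP requests that carry no MAC, which is the kind of check a defender can run over captured UDP/123 payloads to spot the unauthenticated trap changes described above. The header layout follows RFC 1305 Appendix B; the opcode numbers (SETTRAP = 6, UNSETTRAP = 31), the response/error/more bits and the 8-octet MAC alignment are taken from ntpd's ntp_control.h and ntp_control.c rather than from this page, and the sample packets are constructed here. "MAC present" only means a key id and digest are appended; whether the digest is valid is something only the server with the key can decide.

```python
import struct

# Opcode values as defined in ntpd's include/ntp_control.h (assumption: taken
# from the ntp source tree, not from the advisory text).
CTL_OP_NAMES = {
    0: "UNSPEC", 1: "READSTAT", 2: "READVAR", 3: "WRITEVAR",
    4: "READCLOCK", 5: "WRITECLOCK", 6: "SETTRAP", 7: "ASYNCMSG",
    8: "CONFIGURE", 9: "SAVECONFIG", 10: "READ_MRU",
    11: "READ_ORDLIST_A", 12: "REQ_NONCE", 31: "UNSETTRAP",
}
TRAP_OPCODES = {6, 31}          # SETTRAP, UNSETTRAP
CTL_HEADER_LEN = 12             # LI/VN/mode, R/E/M/op, seq, status, assoc, offset, count
MIN_MAC_LEN = 4 + 16            # key id + MD5 digest
MAX_MAC_LEN = 4 + 20            # key id + SHA1 digest


def parse_control_packet(payload: bytes):
    """Parse an NTP mode 6 control message header; None if not mode 6."""
    if len(payload) < CTL_HEADER_LEN:
        return None
    li_vn_mode, r_e_m_op, seq, status, assoc, offset, count = struct.unpack(
        "!BBHHHHH", payload[:CTL_HEADER_LEN])
    if li_vn_mode & 0x07 != 6:
        return None
    opcode = r_e_m_op & 0x1F
    # ntpd rounds header+data up to an 8-octet boundary and treats whatever
    # follows as the MAC if it is a plausible key id + digest length.
    properlen = (CTL_HEADER_LEN + count + 7) & ~7
    maclen = len(payload) - properlen
    mac_present = len(payload) % 4 == 0 and MIN_MAC_LEN <= maclen <= MAX_MAC_LEN
    return {
        "version": (li_vn_mode >> 3) & 0x07,
        "opcode": opcode,
        "opcode_name": CTL_OP_NAMES.get(opcode, f"OP{opcode}"),
        "is_response": bool(r_e_m_op & 0x80),
        "is_error": bool(r_e_m_op & 0x40),
        "more": bool(r_e_m_op & 0x20),
        "sequence": seq, "status": status, "association_id": assoc,
        "offset": offset, "count": count,
        "data": payload[CTL_HEADER_LEN:CTL_HEADER_LEN + count],
        "mac_present": mac_present,
    }


def classify(payload: bytes) -> str:
    """Verdict for one datagram: alert on trap changes that carry no MAC."""
    pkt = parse_control_packet(payload)
    if pkt is None:
        return "not-mode6"
    if pkt["is_response"]:
        return "response"
    if pkt["opcode"] in TRAP_OPCODES and not pkt["mac_present"]:
        return f"ALERT unauthenticated {pkt['opcode_name']} request"
    return f"ok {pkt['opcode_name']} request"


def build_control_request(opcode: int, data: bytes = b"", mac: bytes = b"",
                          response: bool = False) -> bytes:
    """Constructed sample packet (NTP version 2, mode 6) for offline testing."""
    r_e_m_op = (0x80 if response else 0) | (opcode & 0x1F)
    header = struct.pack("!BBHHHHH", (2 << 3) | 6, r_e_m_op, 1, 0, 0, 0, len(data))
    body = header + data
    if mac:
        body += b"\x00" * ((-len(body)) % 8)   # pad data to 8 octets before the MAC
    return body + mac


if __name__ == "__main__":
    samples = {
        "settrap, no MAC":     build_control_request(6),
        "unsettrap, no MAC":   build_control_request(31),
        "readvar":             build_control_request(2, b"version"),
        "settrap with MAC":    build_control_request(6, mac=b"\x00" * 20),
        "settrap response":    build_control_request(6, response=True),
        "client mode 3":       b"\x1b" + b"\x00" * 47,
    }
    for label, pkt in samples.items():
        print(f"{label:20s} -> {classify(pkt)}")
```

Alerts from this check point at hosts that should be covered by the `restrict ... noquery` or `restrict ... notrap` configuration the advisory names; the check is a detection aid, not a substitute for those restrictions.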


This vulnerability can be used to achieve several goals:



  • Time Shifting: If an attacker controls a host that is allowed to receive traps (i.e. not restricted by restrict noquery or restrict notrap), the attacker can instruct a victim ntpd instance to send traps to the attacker's host. Whenever a reportable event occurs for some peer, the victim ntpd will send a trap to the attacker leaking all the peer variables associated with that peer. The information leaked includes the peer's org and rec variables allowing the attacker to bypass TEST2 ..
