Current-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2010-005: NTP server Denial of Service vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2010-005
=================================
Topic: NTP server Denial of Service vulnerability
Version: NetBSD-current: affected prior to 2009-12-08
NetBSD 5.0.2: not affected
NetBSD 5.0.1: affected
NetBSD 5.0: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
pkgsrc: ntp package prior to 4.2.4p8
Severity: Remote Denial of Service
Fixed: NetBSD-current: Dec 8, 2009
NetBSD-5-0 branch: Dec 8, 2009
NetBSD-5 branch: Dec 8, 2009
NetBSD-4-0 branch: Dec 8, 2009
NetBSD-4 branch: Dec 8, 2009
pkgsrc 2009Q4: ntp-4.2.4p8 corrects this issue
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
A programming error in the handling of NTP MODE_PRIVATE packets
allows a remote attacker to cause a denial of service.
This vulnerability has been assigned CVE-2009-3563 and CERT
Vulnerability Note VU#568372.
Technical Details
=================
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows
remote attackers to cause a denial of service (CPU and bandwidth
consumption) by using MODE_PRIVATE to send a spoofed (1) request or
(2) response packet that triggers a continuous exchange of
MODE_PRIVATE error responses between two NTP daemons.
Solutions and Workarounds
=========================
As a workaround, disable the NTP service in your system by running the
following commands:
# /etc/rc.d/ntpd stop
# echo ntpd=NO > /etc/rc.conf.d/ntpd
The following instructions describe how to upgrade your ntpd
binaries by updating your source tree and rebuilding and
installing a new version of ntpd:
* NetBSD-current:
Systems running NetBSD-current dated from before 2009-12-08
should be upgraded to NetBSD-current dated 2009-12-09 or later.
The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
dist/ntp/ntpd/ntp_request.c
To update from CVS, re-build, and re-install ntpd:
# cd src
# cvs update -d -P dist/ntp/ntpd/ntp_request.c
# cd usr.sbin/ntp/ntpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 5.*:
Systems running NetBSD 5.* sources dated from before
2009-12-08 should be upgraded from NetBSD 5.* sources dated
2009-12-09 or later.
The following files/directories need to be updated from the
netbsd-5 or netbsd-5-0 branches:
dist/ntp/ntpd/ntp_request.c
To update from CVS, re-build, and re-install ntpd:
# cd src
# cvs update -r <branch_name> -d -P dist/ntp/ntpd/ntp_request.c
# cd usr.sbin/ntp/ntpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 4.*:
Systems running NetBSD 4.* sources dated from before
2009-12-08 should be upgraded from NetBSD 4.* sources dated
2009-12-09 or later.
The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
dist/ntp/ntpd/ntp_request.c
To update from CVS, re-build, and re-install ntpd:
# cd src
# cvs update -r <branch_name> -d -P dist/ntp/ntpd/ntp_request.c
# cd usr.sbin/ntp/ntpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Dmitri Vinokurov and Robin Park for discovering and reporting the vulnerability,
and Frank Kardel for fixing it in NetBSD.
Revision History
================
2010-04-27 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-005.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2010-005.txt,v 1.1 2010/04/25 23:25:30 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)
iQIcBAEBAgAGBQJL1flpAAoJEAZJc6xMSnBuHFAP/A+uCEy1p6SUPzA47tn4j1XC
UKctSH0F3KCtIp28HLJdqr5jfFiFlKfN4bQYPVK8cmALW/RHFvf4H+b2WR7Xnrvz
quLpbodMgEA16VRSSZKAR4WPl49znnoJOf3SeWmOcx+tj89/t83VTLJX/mGwxdLo
fOHqmmQe0th7oAqtegpW0RfO3B5/5Zq4zOoZbp3M3NJHDEYD1YY6u9TufLIbQ4k0
l7tRoEevG2sputJKGzlLkR6NGS2r3ZGjnNrmLMBvndI6NieIW/k7NKNJtJz+sPtP
6h8jFdCJjB7Vwf3Dcart1M3Vu3CWJXdlOycYAli8BSSzhFyE6abu5VyiKTSPJbgI
OOaJqLTYR7ZQY0cMYAaUd89MLVX7SF4bzKbYdpflrt2M1SmMY7SnO0vM97X7MplE
Mu+zCqzNnWwHMB1I4SK0jsSu1KH13ZNcZLo+2xcvuWxFQt+zU3uEtuitAYfm9wRY
BZdcihWBbmdaZJyE8wZFtujqqcaEX6cGtEty09SHgRL5VH3XvcuJf/5Ls+jVO1a4
61rd5byxJIM1a32dgamg48qpkE63LRy5GHavn67r391bAoWmUrfHt+9p7z/8IpfZ
KKdnw+R3a1t0BGH/yPcqVVD8oXY/xn80q0rqqqQxgI6ospqPHc3/jDUwnLRRI4Ae
OFFiV8sDaPu1BSURxu1a
=k9Vv
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index