NetBSD Security Advisory 2010-005: NTP server Denial of Service vulnerability

[NetBSD Security Officer <security-officer%NetBSD.org@localhost>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2010-005
                 =================================

Topic:          NTP server Denial of Service vulnerability


Version:        NetBSD-current:         affected prior to 2009-12-08
                NetBSD 5.0.2:           not affected
                NetBSD 5.0.1:           affected
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected
                pkgsrc:                 ntp package prior to 4.2.4p8


Severity:       Remote Denial of Service


Fixed:          NetBSD-current:         Dec 8, 2009
                NetBSD-5-0 branch:      Dec 8, 2009
                NetBSD-5 branch:        Dec 8, 2009
                NetBSD-4-0 branch:      Dec 8, 2009
                NetBSD-4 branch:        Dec 8, 2009
                pkgsrc 2009Q4:          ntp-4.2.4p8 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.



Abstract
========

A programming error in the handling of NTP MODE_PRIVATE packets
allows a remote attacker to cause a denial of service.

This vulnerability has been assigned CVE-2009-3563 and CERT
Vulnerability Note VU#568372.


Technical Details
=================

ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows
remote attackers to cause a denial of service (CPU and bandwidth
consumption) by using MODE_PRIVATE to send a spoofed (1) request or
(2) response packet that triggers a continuous exchange of
MODE_PRIVATE error responses between two NTP daemons.


Solutions and Workarounds
=========================

As a workaround, disable the NTP service in your system by running the
following commands:

        # /etc/rc.d/ntpd stop
        # echo ntpd=NO > /etc/rc.conf.d/ntpd

The following instructions describe how to upgrade your ntpd
binaries by updating your source tree and rebuilding and
installing a new version of ntpd:

* NetBSD-current:

        Systems running NetBSD-current dated from before 2009-12-08
        should be upgraded to NetBSD-current dated 2009-12-09 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                dist/ntp/ntpd/ntp_request.c

        To update from CVS, re-build, and re-install ntpd:
                # cd src
                # cvs update -d -P dist/ntp/ntpd/ntp_request.c
                # cd usr.sbin/ntp/ntpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 5.*:

        Systems running NetBSD 5.* sources dated from before
        2009-12-08 should be upgraded from NetBSD 5.* sources dated
        2009-12-09 or later.

        The following files/directories need to be updated from the
        netbsd-5 or netbsd-5-0 branches:
                dist/ntp/ntpd/ntp_request.c

        To update from CVS, re-build, and re-install ntpd:

                # cd src
                # cvs update -r <branch_name> -d -P dist/ntp/ntpd/ntp_request.c
                # cd usr.sbin/ntp/ntpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2009-12-08 should be upgraded from NetBSD 4.* sources dated
        2009-12-09 or later.

        The following files/directories need to be updated from the
        netbsd-4 or netbsd-4-0 branches:
                dist/ntp/ntpd/ntp_request.c

        To update from CVS, re-build, and re-install ntpd:

                # cd src
                # cvs update -r <branch_name> -d -P dist/ntp/ntpd/ntp_request.c
                # cd usr.sbin/ntp/ntpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Dmitri Vinokurov and Robin Park for discovering and reporting the vulnerability,
and Frank Kardel for fixing it in NetBSD.


Revision History
================

        2010-04-27      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-005.txt,v 1.1 2010/04/25 23:25:30 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)

iQIcBAEBAgAGBQJL1flpAAoJEAZJc6xMSnBuHFAP/A+uCEy1p6SUPzA47tn4j1XC
UKctSH0F3KCtIp28HLJdqr5jfFiFlKfN4bQYPVK8cmALW/RHFvf4H+b2WR7Xnrvz
quLpbodMgEA16VRSSZKAR4WPl49znnoJOf3SeWmOcx+tj89/t83VTLJX/mGwxdLo
fOHqmmQe0th7oAqtegpW0RfO3B5/5Zq4zOoZbp3M3NJHDEYD1YY6u9TufLIbQ4k0
l7tRoEevG2sputJKGzlLkR6NGS2r3ZGjnNrmLMBvndI6NieIW/k7NKNJtJz+sPtP
6h8jFdCJjB7Vwf3Dcart1M3Vu3CWJXdlOycYAli8BSSzhFyE6abu5VyiKTSPJbgI
OOaJqLTYR7ZQY0cMYAaUd89MLVX7SF4bzKbYdpflrt2M1SmMY7SnO0vM97X7MplE
Mu+zCqzNnWwHMB1I4SK0jsSu1KH13ZNcZLo+2xcvuWxFQt+zU3uEtuitAYfm9wRY
BZdcihWBbmdaZJyE8wZFtujqqcaEX6cGtEty09SHgRL5VH3XvcuJf/5Ls+jVO1a4
61rd5byxJIM1a32dgamg48qpkE63LRy5GHavn67r391bAoWmUrfHt+9p7z/8IpfZ
KKdnw+R3a1t0BGH/yPcqVVD8oXY/xn80q0rqqqQxgI6ospqPHc3/jDUwnLRRI4Ae
OFFiV8sDaPu1BSURxu1a
=k9Vv
-----END PGP SIGNATURE-----