Bugzilla – Bug 948963
VUL-0: CVE-2014-9751: ntp,xntp: The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X doe...
Last modified: 2015-10-06 08:31:33 UTC
The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address.

From http://support.ntp.org/bin/view/Main/SecurityNotice#1_can_be_spoofed_on_some_OSes_so

::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed.

References: Sec 2672 / CVE-2014-9298 / VU#852879
Affects: All NTP4 releases before 4.2.8p1, under at least some versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
Date Resolved: Stable (4.2.8p1) 04 Feb 2015
Summary: While available kernels will prevent 127.0.0.1 addresses from "appearing" on non-localhost IPv4 interfaces, some kernels do not offer the same protection for ::1 source addresses on IPv6 interfaces. Since NTP's access control is based on source address and localhost addresses generally have no restrictions, an attacker can send malicious control and configuration packets by spoofing ::1 addresses from the outside.
Note Well: This is not really a bug in NTP, it's a problem with some OSes. If you have one of these OSes where ::1 can be spoofed, ALL ::1-based ACL restrictions on any application can be bypassed!
Mitigation:
  Upgrade to 4.2.8p1, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
  Install firewall rules to block packets claiming to come from ::1 from inappropriate network interfaces.
Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.

Upstream commits:
summary: http://bk.ntp.org/ntp-stable/?PAGE=search&EXPR=[Sec+2672]&SEARCH=ChangeSet+comments
ChangeSet 1.3292.3.2 [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...
ChangeSet 1.3268 [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs
ChangeSet 1.3259 [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs: debug output tweaking
ChangeSet 1.3255 [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54922b65gDSbE4G7c3JjkuK1Tv33qQ
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5492d2879rotbnnuVch_ZC3RAfS8AA
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5496213frLaEz5PHLZVhuYjM7Lalkw
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54c2228bpOp4_zrX9aGXdMEZJEGzkg

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9751
http://bugs.ntp.org/show_bug.cgi?id=2672
http://support.ntp.org/bin/view/Main/SecurityNotice#1_can_be_spoofed_on_some_OSes_so
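The shape of the check behind the [Sec 2672] fix, as an added illustration that is not ntpd's own code and not taken from the upstream ChangeSets above: source-address-only trust (the pre-4.2.8p1 behaviour the advisory describes) next to the hardened rule that only believes a ::1 source when the packet really arrived on the loopback interface. The function names, the verdict values and the iface_is_loopback flag standing in for the receiving interface's loopback property are assumptions made for this example; the sample packets in main() are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Verdicts used by this example (assumed names, not ntpd's). */
enum verdict { REJECT = 0, ACCEPT_RESTRICTED = 1, ACCEPT_LOCALHOST = 2 };

/* Parse an IPv4 or IPv6 address; returns the address family or -1. */
static int parse_addr(const char *text, struct in6_addr *v6, struct in_addr *v4)
{
    if (inet_pton(AF_INET6, text, v6) == 1) return AF_INET6;
    if (inet_pton(AF_INET, text, v4) == 1) return AF_INET;
    return -1;
}

static int is_v4_loopback(const struct in_addr *v4)
{
    return (ntohl(v4->s_addr) >> 24) == 127;   /* 127.0.0.0/8 */
}

/* Pre-fix behaviour: trust is keyed on the source address alone, so a
 * packet claiming to come from ::1 gets localhost privileges even when
 * it came in on a real network interface (the spoofing case). */
int classify_vulnerable(const char *src, int iface_is_loopback)
{
    struct in6_addr v6; struct in_addr v4;
    int family = parse_addr(src, &v6, &v4);
    (void)iface_is_loopback;                    /* never consulted: that is the bug */
    if (family == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&v6)) return ACCEPT_LOCALHOST;
    if (family == AF_INET && is_v4_loopback(&v4)) return ACCEPT_LOCALHOST;
    if (family < 0) return REJECT;
    return ACCEPT_RESTRICTED;
}

/* Hardened behaviour modelled on the fix: a loopback source address is
 * only believed if the packet arrived on the loopback interface; a ::1
 * source seen on any other interface is dropped before any ACL lookup.
 * The 127/8 branch is belt and braces: the advisory notes kernels
 * already prevent that case on IPv4. */
int classify_hardened(const char *src, int iface_is_loopback)
{
    struct in6_addr v6; struct in_addr v4;
    int family = parse_addr(src, &v6, &v4);
    if (family < 0) return REJECT;
    if (family == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&v6))
        return iface_is_loopback ? ACCEPT_LOCALHOST : REJECT;   /* spoofed ::1 from the wire */
    if (family == AF_INET && is_v4_loopback(&v4))
        return iface_is_loopback ? ACCEPT_LOCALHOST : REJECT;
    return ACCEPT_RESTRICTED;
}

int main(void)
{
    /* Constructed sample packets: source address and whether the
     * receiving interface is loopback. */
    struct { const char *src; int lo; } pkts[] = {
        { "::1", 1 },            /* genuine localhost traffic */
        { "::1", 0 },            /* ::1 arriving on a real NIC: the spoof */
        { "2001:db8::10", 0 },   /* ordinary remote peer, subject to normal ACLs */
        { "127.0.0.1", 0 },      /* normally impossible on IPv4, checked anyway */
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("%-14s loopback_iface=%d  vulnerable=%d  hardened=%d\n",
               pkts[i].src, pkts[i].lo,
               classify_vulnerable(pkts[i].src, pkts[i].lo),
               classify_hardened(pkts[i].src, pkts[i].lo));
    return 0;
}
```

The point of the hardened rule is that it is applied before the source-address ACL is consulted, so a ::1 that the kernel let through on a non-loopback interface never reaches the "localhost has no restrictions" path; the firewall rule the advisory recommends enforces the same property one layer lower, for every application on the host rather than just ntpd.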
We already fixed this when it was still known as CVE-2014-9298.
Resolving as duplicate

*** This bug has been marked as a duplicate of bug 911792 ***