Package: ntp
Version: 1:4.2.4p6+dfsg-2
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch

In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: fix DoS with mode 7 (MODE_PRIVATE) packets
    - debian/patches/CVE-2009-3563.patch: update ntpd/ntp_request.c to
      not send a response packet for and rate limit logging of invalid mode 7
      requests and responses
    - CVE-2009-3563

We thought you might be interested in doing the same. Here are a couple
more references:
https://support.ntp.org/bugs/show_bug.cgi?id=1331
http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode

The attached patch should work fine going back to etch as well (with a
little fuzz), as we used it as far back as ntp-4.2.0a+stable.

Jamie

-- System Information:
Debian Release: squeeze/sid
  APT prefers karmic-updates
  APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-15-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u ntp-4.2.4p6+dfsg/debian/changelog ntp-4.2.4p6+dfsg/debian/changelog
diff -u ntp-4.2.4p6+dfsg/debian/patches/series ntp-4.2.4p6+dfsg/debian/patches/series
--- ntp-4.2.4p6+dfsg/debian/patches/series
+++ ntp-4.2.4p6+dfsg/debian/patches/series
@@ -15,0 +16 @@
+CVE-2009-3563.patch
only in patch2:
unchanged:
--- ntp-4.2.4p6+dfsg.orig/debian/patches/CVE-2009-3563.patch
+++ ntp-4.2.4p6+dfsg/debian/patches/CVE-2009-3563.patch
@@ -0,0 +1,31 @@
+Description: DoS with mode 7 packets - CVE-2009-3563
+Origin: CERT VU#568372
+
+diff -Nur ntp-4.2.4p6+dfsg/ntpd/ntp_request.c ntp-4.2.4p6+dfsg.new/ntpd/ntp_request.c
+--- ntp-4.2.4p6+dfsg/ntpd/ntp_request.c	2008-08-10 06:02:41.000000000 -0500
++++ ntp-4.2.4p6+dfsg.new/ntpd/ntp_request.c	2009-12-03 14:15:58.943054585 -0600
+@@ -409,6 +409,7 @@
+ 	int mod_okay
+ 	)
+ {
++	static u_long quiet_until;
+ 	struct req_pkt *inpkt;
+ 	struct req_pkt_tail *tailinpkt;
+ 	struct sockaddr_storage *srcadr;
+@@ -444,8 +445,14 @@
+ 	    || (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0)
+ 	    || (++ec, rbufp->recv_length < REQ_LEN_HDR)
+ 		) {
+-		msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d failed, pkt from %s", ec, stoa(srcadr));
+-		req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
++		NLOG(NLOG_SYSEVENT)
++			if (current_time >= quiet_until) {
++				msyslog(LOG_ERR,
++					"process_private: drop test %d"
++					" failed, pkt from %s",
++					ec, stoa(srcadr));
++				quiet_until = current_time + 60;
++			}
+ 		return;
+ 	}
+ 
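
Review bot: `quiet_until` in the embedded ntp_request.c change is a single function-level static shared by every sender, so in the `@@ -444,8 +445,14 @@` part the first malformed mode 7 packet from any address silences the log line for all other addresses for the next 60 seconds, and nothing records how many packets were dropped in that window. Consider counting suppressed drops and reporting the count in the next `msyslog()` call, so the log still shows the volume once the window reopens. The bare `60` would read better as a named constant with a comment. The place where `req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);` was removed deserves a short comment saying the reply is omitted on purpose, since the Description line only says "DoS with mode 7 packets" and a later cleanup could restore the reply. The message text also changes from "INFO_ERR_FMT: test %d failed" to "drop test %d failed", so any log-matching rule keyed on the old string needs updating. Finally, the `if` placed under `NLOG(NLOG_SYSEVENT)` has no enclosing braces; bracing the whole guarded statement would make its scope explicit.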
