NTP mode7 (MODE_PRIVATE) denial of service (NTP_Mode7_DoS)

About this signature or vulnerability

IBM Security Host Protection for Servers (Unix), Virtual Server Protection for Vmware, Proventia Network IPS, Proventia Server IPS for Linux technology, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Desktops, Proventia Network IDS, RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows):

This event detects repeated NTP Mode 7 error requests and responses sent to a single host (typically between two NTP servers) in a short period of time, which can DoS an NTP server. The interval and count are configurable.


Default risk level

Medium risk vulnerability

Sensors that have this signature

IBM Security Host Protection for Servers (Unix): 2.2.2, Virtual Server Protection for Vmware: XPU 32.020, Proventia Network IPS: XPU 32.020, Proventia Server IPS for Linux technology: 32.020, Proventia-G 1.1 and earlier: XPU 32.020, Proventia Network MFS: XPU 32.020, IBM Security Host Protection for Desktops: 2730, Proventia Network IDS: XPU 32.020, RealSecure Server Sensor: XPU 32.020, IBM Security Host Protection for Servers (Windows): 2.1.14.2730

Systems affected

Gentoo Linux, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, IBM AIX: 6.1, RedHat Enterprise Linux: 3 Desktop, IBM AIX: 5.3, MandrakeSoft Mandrake Linux Corporate Server: 3.0, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, MandrakeSoft Mandrake Multi Network Firewall: 2.0, Canonical Ubuntu: 6.06 LTS, MandrakeSoft Mandrake Linux Corporate Server: 4.0, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, RedHat Enterprise Linux: 5, MandrakeSoft Mandrake Linux: 2008.0 X86_64, Debian Debian Linux: 4.0, HP TCP IP Services OpenVMS: 5.6, HP TCP IP Services OpenVMS: 5.5, RedHat Enterprise Linux: 5 Client, MandrakeSoft Mandrake Linux: 2008.0, VMware ESX Server: 2.5.5, Nortel CS1000: 4.5, Canonical Ubuntu: 8.04 LTS, VMware ESX Server: 3.5, VMware ESX Server: 3.0.3, Mandriva Linux: 2009.0, Mandriva Linux: 2009.0 X86_64, Canonical Ubuntu: 8.10, Debian Debian Linux: 5.0, NTP NTP: 4.2.4p7, Mandriva Linux: 2009.1, Mandriva Linux: 2009.1 X86_64, Avaya CMS: R15, Avaya CMS: R14, Avaya CMS: R14.1, RedHat Enterprise Linux: 4.8.z ES, RedHat Enterprise Linux: 4.8.z AS, VMware ESXi Server: 4.0, VMware ESX Server: 4.0, RedHat Enterprise Linux: 5.4.z EUS, Avaya CMS: R16, VMware vMA: 4.0, HP Tru64: 5.1B-5 (BL28), HP Tru64: 5.1B-4 (BL27), Mandriva Enterprise Server: 5, Mandriva Enterprise Server: 5 X86_64, Mandriva Linux: 2010 X86_64, Mandriva Linux: 2010, Oracle Sun System Firmware: 8.x

Type

Denial of Service

Vulnerability description

NTP is vulnerable to a denial of service, caused by an error in the processing of mode 7 (MODE_PRIVATE) requests, the packet format used by the ntpdc query and control utility. By sending a specially-crafted mode 7 response packet containing a spoofed source address, an attacker could trigger an endless loop, consuming available CPU resources.
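As an added illustration of the detection behaviour described under "About this signature" and the mode 7 error handling described above (example code, not IBM's signature logic or the NTP project's code), the following Python parses the 8-byte mode 7 header, flags packets that carry a non-zero error code, and counts them per destination host in a sliding window whose interval and count are configurable. The header layout and the meaning of the error field follow ntpd's ntp_request.h; the addresses, timestamps and packets are constructed.

```python
import struct
from collections import defaultdict, deque

MODE_PRIVATE = 7   # NTP mode 7, the ntpdc (MODE_PRIVATE) protocol
INFO_OKAY = 0      # error field value meaning "no error" (ntp_request.h)

def parse_mode7_header(payload):
    """Return (is_response, error_code), or None if not a mode 7 packet."""
    if len(payload) < 8:
        return None
    rm_vn_mode, _, _, _, err_nitems, _ = struct.unpack("!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    is_response = bool(rm_vn_mode & 0x80)   # R bit: response rather than request
    error_code = err_nitems >> 12           # top 4 bits of err_nitems
    return is_response, error_code

class Mode7ErrorDetector:
    """Counts mode 7 error packets per destination host in a sliding window."""
    def __init__(self, interval=1000, count=10):
        self.interval, self.count = interval, count   # the signature's two knobs (ms, packets)
        self.recent = defaultdict(deque)              # dst -> timestamps of error packets

    def observe(self, ts, dst, payload):
        """Feed one UDP/123 payload; return True when the threshold is reached."""
        hdr = parse_mode7_header(payload)
        if hdr is None or hdr[1] == INFO_OKAY:
            return False                    # not mode 7, or a normal packet
        window = self.recent[dst]
        window.append(ts)
        while window and ts - window[0] > self.interval:
            window.popleft()                # drop packets older than the interval
        return len(window) >= self.count

def build_mode7(response, error_code, seq=0, impl=3, request=0):
    """Construct a minimal mode 7 packet (version 2 header, no data items)."""
    rm_vn_mode = (0x80 if response else 0) | (2 << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", rm_vn_mode, seq & 0x7F, impl, request,
                       (error_code & 0x0F) << 12, 0)

def simulate():
    """Constructed traffic: one clean mode 7 response, then 12 error responses
    (error code 2, INFO_ERR_REQ in ntp_request.h) 50 ms apart at one host."""
    det = Mode7ErrorDetector(interval=1000, count=10)
    alerts = []
    det.observe(10, "10.0.0.2", build_mode7(True, INFO_OKAY))  # no error, ignored
    for i in range(12):
        if det.observe(100 + 50 * i, "10.0.0.2", build_mode7(True, 2)):
            alerts.append(100 + 50 * i)
    return alerts   # threshold first reached on the 10th error packet
```

A plain mode 3 client packet (first byte 0x23) is ignored by the parser, so ordinary time synchronisation never contributes to the count.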

How to remove this vulnerability

Upgrade to the latest version of NTP (4.2.4p8 or later), available from the NTP Web site. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

NTP Web site
NTP Software Downloads
http://www.ntp.org/downloads.html

NTP Bugzilla
DoS with mode 7 packets (CVE-2009-3563)
https://support.ntp.org/bugs/show_bug.cgi?id=1331

Vulnerability Note VU#568372
NTP mode 7 denial-of-service vulnerability
http://www.kb.cert.org/vuls/id/568372

Nortel Enterprise Response to VU#568372
Potential DoS using ntpd from xntp2
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=985679

ASA-2010-024
A Security Vulnerability in the ntp Daemon (xntpd(1M)) May Lead to a Denial of the Solaris Network Time Protocol(NTP) Service (Sun 275590)
http://support.avaya.com/css/P8/documents/100073364

IBM APAR IZ71047
NTP MODE 7 VULNERABILITY IN AIX 5.3 /AIX 6.1
http://www-01.ibm.com/support/docview.wss?uid=isg1IZ71047

IBM APAR IZ68659
NTP MODE 7 VULNERABILITY IN AIX 5.3 /AIX 6.1
http://www-01.ibm.com/support/docview.wss?uid=isg1IZ68659

VMware Security Announcements
VMSA-2010-0004 ESX Service Console and vMA third party updates
http://lists.vmware.com/pipermail/security-announce/2010/000082.html

HP Security Bulletin HPSBOV02497 SSRT090245 rev.1
HP TCP/IP Services for OpenVMS Running NTP, Remote Execution of Arbitrary Code, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01961959

VMSA-2010-0009
ESXi utilities and ESX Service Console third party updates
http://lists.vmware.com/pipermail/security-announce/2010/000093.html

HP Security Bulletin HPSBTU02496 SSRT090245
HP Tru64 UNIX Running NTP, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01961950

ISS X-Force
NTP mode7 (MODE_PRIVATE) denial of service
http://www.iss.net/security_center/static/54650.php

CVE
CVE-2009-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563