IBM Security Host Protection for Desktops, Proventia Network IDS, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This event detects repeated NTP Mode 7 error requests and responses sent to a single host (typically between two NTP servers) in a short period of time, which can DoS an NTP server. The interval and count are configurable.
Medium
IBM Security Host Protection for Desktops: 2730, Proventia Network IDS: XPU 32.020, Proventia Network IPS: XPU 32.020, RealSecure Network: XPU 32.020, RealSecure Server Sensor: XPU 32.020, Proventia-G 1.1 and earlier: XPU 32.020, Proventia Network MFS: XPU 32.020, IBM Security Host Protection for Servers (Windows): 2.1.14.2730, IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia Server IPS for Linux technology: 32.020, Virtual Server Protection for VMware: XPU 32.020
Gentoo Linux, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, IBM AIX: 6.1, RedHat Enterprise Linux: 3 Desktop, IBM AIX: 5.3, MandrakeSoft Mandrake Linux Corporate Server: 3.0, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, MandrakeSoft Mandrake Multi Network Firewall: 2.0, Canonical Ubuntu: 6.06 LTS, MandrakeSoft Mandrake Linux Corporate Server: 4.0, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, RedHat Enterprise Linux: 5, MandrakeSoft Mandrake Linux: 2008.0 X86_64, Debian Debian Linux: 4.0, HP TCP IP Services OpenVMS: 5.6, HP TCP IP Services OpenVMS: 5.5, RedHat Enterprise Linux: 5 Client, MandrakeSoft Mandrake Linux: 2008.0, VMware ESX Server: 2.5.5, Nortel CS1000: 4.5, Canonical Ubuntu: 8.04 LTS, VMware ESX Server: 3.5, VMware ESX Server: 3.0.3, Mandriva Linux: 2009.0, Mandriva Linux: 2009.0 X86_64, Canonical Ubuntu: 8.10, Debian Debian Linux: 5.0, NTP NTP: 4.2.4p7, Mandriva Linux: 2009.1, Mandriva Linux: 2009.1 X86_64, Avaya CMS: R15, Avaya CMS: R14, Avaya CMS: R14.1, RedHat Enterprise Linux: 4.8.z ES, RedHat Enterprise Linux: 4.8.z AS, VMware ESXi Server: 4.0, VMware ESX Server: 4.0, RedHat Enterprise Linux: 5.4.z EUS, Avaya CMS: R16, VMware vMA: 4.0, HP Tru64: 5.1B-5 (BL28), HP Tru64: 5.1B-4 (BL27), Mandriva Enterprise Server: 5, Mandriva Enterprise Server: 5 X86_64, Mandriva Linux: 2010 X86_64, Mandriva Linux: 2010, Oracle Sun System Firmware: 8.x
Denial of Service
NTP is vulnerable to a denial of service, caused by an error when processing mode 7 (MODE_PRIVATE) requests by the ntpdc query and control utility. By sending a specially-crafted mode 7 response packet containing a spoofed source address, an attacker could trigger an endless loop, consuming available CPU resources.
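The detection described above (mode 7 error packets repeatedly sent to one host within a configurable interval) can be sketched as follows. This is an added example, not the signature's actual logic: the header layout is the standard ntpd mode 7 header, while the threshold values, the sample packets and the 192.0.2.x addresses are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

MODE_PRIVATE = 7   # NTP mode 7, the private mode used by ntpdc
RESP_BIT = 0x80    # top bit of the first byte marks a response

def parse_mode7(payload: bytes):
    """Return (is_response, err_code) for a mode 7 UDP payload, else None."""
    if len(payload) < 8:          # too short to hold the mode 7 header
        return None
    # First byte: R, M, version, mode. Bytes 4-5: 4-bit error code + item count.
    rm_vn_mode, _seq, _impl, _req, err_nitems = struct.unpack("!BBBBH", payload[:6])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return bool(rm_vn_mode & RESP_BIT), err_nitems >> 12

class Mode7ErrorFlood:
    """Alert when `count` mode 7 error packets reach one host within `interval_ms`."""
    def __init__(self, count=5, interval_ms=2000):   # assumed values, tune per site
        self.count, self.interval_ms = count, interval_ms
        self.seen = defaultdict(deque)               # destination -> timestamps

    def observe(self, ts_ms, dst, payload):
        parsed = parse_mode7(payload)
        if parsed is None or parsed[1] == 0:         # not mode 7, or no error code
            return False
        window = self.seen[dst]
        window.append(ts_ms)
        while ts_ms - window[0] > self.interval_ms:  # drop entries outside the interval
            window.popleft()
        return len(window) >= self.count

# Constructed sample payloads (not captured traffic).
ERR_RESP = bytes([0x97, 0x00, 0x03, 0x00, 0x10, 0x00, 0x00, 0x00])  # mode 7 response, error 1
OK_REQ = bytes([0x17, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00])    # mode 7 request, no error
CLIENT = bytes([0x23]) + bytes(47)                                  # ordinary mode 3 query

def run_sample():
    """Replay constructed events; return first alert time (ms) per destination."""
    det = Mode7ErrorFlood()
    hosts = ("192.0.2.10", "192.0.2.20")
    events = [(i * 100, hosts[i % 2], ERR_RESP) for i in range(12)]     # rapid error exchange
    events += [(i * 1000, "192.0.2.30", ERR_RESP) for i in range(6)]    # slow, under threshold
    events += [(i * 10, "192.0.2.10", CLIENT) for i in range(50)]       # normal time queries
    events += [(i * 10, "192.0.2.40", OK_REQ) for i in range(50)]       # mode 7 without errors
    first = {}
    for ts, dst, payload in sorted(events, key=lambda e: e[0]):
        if det.observe(ts, dst, payload):
            first.setdefault(dst, ts)
    return first

if __name__ == "__main__":
    print(run_sample())
```

Only the two hosts exchanging error packets every 100 ms cross the threshold; ordinary mode 3 queries, error-free mode 7 requests and slow error traffic do not.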
Upgrade to the latest version of NTP (4.2.4p8 or later), available from the NTP Web site. See References.
For other distributions:
Apply the appropriate update for your system. See References.
NTP Web site
NTP Software Downloads
http://www.ntp.org/downloads.html
NTP Bugzilla
DoS with mode 7 packets (CVE-2009-3563)
https://support.ntp.org/bugs/show_bug.cgi?id=1331
Vulnerability Note VU#568372
NTP mode 7 denial-of-service vulnerability
http://www.kb.cert.org/vuls/id/568372
Nortel Enterprise Response to VU#568372
Potential DoS using ntpd from xntp2
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=985679
ASA-2010-024
A Security Vulnerability in the ntp Daemon (xntpd(1M)) May Lead to a Denial of the Solaris Network Time Protocol(NTP) Service (Sun 275590)
http://support.avaya.com/css/P8/documents/100073364
IBM APAR IZ71047
NTP MODE 7 VULNERABILITY IN AIX 5.3 /AIX 6.1
http://www-01.ibm.com/support/docview.wss?uid=isg1IZ71047
IBM APAR IZ68659
NTP MODE 7 VULNERABILITY IN AIX 5.3 /AIX 6.1
http://www-01.ibm.com/support/docview.wss?uid=isg1IZ68659
VMware Security Announcements
VMSA-2010-0004 ESX Service Console and vMA third party updates
http://lists.vmware.com/pipermail/security-announce/2010/000082.html
HPSBOV02497 SSRT090245 rev.1
HP TCP/IP Services for OpenVMS Running NTP, Remote Execution of Arbitrary Code, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01961959
VMSA-2010-0009
ESXi utilities and ESX Service Console third party updates
http://lists.vmware.com/pipermail/security-announce/2010/000093.html
HPSBTU02496 SSRT090245
HP Tru64 UNIX Running NTP, Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01961950
ISS X-Force
NTP mode7 (MODE_PRIVATE) denial of service
http://www.iss.net/security_center/static/54650.php
CVE
CVE-2009-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563