News from 2014-12-22


Meinberg Security Advisory: [MBGSA-1405] Multiple NTP Vulnerabilities


The Public NTP Services Project (www.ntp.org) announced on Dec 19th that the current versions of the reference implementation of NTP contain a number of security related bugs that affect all NTP 4.x versions.

UPDATE 2:

Customers with LANTIME Firmware Versions 5 and PTP hardware (M600/PTP and M900/PTP) should contact Meinberg technical support (techsupport@meinberg.de) before applying the recommended configuration below.

UPDATE:

A new Windows Installer for NTP has been released and can be downloaded from the NTP Download page.

CVE-ID:

CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296

1. Description of the Problem

The version of the reference implementation of NTP installed on LANTIME firmware appliances and included in our Windows NTP Installer contains several bugs that can cause security vulnerabilities.

Most of the recently reported issues only affect systems that have the so-called Autokey feature enabled. Because Autokey has been found to have structural security flaws and is therefore not considered a secure way of providing NTP services, Meinberg recommends not enabling this feature if possible.

Another set of the reported vulnerabilities is only exploitable if mode 6/mode 7 packets are not restricted on the target system, i.e. if untrusted IP addresses are able to send these packets.

2. Affected Systems

All LANTIME Firmware Versions before V6.16.007 are affected by this vulnerability.

All NTP V4.x Versions before 4.2.8 are affected according to the information we received from the maintainers of NTP. We are still investigating whether this affects LANTIME V3.x, V4.x and V5.x firmware versions (using NTP 4.2.0b) and will update this page if we find out that they are not affected. Until then we consider these firmware generations to be affected.

3. Possible Defense Strategies

Meinberg Products

We recommend setting up firewall protection for all LANTIME V3.x systems still in use and reachable from untrusted networks. For Meinberg LANTIME products running firmware versions V4.x and V5.x, the recommended configuration changes outlined below can be applied using the "Edit additional NTP configuration" function on the NTP configuration page of the web UI.

In order to protect LANTIME systems that cannot be updated to V6.16.007, we recommend disabling Autokey using the Web UI of your LANTIME systems. Please note that this feature is disabled by default and therefore only needs to be disabled again if it had been actively enabled.

In order to restrict the use of Mode 6/Mode 7 packets on your LANTIME systems, please add the following lines to the "additional NTP configuration" of your LANTIME:

# LANTIME Additional NTP Configuration:
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1

IMPORTANT: the last "restrict" line is required to ensure that the internal status updates continue to work. Failing to add this line (restrict 127.0.0.1) can cause problems with displaying the NTP status on the Web UI and on the front display etc.

LANTIME products running V6 firmware versions can be protected either by using the same approach as V4/V5 or by disabling mode 6/mode 7 support generally using the "Disable mode 6 / mode 7" option in the "General Options" section on the NTP page of the web interface.

Other NTP Installations

If updating your NTP installation to 4.2.8 or to a patched version provided by your OS vendor is not possible, you can disable support for handling NTP mode 7 requests by using the "restrict" statement. The "noquery" flag disables mode 7 support (including the "monlist" feature) and can be set in a "default restrict" statement so that it applies to all incoming requests. NTP allows you to define a default "restrict" setting and different restrictions for specific IPs and/or subnets. You should also disable Autokey if it is enabled in your configuration by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

Mode 6/mode 7 NTP packets are used for requesting status information from the NTP daemon and allow attackers to obtain knowledge about the NTP version and the OS version running on your NTP server, as well as other information such as upstream NTP servers and details about the current status of your NTP synchronization. In addition to disabling status query support, Meinberg recommends that you disable configuration change support as well, which can be achieved by using the "nomodify" flag.

NOTE: To find out more about the meaning of the configuration statements used in this article, please refer to http://doc.ntp.org for further explanation. The configuration examples provided here should work with all ntpd versions from 4.2.0 to 4.2.6 with the obvious limitation that the IPv6 related configuration lines only work with versions that support IPv6.

Add the following lines to your NTP configuration file (ntp.conf):

# for IPv4
restrict default limited kod nomodify notrap nopeer noquery
# for IPv6
restrict -6 default limited kod nomodify notrap nopeer noquery

For all incoming requests, this disables mode 6 and mode 7 support and additionally enables the "kiss-o'-death" (kod) functionality of NTP. It still allows everybody to send a regular NTP request (for time), but prevents all IP addresses not specifically configured from using mode 6 (status) or mode 7 (control) requests to obtain detailed information about your NTP server, or from using the mode 7 "monlist" feature for traffic amplification attacks.

It often makes sense to allow full access from the server itself; you can remove the restrictions for the local host by using these "restrict" lines:

# for IPv4
restrict 127.0.0.1
# for IPv6
restrict -6 ::1

In order to lift these restrictions for specific hosts or whole subnets that need access to "monlist" and the other status information provided by ntpd via mode 6/mode 7, additional "restrict" statements can be added for each of those IP addresses or subnets. For example, to allow an administrator PC to access the detailed NTP status information, add another "restrict" statement:

# for IPv4
restrict 192.168.0.20 nomodify nopeer

Or, to define different restrictions for a whole subnet:

# for IPv4
restrict 192.168.0.0 mask 255.255.255.0 nomodify kod

You can define multiple "restrict" lines to grant access to multiple hosts and subnets. More about the available access control configuration options can be found on the NTP documentation site of the NTP Project (doc.ntp.org).
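As an added example (not Meinberg's or the NTP Project's code), the following Python script audits an ntp.conf against the recommendations in this section and in the LANTIME "additional NTP configuration" above: both the IPv4 and IPv6 "restrict default" lines carry noquery and nomodify, a localhost exception is present, and no crypto (Autokey) directive remains. The two sample configurations and the server name ntp1.example.net are constructed for the demonstration.

```python
REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify"}  # close mode 6/7 queries and remote config changes

def parse_restrict(line):
    # Returns (family, target, flags) for a 'restrict' line, None for anything else.
    tokens = line.split("#", 1)[0].split()
    if tokens[:1] != ["restrict"]:
        return None
    family = {"-4": "ipv4", "-6": "ipv6"}.get(tokens[1] if len(tokens) > 1 else None)
    args = tokens[2 if family else 1:]
    if not args:
        return None
    target, flags = args[0], args[1:]
    if flags[:1] == ["mask"] and len(flags) >= 2:  # "restrict A.B.C.D mask M.M.M.M ..."
        target, flags = f"{target}/{flags[1]}", flags[2:]
    if family is None:  # ntpd infers the family from the address when -4/-6 is absent
        family = "ipv6" if ":" in target else "ipv4"
    return family, target, set(flags)

def audit_ntp_conf(text):
    # Findings against the advisory's recommendations; an empty list means compliant.
    findings, defaults, localhost, autokey = [], {}, False, False
    for line in text.splitlines():
        autokey |= line.split("#", 1)[0].strip().startswith("crypto")  # any crypto directive enables Autokey
        parsed = parse_restrict(line)
        if parsed and parsed[1] == "default":
            defaults[parsed[0]] = parsed[2]
        elif parsed and parsed[1] in ("127.0.0.1", "::1"):
            localhost = True
    for family in ("ipv4", "ipv6"):
        if family not in defaults:
            findings.append(f"{family}: no 'restrict default' line, mode 6/7 queries unrestricted")
        else:
            missing = sorted(REQUIRED_DEFAULT_FLAGS - defaults[family])
            if missing:
                findings.append(f"{family}: 'restrict default' lacks {' '.join(missing)}")
    if not localhost:
        findings.append("no localhost exception (restrict 127.0.0.1 / ::1); local NTP status tools may break")
    if autokey:
        findings.append("'crypto' directive present: Autokey is enabled")
    return findings

# Constructed samples: a typical pre-advisory ntp.conf and the hardened form from this page.
WEAK_CONF = "\n".join(["server ntp1.example.net", "crypto pw secret",
                       "restrict default kod nomodify notrap nopeer", "restrict 127.0.0.1"])
HARDENED_CONF = "\n".join(["server ntp1.example.net", "restrict 127.0.0.1", "restrict -6 ::1",
    "restrict default limited kod nomodify notrap nopeer noquery",
    "restrict -6 default limited kod nomodify notrap nopeer noquery",
    "restrict 192.168.0.0 mask 255.255.255.0 nomodify kod"])
```

Running audit_ntp_conf on WEAK_CONF reports the missing noquery flag, the absent IPv6 default line and the active Autokey directive, while HARDENED_CONF yields no findings.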

4. Additional Information Sources

More about this topic can be found on the following websites:

Security Notice of the NTP Public Services Project
Debian Security Announce Message DSA-3108-1 from the Debian Security Announce mailing list

Please do not hesitate to reach out to your Meinberg support contact if you need further assistance or have additional questions.

