Network Time Protocol Daemon DoS Vulnerability

December 2, 2016

The Network Time Protocol daemon (NTPD) is prone to a DoS vulnerability CVE-2016-7434. A remote, authenticated attacker can exploit this vulnerability by sending a crafted packet to the target service. A successful attack could cause NTPD service to crash.

The NTP protocol is designed to synchronize the clocks of computers over a network. It is maintained by ntp.org, and widely used in server operating systems, routers and infrastructure devices.

To perform routine NTP control and monitoring functions in comprehensive network-management environments, the NTP control message is introduced. The NTP control message has the following format:

  • NTP Control Message header
  • Version Number: 3-bit integer indicating the NTP version number, currently (3).
  • Mode: 3-bit integer indicating the mode. It must have the value 6, indicating an NTP control message.
  • Response Bit: Set to zero for commands, one for responses.
  • Error Bit: Set to zero for normal response, one for error response.
  • More Bit: Set to zero for last fragment, one for all others.
  • Operation Code: 5-bit integer specifying the command function.
  • Sequence: 16-bit Sequence number of the command or response
  • Status: 16-bit Status of the system
  • Association ID: 16-bit ID of a valid association
  • Offset: 16-bit Offset of the first byte in the Data field (Must be 0x0 for requests)
  • Count: 16-bit Length of the Data field (N)
  • Data: Message data for the command or response
  • Padding: Zero padding
  • Authenticator: Optional authenticator information

The OP code is represented by a 5-bits integer. To be more specified, the values are:

0 = reserved
1 = read status command/response
2 = read variables command/response
3 = write variables command/response
4 = read clock variables command/response
5 = write clock variables command/response
6 = set trap address/port command/response
7 = trap response
8-31 = reserved

The vulnerability could be triggered on a certain type of message, the "MRU List" request. When the OPCode is set to 0x0A, the data section should be in a key-value format containing the information for the request.

When handling this kind request, a function read_mru_list() will be called in order to parse the key-value format Data section. And in this function, a sub function ctl_getitem() will be called to get value for corresponding key. If the key has no value, this function will return NULL.

However, in the read_mru_list() function, the return value is assigned to be a char* pointer, and will be parsed to other functions as a parameter. Afterwards, a NULL pointer exception will occur, causing the service crash.

The PoC exploit is already in the wild at http://dumpco.re/cve-2016-7434/ .The official patch is issued in the ntp-4.2.8p9 update.

SonicWALL provides protection against this threat via the following signatures:

  • 12506 EXPLOIT Network Time Protocol Daemon read_mru_list Denial of Service