National Cyber-Alert System: NTP Alert (2009-3563)

Overview

ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
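
Detection logic for the exchange described above, added here as an example and not taken from the advisory or the NTP project: it flags host pairs where MODE_PRIVATE (mode 7) error responses flow in both directions. The packet tuples, addresses and threshold are constructed for illustration, and treating bidirectional error responses as the loop signature is an assumption.

```python
from collections import Counter

MODE_PRIVATE = 7   # NTP mode 7 (private requests, as used by ntpdc)
RESP_BIT = 0x80    # response flag in the first header byte

def parse_mode7(payload: bytes):
    """Return (is_response, err_code) for a mode 7 packet, or None otherwise."""
    # The mode 7 header is 8 bytes; the mode is the low 3 bits of byte 0.
    if len(payload) < 8 or payload[0] & 0x07 != MODE_PRIVATE:
        return None
    # The error code is the top 4 bits of the 16-bit err/nitems field.
    err = (int.from_bytes(payload[4:6], "big") >> 12) & 0x0F
    return bool(payload[0] & RESP_BIT), err

def find_error_loops(packets, threshold=3):
    """packets: iterable of (src, dst, udp_payload) tuples.
    Returns host pairs with >= threshold mode 7 error responses each way."""
    counts = Counter()
    for src, dst, payload in packets:
        parsed = parse_mode7(payload)
        if parsed and parsed[0] and parsed[1] != 0:
            counts[(src, dst)] += 1
    loops = set()
    for (src, dst), n in counts.items():
        if n >= threshold and counts.get((dst, src), 0) >= threshold:
            loops.add(frozenset((src, dst)))
    return loops

# Constructed sample payloads (not captured traffic).
ERR_RESP = bytes.fromhex("9700030030000000")  # mode 7, response bit set, error code 3
REQUEST = bytes.fromhex("1700030000000000")   # mode 7 request, no error
CLIENT = bytes([0x23]) + bytes(47)            # ordinary mode 3 client packet

SAMPLE = (
    # Two daemons answering each other's error responses: the loop.
    [("192.0.2.10", "192.0.2.20", ERR_RESP), ("192.0.2.20", "192.0.2.10", ERR_RESP)] * 4
    # A client whose requests are rejected: errors flow one way only.
    + [("192.0.2.30", "192.0.2.20", REQUEST), ("192.0.2.20", "192.0.2.30", ERR_RESP)] * 4
    + [("192.0.2.40", "192.0.2.20", CLIENT)]
)

if __name__ == "__main__":
    for pair in find_error_loops(SAMPLE):
        print("possible MODE_PRIVATE error loop between", sorted(pair))
```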

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score: 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Impact Subscore: 4.9
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification; Allows disruption of service

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3563

National Cyber-Alert System: NTP Alert (2009-1252)

CERT alert for NTP versions before 4.2.4p7, and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled. This directly affects PCI DSS compliance practices that use NTP with OpenSSL and autokey to identify end nodes in NTP service topologies.

CERT 2009-1252