PCI DSS 6.1 Alert for 10.4 compliance … NTP Security Hole Patched

Folks, this is a PCI DSS Section 6.1 compliance announcement for PCI DSS 10.4 operations. It reports that a serious bug in NTP has been disclosed and fixed by the NTP.ORG team. If you are a QSA who signed off on the use of NTP from NTP.ORG in your clients' operations, you may want to look at your clients' PCI DSS 10.4 time services to determine whether they run a version of NTP that still has these newly fixed bugs. This announcement also directly affects self-certifying merchants.

The Bugs

For your information, last week a formal patch for the NTP 4.2.4p7 release was issued by NTP.ORG which fixes a very serious security flaw in NTP, one which allows an external party, through NTP mode 7, to 'essentially take your clock offline'. A single mode 7 error-response packet, with its source address spoofed to be the target's own address or that of another ntpd, makes the daemon answer with an error response; that answer is itself a mode 7 error response, so it is answered in turn, and the two hosts (or the one host talking to itself) keep exchanging error responses for as long as the packets get through. No authentication is involved, and the attacker only needs to send one packet to start each loop.

Which releases are affected

The new versions of NTP which fix this are 4.2.4p8 and 4.2.7p0. If you are running 4.2.4p7 or older you need to upgrade as soon as possible, and implement the proper restrict (and, where your release supports it, interface) control words in the NTP configuration file to prevent unauthorized mode 7 (ntpdc) and mode 6 (ntpq) queries from untrusted addresses. Note that the flaw is in mode 7 handling, not in Autokey, so Autokey settings are not the control here. See the NTP.ORG bug report at NTP.ORG's Security Alert, or its extract here:

Focus: Security Fixes
Severity: HIGH
This release fixes the following high-severity vulnerability:
See http://support.ntp.org/security for more information.
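As an added example (it is not from the NTP.ORG advisory or from this post), here is the shape of a restrict block that keeps serving time while refusing ntpq/ntpdc queries by default, with one management host allowed to query; the address 192.0.2.10 is a documentation address standing in for your real monitoring host:

```conf
# Default for every address: serve time, but silently drop mode 6 and
# mode 7 queries (noquery), refuse runtime configuration changes
# (nomodify), trap requests (notrap) and unconfigured peers (nopeer).
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The local host keeps full access so ntpq -p / ntpdc work on the box.
restrict 127.0.0.1
restrict -6 ::1

# One monitoring host (placeholder address) may query but not modify.
restrict 192.0.2.10 nomodify notrap
```

noquery is the flag that matters for this bug: a mode 7 packet from a noquery address is dropped without an error response, so a spoofed-source packet from such an address cannot start the loop. restrict … ignore goes further and drops time packets as well, so reserve it for hosts that should get nothing. The restrict block reduces exposure but is not a substitute for the upgrade: a packet spoofed from an address you do allow to query (the monitoring host above) still gets an error response until the daemon runs 4.2.4p8 or later, so check the running version with ntpd --version (or the version= field of ntpq -c rv) as well as the configuration.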

[Sec 1331] DoS with mode 7 packets — CVE-2009-3563

  • NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address which is not listed in a restrict … noquery or restrict … ignore statement, ntpd will reply with a mode 7 error response (and log a message). In this case:
    • If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.
    • If an attacker spoofs an address of ntpd host A in a mode 7 response packet sent to ntpd host A, A will respond to itself endlessly, consuming CPU and logging excessively.
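To make the loop described in the advisory concrete, the following added example (written for this page; it is not NTP.ORG code) encodes the 8-byte mode 7 header that ntpdc and ntpd exchange, models the pre-fix and post-fix sanity checks as two small handler functions, and runs a spoofed error-response packet through each to show why one version loops and the other stays silent. The field layout (R/M/version/mode byte, auth/sequence byte, implementation, request code, err/nitems, mbz/itemsize) follows the mode 7 protocol; the two handlers are a deliberate simplification of ntpd's behaviour, and the constants IMPL_XNTPD = 3 and REQ_PEER_LIST = 0, the probe function and the 50-round limit are assumptions of this example that you should check against your own ntp source tree before relying on them.

```python
"""Model of the CVE-2009-3563 mode 7 error-response loop, plus a mode 7
reachability probe.  Added example: the header layout is the NTP mode 7
(MODE_PRIVATE) format, but the handlers are a simplified model of ntpd."""
import socket
import struct

MODE_PRIVATE = 7       # NTP mode 7, the ntpdc query/control protocol
IMPL_XNTPD = 3         # implementation number ntpdc sends (assumed constant)
REQ_PEER_LIST = 0      # "listpeers" request code (assumed constant)
INFO_ERR_IMPL = 1      # error codes carried in the 4-bit err field
INFO_ERR_FMT = 3
# rm_vn_mode, auth_seq, implementation, request, err|nitems, mbz|itemsize
HDR = struct.Struct("!BBBBHH")


def build_mode7(impl, req, response=False, err=0, version=2):
    """Encode an 8-byte mode 7 header: R(1)|M(1)|VN(3)|mode(3), A(1)|seq(7),
    impl, req, err(4)|nitems(12), mbz(4)|itemsize(12).  No data items."""
    rm_vn_mode = (int(response) << 7) | (version << 3) | MODE_PRIVATE
    return HDR.pack(rm_vn_mode, 0, impl, req, err << 12, 0)


def parse_mode7(pkt):
    """Decode the header fields of a mode 7 packet into a dict."""
    if len(pkt) < HDR.size:
        raise ValueError("short mode 7 packet")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = HDR.unpack_from(pkt)
    return {
        "response": bool(rm_vn_mode & 0x80), "more": bool(rm_vn_mode & 0x40),
        "version": (rm_vn_mode >> 3) & 0x7, "mode": rm_vn_mode & 0x7,
        "auth": bool(auth_seq & 0x80), "seq": auth_seq & 0x7F,
        "impl": impl, "req": req,
        "err": err_nitems >> 12, "nitems": err_nitems & 0xFFF,
        "mbz": mbz_itemsize >> 12, "itemsize": mbz_itemsize & 0xFFF,
    }


def _malformed(h):
    """Checks a mode 7 *request* must pass; a response fails them by design."""
    return (h["response"] or h["more"] or h["seq"] != 0
            or h["err"] != 0 or h["mbz"] != 0)


def handle_pre_fix(pkt):
    """Pre-4.2.4p8 (model): a malformed packet, including one that is itself
    a response, is answered with an INFO_ERR_FMT error response."""
    h = parse_mode7(pkt)
    if h["mode"] != MODE_PRIVATE:
        return None                      # other modes are handled elsewhere
    if _malformed(h):
        return build_mode7(h["impl"], h["req"], response=True, err=INFO_ERR_FMT)
    if h["impl"] != IMPL_XNTPD:
        return build_mode7(h["impl"], h["req"], response=True, err=INFO_ERR_IMPL)
    return None   # well-formed request: normal processing, not modelled


def handle_post_fix(pkt):
    """4.2.4p8 (model): malformed packets are logged and dropped, so an
    error response never provokes another error response."""
    h = parse_mode7(pkt)
    if h["mode"] != MODE_PRIVATE or _malformed(h):
        return None
    if h["impl"] != IMPL_XNTPD:
        return build_mode7(h["impl"], h["req"], response=True, err=INFO_ERR_IMPL)
    return None


def simulate_loop(handler, first_pkt, max_rounds=50):
    """Bounce packets between two hosts running `handler` after an attacker
    injects first_pkt with a spoofed source.  Returns the number of error
    responses sent before a side goes silent; max_rounds means a loop."""
    pkt, sent = first_pkt, 0
    while sent < max_rounds:
        pkt = handler(pkt)               # B answers A, A answers B, ...
        if pkt is None:
            break
        sent += 1
    return sent


def probe_mode7(host, port=123, timeout=2.0):
    """Send one well-formed mode 7 request.  Any reply means mode 7 is
    reachable from here (no restrict ... noquery for this address); None
    means dropped or filtered.  This does not reveal the patch level."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_mode7(IMPL_XNTPD, REQ_PEER_LIST), (host, port))
        data, _ = s.recvfrom(1024)
    except socket.timeout:
        return None
    finally:
        s.close()
    return parse_mode7(data)


if __name__ == "__main__":
    # Constructed attacker packet: an error response "from" the victim.
    spoofed = build_mode7(IMPL_XNTPD, REQ_PEER_LIST, response=True, err=INFO_ERR_FMT)
    print("pre-fix  error responses:", simulate_loop(handle_pre_fix, spoofed))
    print("post-fix error responses:", simulate_loop(handle_post_fix, spoofed))
```

Run stand-alone, the pre-fix model hits the 50-round limit (an unbounded loop) while the post-fix model sends nothing; the same single handler covers both advisory cases, since host A answering its own spoofed packet is just the loop with one participant. probe_mode7() is an audit aid for the restrict posture only: a reply from a production server tells you mode 7 is open from your vantage point, not whether it runs 4.2.4p8, so pair it with ntpd --version on the host, and never send response-bit or spoofed packets at hosts you do not own.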