CVE-2009-3563
Published 2009-12-09
Priority P341 · medium · 6.4 (CVSS 2.0) · AV:N/AC:L/Au:N/C:N/I:P/A:P
EXPLOIT
EPSS: 32.29% (98.1th percentile)
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
Affected
39 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | chrony | < chrony 1.23-7 (bookworm) | chrony 1.23-7 (bookworm) |
| debian | ntp | < ntp 1:4.2.4p8+dfsg-1 (bullseye) | ntp 1:4.2.4p8+dfsg-1 (bullseye) |
| ntp | ntp | <= 4.2.2p4 | — |
| ntp | ntp | — | — |
| ntp | ntp | >= 0 < 1:4.2.4p8+dfsg-1 | 1:4.2.4p8+dfsg-1 |
| tuxfamily | chrony | <= 1.23-pre1 | — |
Detection & IOCs
- Detect a rapid, continuous exchange of NTP MODE_PRIVATE (mode 7) packets between two hosts, especially where the source IP appears spoofed, as this is the hallmark traffic pattern of the CVE-2009-3563 loop attack.
- Alert on a single NTP mode 7 packet sent to an ntpd server from a spoofed source IP matching another known ntpd server, as this single packet is sufficient to trigger the infinite loop DoS.
- Monitor for excessive CPU consumption and disk space usage (log file growth) on NTP hosts, which are secondary indicators of an active loop attack.
- Also watch for a self-loop variant: a single NTP host receiving a spoofed packet with its own IP as source, causing it to send packets to itself.
- Flag NTP deployments running versions prior to 4.2.4p8 or exactly 4.2.5 as vulnerable; also flag Chrony before 1.23.1 and 1.24-pre1 for the related loop issue.
- Functional exploit code is publicly available for this vulnerability, raising the operational risk for unpatched NTP deployments.
- Once the DoS loop is triggered between two external hosts, the attacker cannot halt it; defenders must patch or block NTP mode 7 traffic at the network perimeter.
- The Chrony daemon is also affected by a related loop condition (CVE-2010-0292) via its cmdmon interface, so Chrony deployments before 1.23.1 should also be treated as in-scope.
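The first and fourth detection points above can be checked over flow or packet records with a sliding-window count of mode 7 packets per host pair. The following is an added example, not code from this page or from any of the cited advisories; the record layout, the `window` and `threshold` values, and the sample capture are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MODE_PRIVATE = 7  # NTP mode 7 (MODE_PRIVATE), the mode named in CVE-2009-3563

def ntp_mode(payload: bytes) -> int:
    """The mode is the low three bits of the first octet of an NTP packet."""
    return payload[0] & 0x07 if payload else -1

def find_mode7_loops(packets, window=1.0, threshold=20):
    """Flag host pairs exchanging >= threshold mode 7 packets within `window`
    seconds in both directions, or a host sending them to itself.
    packets: time-ordered (timestamp, src_ip, dst_ip, udp_payload) tuples.
    window and threshold are assumed tuning values, not from an advisory."""
    recent = defaultdict(deque)  # host pair -> (timestamp, src) inside the window
    peak = {}                    # host pair -> highest flagged in-window count
    for ts, src, dst, payload in packets:
        if ntp_mode(payload) != MODE_PRIVATE:
            continue
        pair = frozenset((src, dst))
        q = recent[pair]
        q.append((ts, src))
        while ts - q[0][0] > window:
            q.popleft()
        both_ways = len(pair) == 1 or len({s for _, s in q}) == 2
        if both_ways and len(q) >= threshold:
            peak[pair] = max(peak.get(pair, 0), len(q))
    return [{"hosts": sorted(pair),
             "kind": "self-loop" if len(pair) == 1 else "pair-loop",
             "peak_packets_in_window": n}
            for pair, n in sorted(peak.items(), key=lambda kv: sorted(kv[0]))]

def sample_capture():
    """Constructed records (documentation addresses, first octets built by hand)."""
    mode7 = bytes([0x80 | (2 << 3) | 7, 0, 3, 0x2A])  # response bit, version 2, mode 7
    mode3 = bytes([(4 << 3) | 3]) + bytes(47)          # ordinary NTPv4 client query
    pkts = []
    for i in range(200):   # two daemons bouncing mode 7 packets 1 ms apart
        a, b = ("192.0.2.10", "192.0.2.20") if i % 2 == 0 else ("192.0.2.20", "192.0.2.10")
        pkts.append((10 + i * 0.001, a, b, mode7))
    for i in range(50):    # one daemon answering itself
        pkts.append((20 + i * 0.001, "198.51.100.5", "198.51.100.5", mode7))
    for i in range(5):     # occasional mode 7 query and reply: below threshold
        pkts.append((30 + i * 0.5, "192.0.2.99", "192.0.2.10", mode7))
        pkts.append((30.01 + i * 0.5, "192.0.2.10", "192.0.2.99", mode7))
    for i in range(300):   # busy but ordinary time sync: not mode 7, ignored
        pkts.append((40 + i * 0.001, "192.0.2.50", "192.0.2.10", mode3))
    return sorted(pkts, key=lambda p: p[0])

if __name__ == "__main__":
    for finding in find_mode7_loops(sample_capture()):
        print(finding)
```

Requiring traffic in both directions keeps a one-way burst of management queries from being reported as a loop; the self-loop case is recognised by source and destination being the same address.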
CVSS provenance
nvd · v2.0 · 6.4 · MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:P
osv · 6.4 · MEDIUM
vendor_cisco · 6.4 · MEDIUM
vendor_debian · 6.4 · MEDIUM
vendor_redhat · 6.4 · MEDIUM
Red Hat
udp: Implementations of UDP protocol are vulnerable to network loops
vendor_redhat·2024-03-20·CVSS 6.4
CVE-2024-2169 [MEDIUM] udp: Implementations of UDP protocol are vulnerable to network loops
Implementations of UDP application protocol are vulnerable to network loops. An unauthenticated attacker can use maliciously-crafted packets against a vulnerable implementation that can lead to Denial of Service (DOS) and/or abuse of resources.
A vulnerability was found in certain UDP protocol implementations. This issue may allow an unauthenticated attacker to send maliciously crafted packages leading to a denial of service on the targeted system. An attacker needs to perform the attack on a vulnerable server in order to meet the conditions to create the necessary traffic-loop for a successful attack.
Statement: Red Hat is aware of the existence of CVE-2024-2169 and has investigated the impact in several packages dist
BSD
FreeBSD-SA-10:02.ntpd: ntpd mode 7 denial of service
bsd_advisories·2010-01-06·CVSS 6.4
CVE-2009-3563 [MEDIUM] FreeBSD-SA-10:02.ntpd: ntpd mode 7 denial of service
FreeBSD-SA-10:02.ntpd Security Advisory
The FreeBSD Project
Topic: ntpd mode 7 denial of service
Category: contrib
Module: ntpd
Announced: 2010-01-06
Affects: All supported versions of FreeBSD.
Corrected: 2010-01-06 21:45:30 UTC (RELENG_8, 8.0-STABLE)
2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name: CVE-2009-3563
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please
Debian
CVE-2010-0292: chrony - The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1...
vendor_debian·2010·CVSS 6.4
CVE-2010-0292 [MEDIUM] CVE-2010-0292: chrony - The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1...
The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1, and 1.24-pre1, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a spoofed cmdmon packet that triggers a continuous exchange of NOHOSTACCESS messages between two daemons, a related issue to CVE-2009-3563.
Scope: local
bookworm: resolved (fixed in 1.23-7)
bullseye: resolved (fixed in 1.23-7)
forky: resolved (fixed in 1.23-7)
sid: resolved (fixed in 1.23-7)
trixie: resolved (fixed in 1.23-7)
Cisco
Network Time Protocol Package Remote Message Loop Denial of Service Vulnerability
vendor_cisco·2009-12-09·CVSS 6.4
CVE-2009-3563 [MEDIUM] CWE-399 Network Time Protocol Package Remote Message Loop Denial of Service Vulnerability
The Network Time Protocol (NTP) package contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to an error in handling certain malformed messages. An unauthenticated, remote attacker could send a malicious NTP packet with a spoofed source IP address to a vulnerable host. Once the host processes the packet, it could send a similar packet to another NTP host. This action could start a message loop between both hosts that could cause them to consume excessive CPU resources and disk space writing messages to log files. These two conditions could cause a DoS condition on the affected hosts.
Functional exploit code is a
Red Hat
ntpd: DoS with mode 7 packets (VU#568372)
vendor_redhat·2009-12-08·CVSS 6.4
CVE-2009-3563 [MEDIUM] ntpd: DoS with mode 7 packets (VU#568372)
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
Ubuntu
Ntp vulnerability
vendor_ubuntu·2009-12-08
CVE-2009-3563 Ntp vulnerability
Title: Ntp vulnerability
Summary: Ntp vulnerability
Robin Park and Dmitri Vinokurov discovered a logic error in ntpd. A remote
attacker could send a crafted NTP mode 7 packet with a spoofed IP address
of an affected server and cause a denial of service via CPU and disk
resource consumption.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Debian
CVE-2009-3563: ntp - ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers ...
vendor_debian·2009·CVSS 6.4
CVE-2009-3563 [MEDIUM] CVE-2009-3563: ntp - ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers ...
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
Scope: local
bullseye: resolved (fixed in 1:4.2.4p8+dfsg-1)
GHSA
GHSA-gm22-x89c-4h54: ntp_request
ghsa_unreviewed·2022-05-03
CVE-2009-3563 [MEDIUM] GHSA-gm22-x89c-4h54: ntp_request
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
GHSA
GHSA-2w7g-w6qh-q8wj: The read_from_cmd_socket function in cmdmon
ghsa_unreviewed·2022-05-02·CVSS 6.4
CVE-2010-0292 [MEDIUM] GHSA-2w7g-w6qh-q8wj: The read_from_cmd_socket function in cmdmon
The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1, and 1.24-pre1, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a spoofed cmdmon packet that triggers a continuous exchange of NOHOSTACCESS messages between two daemons, a related issue to CVE-2009-3563.
OSV
CVE-2010-0292: The read_from_cmd_socket function in cmdmon
osv·2010-02-08·CVSS 6.4
CVE-2010-0292 [MEDIUM] CVE-2010-0292: The read_from_cmd_socket function in cmdmon
The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1, and 1.24-pre1, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a spoofed cmdmon packet that triggers a continuous exchange of NOHOSTACCESS messages between two daemons, a related issue to CVE-2009-3563.
OSV
CVE-2009-3563: ntp_request
osv·2009-12-09·CVSS 6.4
CVE-2009-3563 [MEDIUM] CVE-2009-3563: ntp_request
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
No detection rules found.
Bugzilla
CVE-2010-0292 chrony susceptible to DoS attacks (CVE-2010-0293 CVE-2010-0294)
bugzilla·2010-01-14·CVSS 6.4
CVE-2010-0292 [MEDIUM] CVE-2010-0292 chrony susceptible to DoS attacks (CVE-2010-0293 CVE-2010-0294)
Description of problem:
This is similar to NTP security flaw CVE-2009-3563.
chronyd replies to all cmdmon packets from unauthorized hosts with NOHOSTACCESS message.
This can be used to create a loop between two chrony daemons which don't allow cmdmon access from each other by sending a packet with spoofed source address and port. This will cause high CPU, network and syslog usage.
This applies to all chrony versions including 1.24-pre1.
Discussion:
Created attachment 383695
chrony-1.23-0001-Don-t-reply-to-invalid-chronyc-packets.patch
---
Created attachment 383696
chrony-1.23-0002-Limit-rate-of-syslog-messages.patch
---
Created attachment 383697
chrony-1.24pre1-0001-Don-t-reply-to-invalid-chronyc-packets
Bugzilla
CVE-2009-3563 ntpd: DoS with mode 7 packets (VU#568372)
bugzilla·2009-10-27·CVSS 6.4
CVE-2009-3563 [MEDIUM] CVE-2009-3563 ntpd: DoS with mode 7 packets (VU#568372)
Robin Park and Dmitri Vinokurov of Alcatel-Lucent discovered a flaw in the way ntpd handles certain mode 7 packets. A remote attacker able to send a specially-crafted mode 7 NTP packet with a spoofed source IP address could cause ntpd running on one host, or two ntpds running on two hosts, to send error packets in a loop, resulting in excessive use of CPU and disk space (via logging).
Issue is tracked by US-CERT as VU#568372.
Discussion:
Created attachment 366233
Upstream patch to be included in 4.2.4p8
---
Impact and mitigations:
- mode 7 NTP packets are processed by ntpd when they have source IP which is
allowed to query
- when malformed mode 7 packet is received, ntpd sends back a reply packet
(using mode 7 again), this reply pack
Published: 2009-12-09