CVE-2009-3563
published 2009-12-09


Priority: P3 (41), medium
CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Exploit: available
EPSS: 32.29% (98.1th percentile)
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.

Affected

39 ranges · showing 25

Vendor      Product   Version range                        Fixed in
debian      chrony    < chrony 1.23-7 (bookworm)           chrony 1.23-7 (bookworm)
debian      ntp       < ntp 1:4.2.4p8+dfsg-1 (bullseye)    ntp 1:4.2.4p8+dfsg-1 (bullseye)
ntp         ntp       <= 4.2.2p4
ntp         ntp       >= 0, < 1:4.2.4p8+dfsg-1             1:4.2.4p8+dfsg-1
tuxfamily   chrony    <= 1.23-pre1

Detection & IOCs (extracted from sources)

Port: UDP/123 (NTP MODE_PRIVATE / mode 7)
Command: MODE_PRIVATE (NTP mode 7) spoofed request/response packet
  • Detect a rapid, continuous exchange of NTP MODE_PRIVATE (mode 7) packets between two hosts — especially where the source IP appears spoofed — as this is the hallmark traffic pattern of the CVE-2009-3563 loop attack.
  • Alert on a single NTP mode 7 packet sent to an ntpd server from a spoofed source IP matching another known ntpd server, as this single packet is sufficient to trigger the infinite loop DoS.
  • Monitor for excessive CPU consumption and disk space usage (log file growth) on NTP hosts, which are secondary indicators of an active loop attack.
  • Also watch for a self-loop variant: a single NTP host receiving a spoofed packet with its own IP as source, causing it to send packets to itself.
  • Flag NTP deployments running versions prior to 4.2.4p8 or exactly 4.2.5 as vulnerable; also flag Chrony before 1.23.1 and 1.24-pre1 for the related loop issue.
  • Functional exploit code is publicly available for this vulnerability, raising the operational risk for unpatched NTP deployments.
  • Once the DoS loop is triggered between two external hosts, the attacker cannot halt it; defenders must patch or block NTP mode 7 traffic at the network perimeter.
  • The Chrony daemon is also affected by a related loop condition (CVE-2010-0292) via its cmdmon interface, so Chrony deployments before 1.23.1 should also be treated as in-scope.
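The first and fourth detection bullets above, as an added example (not taken from this page's sources): it scans constructed per-packet summaries (timestamp, source, destination, NTP mode; the line format is an assumption, adapt parse() to your sensor) and flags host pairs, including a host answering itself, that trade mode 7 packets at loop rate within a short window.

```python
from collections import defaultdict

# Constructed sample: one line per NTP packet as "<epoch> <src> <dst> <mode>".
# The line format is an assumption; adapt parse() to your sensor's output.
SAMPLE_LOG = """\
1260316800.000 192.0.2.10 198.51.100.20 7
1260316800.001 198.51.100.20 192.0.2.10 7
1260316800.002 192.0.2.10 198.51.100.20 7
1260316800.003 198.51.100.20 192.0.2.10 7
1260316800.004 192.0.2.10 198.51.100.20 7
1260316800.005 198.51.100.20 192.0.2.10 7
1260316801.000 203.0.113.5 203.0.113.5 7
1260316801.001 203.0.113.5 203.0.113.5 7
1260316801.002 203.0.113.5 203.0.113.5 7
1260316801.003 203.0.113.5 203.0.113.5 7
1260316801.004 203.0.113.5 203.0.113.5 7
1260316801.005 203.0.113.5 203.0.113.5 7
1260316802.000 192.0.2.10 198.51.100.21 3
1260316802.100 198.51.100.21 192.0.2.10 4
"""

def parse(log):
    """Yield (timestamp, src, dst, mode) tuples, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, mode = line.split()
            yield float(ts), src, dst, int(mode)

def find_mode7_loops(log, window=1.0, threshold=5):
    """Return {hosts: peak_count} for host pairs that exchange at least
    `threshold` mode 7 packets within any `window` seconds.  Direction is
    ignored (the loop is a ping-pong); a host whose src equals dst comes
    back as a one-element tuple, which is the self-loop variant."""
    stamps = defaultdict(list)
    for ts, src, dst, mode in parse(log):
        if mode == 7:                       # MODE_PRIVATE only
            stamps[frozenset((src, dst))].append(ts)
    alerts = {}
    for hosts, times in stamps.items():
        times.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(times):      # sliding window over timestamps
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts[tuple(sorted(hosts))] = peak
    return alerts
```

Ordinary client/server traffic (modes 3 and 4) never enters the count, so a busy but healthy NTP server does not trip the rule; tune `window` and `threshold` to your packet rate.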

CVSS provenance

nvd: v2.0 6.4 MEDIUM AV:N/AC:L/Au:N/C:N/I:P/A:P
osv: 6.4 MEDIUM
vendor_cisco: 6.4 MEDIUM
vendor_debian: 6.4 MEDIUM
vendor_redhat: 6.4 MEDIUM