Versions Affected : All verisons prior to FreeNAS 11.3-U2

Description

Three NTP vulnerabilities are addressed by this security advisory. NTP Bug 3610, 3596, and 3592.

NTP Bug 3610: Process_control() should exit earlier on short packets. On systems that override the default and enable ntpdc (mode 7), fuzz testing detected a short packet will cause ntpd to read uninitialized data. NTP Bug 3596: Due to highly predictable transmit timestamps, an unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim ntpd configured to receive time from an unauthenticated time source is vulnerable to an off-path attacker with permission to query the victim. The attacker must send from a spoofed IPv4 address of an upstream NTP server and the victim must process a large number of packets with that spoofed IPv4 address. After eight or more successful attacks in a row, the attacker can either modify the victim’s clock by a small amount or cause ntpd to terminate. The attack is especially effective when unusually short poll intervals have been configured. NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such that an ntpd can be prevented from initiating a time volley to its peer resulting in a DoS.

Workaround

Systems not using ntpd(8) are not vulnerable.

Systems running ntpd should make the following changes: Disable mode 7 Use many trustworthy sources of time Use NTP packet authentication Monitor ntpd for error messages indicating attack If only unauthenticated time over IPv4 is available, use the restrict configuration directive

Mitigation

Upgrade to FreeNAS 11.3-U2 or later.
If upgrade is not possible, systems running ntpd should make the following changes:

Disable mode 7 Use many trustworthy sources of time Use NTP packet authentication Monitor ntpd for error messages indicating attack If only unauthenticated time over IPv4 is available, use the restrict configuration directive

Commit

Further information

FreeBSD Errata Entry