NTP MODE_PRIVATE Packet Remote Denial-of-Service Vulnerability

Source: 岁月联盟  Editor: zhuzhu  Date: 2009-12-13

Affected versions:
University of Delaware NTP 4.2.x

Vulnerability description:
BUGTRAQ  ID: 37255
CVE ID: CVE-2009-3563

NTP (Network Time Protocol) is a protocol for synchronizing computer clocks over a network.

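The ntpdc query and control utility uses NTP mode 7 (MODE_PRIVATE), ntpq uses NTP mode 6 (MODE_CONTROL), and routine NTP time transfer uses modes 1 through 5. When ntpd receives an invalid mode 7 request or a mode 7 error response from an address that is not covered by a restrict ... noquery or restrict ... ignore entry, it replies with a mode 7 error response and logs a message. If an attacker can spoof the source address of ntpd host A in a mode 7 response packet sent to host B, hosts A and B will keep sending error responses to each other for as long as the packets get through. If an attacker can spoof the address of ntpd host A in a mode 7 response packet sent to ntpd host A, host A will respond to itself endlessly, exhausting CPU resources and generating excessive logs.

<*References: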
http://www.kb.cert.org/vuls/id/568372
https://support.ntp.org/bugs/long_list.cgi?buglist=1331
http://secunia.com/advisories/37629/
http://www.debian.org/security/2009/dsa-1948
https://www.redhat.com/support/errata/RHSA-2009-1651.html
https://www.redhat.com/support/errata/RHSA-2009-1648.html
*>
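Security recommendations:
Workarounds:

* Use the restrict ... noquery or restrict ... ignore options in the ntp.conf configuration file to limit the source addresses.
* Filter NTP mode 7 packets that specify both source and destination port 123.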
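
The second workaround expressed as detection logic, as an added example (not part of the original advisory or of ntpd): it decodes the mode bits of byte 0 and flags mode 7 datagrams whose source and destination ports are both 123. The Datagram record, the sample packets and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple, Optional

NTP_PORT = 123
MODE_PRIVATE = 7   # mode 7 (ntpdc); modes 1-5 carry time, mode 6 is ntpq
RESP_BIT = 0x80    # top bit of byte 0 marks a mode 7 response

class Datagram(NamedTuple):   # hypothetical record produced by a capture pipeline
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def classify(d: Datagram) -> Optional[str]:
    """Return a finding for mode 7 traffic between two port-123 endpoints."""
    if not d.payload or d.payload[0] & 0x07 != MODE_PRIVATE:
        return None                       # empty payload, or mode 1-6
    if d.sport != NTP_PORT or d.dport != NTP_PORT:
        return None                       # ntpdc itself queries from an ephemeral port
    kind = "response" if d.payload[0] & RESP_BIT else "request"
    if ipaddress.ip_address(d.src) == ipaddress.ip_address(d.dst):
        return f"self-addressed mode 7 {kind}"
    return f"port-123-to-port-123 mode 7 {kind}"

def scan(datagrams):
    """Count findings per host pair; a sustained loop shows up as a growing count."""
    hits = Counter()
    for d in datagrams:
        finding = classify(d)
        if finding:
            hits[(tuple(sorted((d.src, d.dst))), finding)] += 1
    return hits

# Constructed sample traffic (documentation addresses, minimal headers).
TIME_REQ = bytes([0x23]) + bytes(47)          # VN 4, mode 3 client request
M7_REQ = bytes.fromhex("1700030000000000")    # VN 2, mode 7 request
M7_RESP = bytes.fromhex("9700030000000000")   # same header with the response bit set
SAMPLE = [
    Datagram("192.0.2.10", 40000, "192.0.2.1", 123, TIME_REQ),
    Datagram("192.0.2.10", 51000, "192.0.2.1", 123, M7_REQ),
    Datagram("192.0.2.1", 123, "192.0.2.2", 123, M7_RESP),
    Datagram("192.0.2.2", 123, "192.0.2.1", 123, M7_RESP),
    Datagram("192.0.2.1", 123, "192.0.2.1", 123, M7_RESP),
]

if __name__ == "__main__":
    for (pair, finding), count in scan(SAMPLE).items():
        print(pair, finding, count)
```

Ordinary time requests and ntpdc queries from an ephemeral port pass unflagged, so the same predicate can back a drop rule at the network edge without breaking time synchronization.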

Vendor patches:

Debian
------
Debian has released a security advisory (DSA-1948-1) and corresponding patches for this issue:
DSA-1948-1: New ntp packages fix denial of service
Link: http://www.debian.org/security/2009/dsa-1948

Patch downloads:

Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

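Patch installation:

1. Install the patch package manually:

  First, download the patch package with the following command:
  # wget url  (url is the patch download link)

  Then install the patch with the following command:
  # dpkg -i file.deb (file is the name of the corresponding patch package)

2. Install the patch package automatically with apt-get:

   First, update the internal database with the following command:
   # apt-get update

   Then install the updated packages with the following command:
   # apt-get upgrade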

RedHat
------
RedHat has released a security advisory (RHSA-2009:1648-01) and corresponding patches for this issue:
RHSA-2009:1648-01: Moderate: ntp security update
Link: https://www.redhat.com/support/errata/RHSA-2009-1648.html

University of Delaware
----------------------
The vendor has released an updated version that fixes this security issue. Download it from the vendor's home page:

http://www.ntp.org/downloads.html