Note: This is an archival copy of Security Sun Alert 275590 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021781.1.
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
A security vulnerability in the NTP daemon (xntpd(1M)) associated with the handling of NTP mode 7 (MODE_PRIVATE) packets may lead to consumption of CPU and excessive logging, resulting in a denial of the Solaris Network Time Protocol (NTP) service.
CVE-2009-3563 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
US-CERT Vulnerability Note VU#568372 at http://www.kb.cert.org/vuls/id/568372
2. Contributing Factors
This issue can occur in the following releases:
Note: Only systems running as an NTP server are impacted by this issue. To determine if a system is acting as an NTP server,
$ netstat -an | grep 123
If the output of the command contains the above two lines, then the system is running as an NTP server.
Note: OpenSolaris distributions may include additional bug fixes above and beyond the build from which they were derived. The base build can be derived as follows:
$ uname -v
Note: Solaris 8 entered EOSL Phase 2 on 1 April 2009. Entitlement to patches developed on or after 1 April 2009 requires the purchase of the Solaris 8 Vintage Patch Service. See Note in section 5 for more details.
If this issue occurs, then the ntpd(1M) or xntpd(1M) process will use an abnormal amount of system cycles. Also, an excessive number of MODE 7 NTP packets will be seen on the network.
To avoid being vulnerable to this issue until patches can be installed, add the following line to the '/etc/inet/ntp.conf' file if you are using xntpd(1M):
restrict default noquery
And then restart the xntpd process. If you are using ntpd rather than xntpd, please add the following two lines:
restrict default noquery
And then restart the ntpd process.
For OpenSolaris and Solaris 10 prior to Update 8, do the following:
The above command will show one NTP service enabled. Use the FMRI from the enabled service to restart. This will be either
$ svcadm restart svc:/network/ntp:default
This workaround will prevent the NTP server from responding to any mode 6 or mode 7 packets. These are the types of packets used by the ntpq(1M), ntpq4(1M), ntptrace4(1M), xntpdc(1M) and ntpdc(1M) programs, so these programs will no longer be able to contact the NTP server.
You can allow these programs to work from individual systems by adding a restrict line to the ntp.conf file that allows that system again. Using its IP address, add a line similar to this:
Then restart the NTP service as described above.
Be aware that if the system you are allowing is itself an NTP server, you will disable the workaround and again be vulnerable.
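The following script is an added example, not part of the Sun Alert: it audits an ntp.conf for the workaround described above, reporting a missing "restrict default noquery" line and listing every restrict line that lets a specific host send mode 6 or mode 7 queries again. The function names, exit codes and sample configuration are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: audit ntp.conf for the "restrict default noquery" workaround.
# Exit status: 0 = workaround present, no exceptions; 1 = workaround missing;
#              2 = workaround present but some hosts may still send queries.
audit_ntp_conf() {
    awk '
        { sub(/#.*/, "") }                    # strip comments
        $1 != "restrict" { next }             # only restrict lines matter
        {
            addr = $2; first = 3
            # ntpd 4.2 accepts an address-family flag before the address
            if (addr == "-4" || addr == "-6") { addr = $3; first = 4 }
            noquery = 0
            for (i = first; i <= NF; i++) if ($i == "noquery") noquery = 1
            if (addr == "default") {
                if (noquery) have_default = 1
            } else if (!noquery) {
                # A host-specific line without noquery re-enables mode 6/7 for it
                printf "EXCEPTION line %d: %s may send mode 6/7 queries\n", NR, addr
                exceptions++
            }
        }
        END {
            if (!have_default) { print "MISSING: restrict default noquery"; exit 1 }
            if (exceptions) exit 2
            print "OK: default noquery, no exceptions"
        }
    ' "$1"
}

# Constructed sample configuration (192.0.2.0/24 is a documentation range).
sample_conf() {
    cat <<'EOF'
server 192.0.2.1
restrict default noquery
restrict 192.0.2.10   # workstation allowed to run ntpq against this server
EOF
}

tmp=${TMPDIR:-/tmp}/ntp.conf.sample.$$
sample_conf > "$tmp"
audit_ntp_conf "$tmp"
echo "exit status: $?"
rm -f "$tmp"
```

Each host reported as an EXCEPTION should be checked against the caveat above: it must not itself be an NTP server.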
This issue is addressed in the following releases:
The READMEs of Solaris 8 patches developed on or after 1 April 2009 are available to all customers. However, Solaris 8 entered EOSL Phase 2 on April 1, 2009, and thus entitlement for these patches, including those that fix security vulnerabilities, requires the purchase of the Solaris 8 Vintage Patch Service. More information about the Solaris 8 Vintage Patch Service is available at:
08-Feb-2010: Updated Workaround section.
16-Feb-2010: Updated Contributing Factors and Resolution sections
10-Mar-2010: Updated Contributing Factors, Workaround and Resolution sections.
17-Mar-2010: Updated Contributing Factors, Workaround and Resolution sections.
12-Apr-2010: Updated Contributing Factors, Workaround and Resolution sections.
30-Jun-2010: Updated Contributing Factors, Resolution sections for patch release, now Resolved.