Note: This is an archival copy of Security Sun Alert 275590 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021781.1.
Article ID : 1021781.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-06-30
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in the ntp Daemon (xntpd(1M)) May Lead to a Denial of the Solaris Network Time Protocol (NTP) Service

Category
Security

Release Phase
Resolved

Bug Id
SUNBUG: 6902029

Product
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris

Date of Workaround Release
13-Jan-2010

Date of Resolved Release
30-Jun-2010

1. Impact

A security vulnerability in the ntp Daemon (xntpd(1M)) associated with the handling of NTP mode 7 (MODE_PRIVATE), may lead to consumption of CPU and excessive logging, resulting in a denial of the Solaris Network Time Protocol (NTP) service.

This issue is also described in the following documents:

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 109667-08
  • Solaris 9 without patch 117143-02
  • Solaris 10 xntpd (SUNWntpu) without patch 127724-02
  • Solaris 10 ntpd (SUNWntp4u) without patch 143725-01
  • OpenSolaris based upon builds snv_01 through snv_132

x86 Platform

  • Solaris 8 without patch 109668-08
  • Solaris 9 without patch 117144-02
  • Solaris 10 xntpd (SUNWntpu) without patch 127725-02
  • Solaris 10 ntpd (SUNWntp4u) without patch 143726-01
  • OpenSolaris based upon builds snv_01 through snv_132

Note: Only systems running as an NTP server are impacted by this issue. To determine if a system is acting as an NTP server, execute the following command:

 $ netstat -an | grep 123
 *.123 Idle
 127.0.0.1.123 Idle

If the output of the command contains the above two lines, then the system is running as an NTP server.

Note: OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived.  The base build can be derived as follows:

 $ uname -v
 snv_101

Note: Solaris 8 entered EOSL Phase 2 on 1 April 2009. Entitlement to patches developed on or after 1 April 2009 requires the purchase of the Solaris 8 Vintage Patch Service. See Note in section 5 for more details.

3. Symptoms

If this issue occurs, then the ntpd(1M) or xntpd(1M) process will use an abnormal amount of system cycles. Also, an excessive number of MODE 7 NTP packets will be seen on the network.

4. Workaround

To avoid being vulnerable to this issue until patches can be installed, add the following line to the '/etc/inet/ntp.conf' file if you are using xntpd(1M):

 restrict default noquery

And then restart the xntpd process. If you are using ntpd rather than xntpd, please add the following two lines:

 restrict default noquery
 restrict :: noquery

And then restart the ntpd process.

For OpenSolaris and Solaris 10 prior to Update 8, do the following:

 $ svcadm restart svc:/network/ntp:default 

For Solaris 10 update 8 and later, do the following:

 $ svcs -a | grep ntp

The above command will show one NTP service enabled. Use the FMRI from the enabled service to restart. This will be either svc:/network/ntp:default or svc:/network/ntp4:default

 $ svcadm restart svc:/network/ntp:default
or
 $ svcadm restart svc:/network/ntp4:default

For Solaris 9 and earlier, do the following:

 $ cd /etc/init.d
 $ sh xntpd stop
 $ sh xntpd start

This workaround will prevent the NTP server from responding to any mode 6 or mode 7 packets. These are the types of packets used by the ntpq(1M), ntpq4(1M), ntptrace4(1M), xntpdc(1M) and ntpdc(1M) programs, so these programs will no longer be able to contact the NTP server.

You can allow these programs to work from individual systems by adding a restrict line to the ntp.conf file that allows that system again. Using its IP address, add a line similar to this:

 restrict <ip-addr-of-system>

Then restart the NTP service as described above.

Be aware that if the system you are allowing is itself an NTP server, you will disable the workaround and again be vulnerable.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 109667-08 or later
  • Solaris 9 with patch 117143-02  or later
  • Solaris 10 xntpd (SUNWntpu) with patch 127724-02 or later
  • Solaris 10 ntpd (SUNWntp4u) with patch 143725-01 or later
  • OpenSolaris based upon builds snv_133 or later

x86 Platform

  • Solaris 8 with patch 109668-08 or later
  • Solaris 9 with patch 117144-02 or later
  • Solaris 10 xntp (SUNWntpu) with patch 127725-02 or later
  • Solaris 10 ntpd (SUNWntp4u) with patch 143726-01 or later
  • OpenSolaris based upon builds snv_133 or later
Notes: The package SUNWntp4u was first shipped in Solaris 10 10/09.

The READMEs of Solaris 8 patches developed on or after 1 April 2009 are available to all customers. However, Solaris 8 entered EOSL Phase 2 on April 1, 2009, and thus entitlement for these patches, including those that fix security vulnerabilities, requires the purchase of the Solaris 8 Vintage Patch Service. More information about the Solaris 8 Vintage Patch Service is available at:

http://www.sun.com/service/eosl/Solaris8.html


Modification History
08-Feb-2010: Updated Workaround section.
16-Feb-2010: Updated Contributing Factors and Resolution sections
10-Mar-2010: Updated Contributing Factors, Workaround and Resolution sections.
17-Mar-2010: Updated Contributing Factors, Workaround and Resolution sections.
12-Apr-2010: Updated Contributing Factors, Workaround and Resolution sections.
30-Jun-2010: Updated Contributing Factors, Resolution sections for patch release, now Resolved.

References

SUNPATCH 143725-01
SUNPATCH 143726-01
SUNPATCH 117143-02
SUNPATCH 117144-02
SUNPATCH 127724-02
SUNPATCH 127725-02
SUNPATCH 109667-08
SUNPATCH 109668-08
SUNBUG 6902029

109667-08, 109668-08




Attachments
This solution has no attachment