IBM Support

IZ68659: NTP MODE 7 VULNERABILITY IN AIX 5.3 /AIX 6.1 APPLIES TO AIX 5300-08

A fix is available

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and
    control utility. In contrast, ntpq uses NTP mode 6
    (MODE_CONTROL), while routine NTP time transfers use
    modes 1 through 5. Upon receipt of an incorrect mode 7
    request or a mode 7 error response from an address that
    is not listed in a "restrict ... noquery" or
    "restrict ... ignore" segment, ntpd will reply with a
    mode 7 error response and log a message.
    If an attacker spoofs the source address of ntpd host
    A in a mode 7 response packet sent to ntpd host B, both
    A and B will continuously send each other error
    responses, for as long as those packets get through.
    
    If an attacker spoofs an address of ntpd host A in a
    mode 7 response packet sent to ntpd host A, then host A
    will respond to itself endlessly, consuming CPU and
    logging excessively.
    

Local fix

Problem summary

  • CPU consumption will be huge and the network will be busy.
    

Problem conclusion

  • Appropriate code changes made to address the mode 7 DoS issue.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ68659

  • Reported component name

    AIX 5.3

  • Reported component ID

    5765G0300

  • Reported release

    530

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Submitted date

    2010-01-25

  • Closed date

    2010-02-25

  • Last modified date

    2011-10-25

Fix information

  • Fixed component name

    AIX 5.3

  • Fixed component ID

    5765G0300

Applicable component levels

  • R530 PSY U832257

       UP10/05/18 I 1000

PTF to Fileset Mapping



Document information

More support for: AIX family

Software version: 530

Operating system(s): AIX

Reference #: IZ68659

Modified date: 25 October 2011