CVE-2016-7429
Description
NTP before 4.2.8p9 changes the peer structure to the interface it receives the response from a source, which allows remote attackers to cause a denial of service (prevent communication with a source) by sending a response for a source to an interface the source does not use.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NTP before 4.2.8p9 allows remote attackers to cause a denial of service by spoofing responses that force ntpd to change the interface it uses for a source.
Vulnerability
In NTP versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94, the ntpd process updates the peer structure to use the interface from which it receives a response, even if that interface differs from the one used for the original request. This behavior allows an attacker to manipulate the interface selection for a given source [4].
Exploitation
An attacker who knows the IP address of a legitimate NTP source can send a spoofed response packet with that source address to a different network interface on the target host. The attack requires that the operating system does not validate the source address of incoming packets (e.g., rp_filter set to 0 on Linux). By repeatedly sending such spoofed responses (e.g., once per second), the attacker can cause ntpd to continuously select the wrong interface for the source, preventing it from sending new requests to the legitimate source until the interface list is refreshed (which occurs on routing changes or every 5 minutes by default) [4].
Impact
Successful exploitation results in a denial of service: ntpd is unable to synchronize with the targeted NTP source. The attack does not require authentication or special privileges beyond network access to the target host's interfaces. The impact is limited to preventing time synchronization from the affected source, but if repeated, it can effectively block all communication with that source [4].
Mitigation
Upgrade to ntp-4.2.8p9 or later, or ntp-4.3.94 or later [4]. Red Hat has released updated packages for Red Hat Enterprise Linux 6 and 7 (ntp-4.2.6p5-10.el6_8.2 and ntp-4.2.6p5-25.el7_3.1) [1]. As a workaround, implement BCP-38 (ingress filtering) to prevent spoofed packets, configure firewalls to restrict which interfaces can receive packets from specific networks, and monitor ntpd instances with auto-restart configured (without the -g flag) [4].
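The precondition named under Exploitation (the operating system not validating source addresses, e.g. rp_filter set to 0 on Linux) can be checked per interface; the script below is an added example, not part of the advisory or of ntpd. It relies on the Linux kernel applying the larger of conf/all/rp_filter and conf/<interface>/rp_filter to each interface; the function names are hypothetical, and rp_filter covers IPv4 only.

```shell
#!/bin/sh
# Added example: audit Linux reverse-path filtering (rp_filter) per interface.
# rp_filter values: 0 = no source validation, 1 = strict, 2 = loose.
# The optional first argument is the sysctl conf directory (defaults to the
# live tree), which lets the functions be pointed at a constructed copy.

# Print "<iface> <effective>" for each interface. The kernel uses
# max(conf/all/rp_filter, conf/<iface>/rp_filter) for source validation.
rp_filter_effective() {
    root=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not interfaces; skip loopback too.
        case $iface in all|default|lo) continue ;; esac
        val=$(cat "$dir/rp_filter" 2>/dev/null) || continue
        if [ "$all" -gt "$val" ]; then
            val=$all
        fi
        echo "$iface $val"
    done
}

# Print only the interfaces whose effective value is 0, i.e. those that
# accept packets without checking the source address against the routing table.
rp_filter_unvalidated() {
    rp_filter_effective "$1" | while read -r iface val; do
        if [ "$val" -eq 0 ]; then
            echo "$iface"
        fi
    done
}

# Report on the live system when the sysctl tree is present.
if [ -d /proc/sys/net/ipv4/conf ]; then
    rp_filter_unvalidated | sed 's/^/no source validation: /'
fi
```

An interface listed by this check is one where the spoofed-response condition described above is not blocked by the host itself, so ingress filtering or firewall rules have to cover it.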
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (21)
osv-coords, 19 versions:
- pkg:rpm/opensuse/ntp&distro=openSUSE%20Tumbleweed
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSS
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSS
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATA
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1
- pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
- pkg:rpm/suse/ntp&distro=SUSE%20Manager%202.1
- pkg:rpm/suse/ntp&distro=SUSE%20Manager%20Proxy%202.1
- pkg:rpm/suse/ntp&distro=SUSE%20OpenStack%20Cloud%205
- (no CPE) range: < 4.2.8p9-1.1
- (no CPE) range: < 4.2.8p9-55.1
- (no CPE) range: < 4.2.8p9-55.1
- (no CPE) range: < 4.2.8p9-48.9.1
- (no CPE) range: < 4.2.8p9-48.9.1
- (no CPE) range: < 4.2.8p9-48.9.1
- (no CPE) range: < 4.2.8p9-48.9.1
- (no CPE) range: < 4.2.8p9-57.2
- (no CPE) range: < 4.2.8p9-55.1
- (no CPE) range: < 4.2.8p9-55.1
- (no CPE) range: < 4.2.8p9-46.18.1
- (no CPE) range: < 4.2.8p9-55.1
- (no CPE) range: < 4.2.8p9-57.2
- (no CPE) range: < 4.2.8p9-46.18.1
- (no CPE) range: < 4.2.8p9-55.1
- (no CPE) range: < 4.2.8p9-55.1
- (no CPE) range: < 4.2.8p9-48.9.1
- (no CPE) range: < 4.2.8p9-48.9.1
- (no CPE) range: < 4.2.8p9-48.9.1
Patches
No patches discovered yet.
References (10)
- nwtime.org/ntp428p9_release/ (nvd; Release Notes, Vendor Advisory)
- support.ntp.org/bin/view/Main/NtpBug3072 (nvd; Issue Tracking, Mitigation, Vendor Advisory)
- support.ntp.org/bin/view/Main/SecurityNotice (nvd; Vendor Advisory)
- www.kb.cert.org/vuls/id/633847 (nvd; Third Party Advisory, US Government Resource)
- rhn.redhat.com/errata/RHSA-2017-0252.html (nvd)
- www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html (nvd)
- www.securityfocus.com/bid/94453 (nvd)
- www.securitytracker.com/id/1037354 (nvd)
- bto.bluecoat.com/security-advisory/sa139 (nvd)
- h20566.www2.hpe.com/hpsc/doc/public/display (nvd)