Important Information Regarding NTP Vulnerability (CVE-2016-9042)

Publish Time: 2017-04-18 00:00:00 UTC+8

Last Updated: 2017-04-18 12:00:00 UTC+8

Severity: Moderate

Status: Resolved

Abstract

CVE-2016-9042 could allow remote attackers to perform a denial-of-service (DoS) attack on the vulnerable NTP server and cause the mechanism of time synchronization to lose effectiveness.

Severity

Moderate

Affected

  • Products
    • DSM 6.1
    • DSM 6.0
  • Models
    • All Synology models

Description

ntpd in NTP 4.2.8p9 allows remote attackers to bypass origin-timestamp validation by sending a packet whose origin timestamp is set to zero. The flaw stems from an incorrect upstream fix for CVE-2015-8138.

Mitigation

  • Part 1: Create a rule to allow an IP range or subnet access to NTP service

    1. Under Firewall Profile, please select Edit Rules.
    2. On the top left corner, click Create to create a new firewall rule.
    3. Under Ports, please find Select from a list of built-in applications and click Select to choose an application.
    4. Find and check NTP Service and click OK.
    5. Under Source IP, please select Specific IP and click Select on the right. You can also select All if you would like to select all IPs.
    6. Here you may specify an IP range or subnet that you would like to allow access to the NTP service. In the example below, NTP access is only allowed for IP addresses between 192.168.1.90 and 192.168.1.99. Click OK once you have specified the IP address or subnet.
    7. Under Action, please select Allow to allow the specified IP addresses or subnet access to NTP.
    8. Once you have selected an action, you can click OK. You can now see that this setup will allow NTP access only for IP addresses from 192.168.1.90 to 192.168.1.99.
  • Part 2: Create a rule to deny NTP access to all other IP addresses.

    1. Please repeat steps 1-4 above.
    2. Under Source IP, select All to include all IP addresses.
    3. Under Action, please select Deny to block all other IP addresses or subnets from accessing NTP. Click OK when done.
  • After all the steps have been completed, you can see that all IPs have been denied access to the NTP service, except for IPs ranging from 192.168.1.90 to 192.168.1.99. Please note that the rule allowing the permitted IPs must be placed before the rule blocking all IPs: firewall rules are evaluated in order and the first match wins, so an allow rule listed after a deny-all rule is never reached.
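The rule ordering point above, shown as an added example that is not part of the Synology advisory: a small first-match model of the two firewall rules (allow 192.168.1.90-192.168.1.99 to UDP/123, then deny everyone else). The `Rule` format, the `evaluate` function and the assumed default policy of "allow" when no rule matches are my own constructions; the port, the IP range and the two rules come from the advisory.

```python
"""First-match firewall model for the two NTP rules in the advisory.

Added example, not DSM code. The rule format and the evaluator are constructed
here; the default policy when no rule matches is assumed to be "allow".
"""
import ipaddress
from dataclasses import dataclass

NTP_PORT = 123  # NTP Service in the DSM application list is UDP/123


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "udp" or "tcp"
    port: int
    src_first: str   # inclusive start of the source IP range
    src_last: str    # inclusive end of the source IP range

    def matches(self, proto: str, port: int, src: str) -> bool:
        if proto != self.proto or port != self.port:
            return False
        ip = int(ipaddress.ip_address(src))
        lo = int(ipaddress.ip_address(self.src_first))
        hi = int(ipaddress.ip_address(self.src_last))
        return lo <= ip <= hi


def evaluate(rules, proto: str, port: int, src: str, default: str = "allow") -> str:
    """Walk the ordered chain; the first matching rule decides (assumed default: allow)."""
    for rule in rules:
        if rule.matches(proto, port, src):
            return rule.action
    return default


# Part 1 rule: allow the LAN range; Part 2 rule: deny every other source.
ALLOW_LAN = Rule("allow", "udp", NTP_PORT, "192.168.1.90", "192.168.1.99")
DENY_ALL = Rule("deny", "udp", NTP_PORT, "0.0.0.0", "255.255.255.255")

CORRECT_ORDER = [ALLOW_LAN, DENY_ALL]   # allow listed first, as the advisory requires
WRONG_ORDER = [DENY_ALL, ALLOW_LAN]     # deny-all first: the allow rule is never reached


def ntp_decision(rules, src: str) -> str:
    """Decision for an NTP request from src under the given ordered rules."""
    return evaluate(rules, "udp", NTP_PORT, src)


if __name__ == "__main__":
    for src in ("192.168.1.95", "192.168.1.100", "203.0.113.7"):  # constructed sample sources
        print(f"{src}: correct order -> {ntp_decision(CORRECT_ORDER, src)}, "
              f"wrong order -> {ntp_decision(WRONG_ORDER, src)}")
```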

Update Availability

Not available yet

References

http://support.ntp.org/bin/view/Main/NtpBug3361
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9042
https://www.freebsd.org/security/advisories/FreeBSD-SA-17:03.ntp.asc