-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2010-005
		 =================================

Topic:		NTP server Denial of Service vulnerability


Version:	NetBSD-current:		affected prior to 2009-12-08
		NetBSD 5.0.2:		not affected
		NetBSD 5.0.1:		affected
		NetBSD 5.0:		affected
		NetBSD 4.0.*:		affected
		NetBSD 4.0:		affected
		pkgsrc:			ntp package prior to 4.2.4p8


Severity:	Remote Denial of Service


Fixed:		NetBSD-current:		Dec 8, 2009
		NetBSD-5-0 branch:	Dec 8, 2009
		NetBSD-5 branch:	Dec 8, 2009
		NetBSD-4-0 branch:	Dec 8, 2009
		NetBSD-4 branch:	Dec 8, 2009
		pkgsrc 2009Q4:		ntp-4.2.4p8 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.



Abstract
========

A programming error in the handling of NTP MODE_PRIVATE packets
allows a remote attacker to cause a denial of service.

This vulnerability has been assigned CVE-2009-3563 and CERT
Vulnerability Note VU#568372.


Technical Details
=================

ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows
remote attackers to cause a denial of service (CPU and bandwidth
consumption) by using MODE_PRIVATE to send a spoofed (1) request or
(2) response packet that triggers a continuous exchange of
MODE_PRIVATE error responses between two NTP daemons.


Solutions and Workarounds
=========================

As a workaround, disable the NTP service in your system by running the
following commands:

	# /etc/rc.d/ntpd stop
	# echo ntpd=NO > /etc/rc.conf.d/ntpd

The following instructions describe how to upgrade your ntpd
binaries by updating your source tree and rebuilding and
installing a new version of ntpd:

* NetBSD-current:

	Systems running NetBSD-current dated from before 2009-12-08
	should be upgraded to NetBSD-current dated 2009-12-09 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		dist/ntp/ntpd/ntp_request.c

	To update from CVS, re-build, and re-install ntpd:
		# cd src
		# cvs update -d -P dist/ntp/ntpd/ntp_request.c
		# cd usr.sbin/ntp/ntpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 5.*:

	Systems running NetBSD 5.* sources dated from before
	2009-12-08 should be upgraded from NetBSD 5.* sources dated
	2009-12-09 or later.

	The following files/directories need to be updated from the
	netbsd-5 or netbsd-5-0 branches:
		dist/ntp/ntpd/ntp_request.c

	To update from CVS, re-build, and re-install ntpd:

		# cd src
		# cvs update -r <branch_name> -d -P dist/ntp/ntpd/ntp_request.c
		# cd usr.sbin/ntp/ntpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 4.*:

	Systems running NetBSD 4.* sources dated from before
	2009-12-08 should be upgraded from NetBSD 4.* sources dated
	2009-12-09 or later.

	The following files/directories need to be updated from the
	netbsd-4 or netbsd-4-0 branches:
		dist/ntp/ntpd/ntp_request.c

	To update from CVS, re-build, and re-install ntpd:

		# cd src
		# cvs update -r <branch_name> -d -P dist/ntp/ntpd/ntp_request.c
		# cd usr.sbin/ntp/ntpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========

Dmitri Vinokurov and Robin Park for discovering and reporting the vulnerability,
and Frank Kardel for fixing it in NetBSD.


Revision History
================

	2010-04-27	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-005.txt,v 1.1 2010/04/25 23:25:30 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)

iQIcBAEBAgAGBQJL1flpAAoJEAZJc6xMSnBuHFAP/A+uCEy1p6SUPzA47tn4j1XC
UKctSH0F3KCtIp28HLJdqr5jfFiFlKfN4bQYPVK8cmALW/RHFvf4H+b2WR7Xnrvz
quLpbodMgEA16VRSSZKAR4WPl49znnoJOf3SeWmOcx+tj89/t83VTLJX/mGwxdLo
fOHqmmQe0th7oAqtegpW0RfO3B5/5Zq4zOoZbp3M3NJHDEYD1YY6u9TufLIbQ4k0
l7tRoEevG2sputJKGzlLkR6NGS2r3ZGjnNrmLMBvndI6NieIW/k7NKNJtJz+sPtP
6h8jFdCJjB7Vwf3Dcart1M3Vu3CWJXdlOycYAli8BSSzhFyE6abu5VyiKTSPJbgI
OOaJqLTYR7ZQY0cMYAaUd89MLVX7SF4bzKbYdpflrt2M1SmMY7SnO0vM97X7MplE
Mu+zCqzNnWwHMB1I4SK0jsSu1KH13ZNcZLo+2xcvuWxFQt+zU3uEtuitAYfm9wRY
BZdcihWBbmdaZJyE8wZFtujqqcaEX6cGtEty09SHgRL5VH3XvcuJf/5Ls+jVO1a4
61rd5byxJIM1a32dgamg48qpkE63LRy5GHavn67r391bAoWmUrfHt+9p7z/8IpfZ
KKdnw+R3a1t0BGH/yPcqVVD8oXY/xn80q0rqqqQxgI6ospqPHc3/jDUwnLRRI4Ae
OFFiV8sDaPu1BSURxu1a
=k9Vv
-----END PGP SIGNATURE-----