CVE-2020-13817
📋 TL;DR
This vulnerability in ntpd allows remote attackers to cause denial of service or manipulate system time by spoofing NTP packets. It affects systems using unauthenticated IPv4 time sources with vulnerable ntpd versions. Off-path attackers who can query the victim's ntpd instance can exploit this.
💻 Affected Systems
- ntp
- ntpd
📦 What is this software?
Leap by Opensuse
Ntp by Ntp
Solidfire by Netapp
⚠️ Risk & Real-World Impact
Worst Case
System time manipulation leading to service disruptions, authentication failures, or data corruption; ntpd daemon crash causing time synchronization loss.
Likely Case
Denial of service through ntpd daemon exit, disrupting time synchronization for dependent services.
If Mitigated
Minimal impact if using authenticated time sources or patched versions; time synchronization remains stable.
🎯 Exploit Status
Exploitation requires predicting transmit timestamps and ability to query victim's ntpd; detailed technical analysis available in NTP Bug 3596.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ntp 4.2.8p14 and 4.3.100
Vendor Advisory: http://support.ntp.org/bin/view/Main/NtpBug3596
Restart Required: Yes
Instructions:
1. Update the ntpd package to version 4.2.8p14 or 4.3.100.
2. Restart the ntpd service.
3. Verify the version with 'ntpd --version'.
🔧 Temporary Workarounds
Use authenticated time sources
Linux: Configure ntpd to use authenticated NTP sources instead of unauthenticated IPv4 sources.
Edit /etc/ntp.conf to include 'server <source> key <key>' lines with authentication.
Restrict NTP queries
Linux: Limit who can query the ntpd instance using firewall rules or ntpd restrictions.
# ntpd sends its own upstream queries from 123/UDP and receives the replies on
# 123/UDP, so accept established flows first or the DROP below breaks time sync
iptables -A INPUT -p udp --dport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 123 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j DROP
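The two workarounds above (authenticated sources and ntpd-side restrictions) combined into one ntp.conf fragment. This is an added example, not configuration from the advisory or from the ntp project; the hostnames, the 192.0.2.0/24 client network and key id 1 are constructed placeholders, and /etc/ntp.keys is assumed to hold a key generated with ntp-keygen.

```conf
# /etc/ntp.conf fragment (added example; hostnames, networks and key id 1 are
# constructed placeholders)

# BEFORE (the vulnerable shape): unauthenticated IPv4 sources and a default
# restriction that still lets anyone query the daemon.
#   server 0.pool.ntp.org iburst
#   restrict default nomodify

# Symmetric keys, one per line as "<id> <type> <key>" (e.g. from ntp-keygen -M).
# Only ids listed in trustedkey are accepted for authentication.
keys /etc/ntp.keys
trustedkey 1

# Authenticated upstream sources: packets without a valid MAC under key 1 are
# discarded, so spoofed packets cannot drive the clock.
server ntp1.example.internal key 1 iburst
server ntp2.example.internal key 1 iburst

# Refuse everything by default, then open only what is needed.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1
# Replies from the configured servers are accepted; control queries and
# runtime modification from them are not.
restrict source nomodify notrap noquery
# Trusted client network (constructed) may request time, nothing else.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery
```

The `restrict default ignore` line is the ntpd-side equivalent of the iptables DROP: hosts outside the listed networks get no response at all, which removes the "can query the victim's ntpd" precondition from the TL;DR. `restrict source` keeps the upstream associations working under that default.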
🧯 If You Can't Patch
- Switch to authenticated NTP time sources in ntpd configuration
- Implement network segmentation to restrict access to ntpd port 123/UDP
🔍 How to Verify
Check if Vulnerable:
Check ntpd version with 'ntpd --version' or 'rpm -q ntp'/'dpkg -l ntp' and compare to vulnerable versions.
Check Version:
ntpd --version 2>&1 | head -1
Verify Fix Applied:
Confirm ntpd version is 4.2.8p14 or higher, or 4.3.100 or higher, and service is running.
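A script for the version check described above, as an added example (not from the advisory or the ntp project). It assumes the banner shape ntpd prints, `ntpd 4.2.8p15@1.3728-o ...`, and treats 4.2.8p14 and 4.3.100 as the first fixed releases on their branches, as stated under Official Fix; the sample banner is constructed.

```shell
#!/bin/sh
# Added example: parse an `ntpd --version` banner and decide whether the version
# is at or after the fixed releases (4.2.8p14 on the 4.2 branch, 4.3.100 on 4.3).
# Assumed banner shape: "ntpd 4.2.8p15@1.3728-o ..." (first line of ntpd --version).

# Print the version token ("4.2.8p15", "4.3.100") from a full banner line.
ntp_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^ntpd \([0-9][0-9.]*\(p[0-9]*\)*\).*/\1/p'
}

# Exit status: 0 = fixed release or newer, 1 = vulnerable, 2 = unparseable.
ntp_version_fixed() {
  v="$1"
  case "$v" in
    *p*) base="${v%%p*}"; patch="${v##*p}" ;;
    *)   base="$v";       patch=0 ;;
  esac
  major="${base%%.*}"
  rest="${base#*.}"
  minor="${rest%%.*}"
  micro="${rest#*.}"
  # every component must be a plain integer, otherwise refuse to judge
  for n in "$major" "$minor" "$micro" "$patch"; do
    case "$n" in ''|*[!0-9]*) return 2 ;; esac
  done
  if [ "$major" -gt 4 ]; then return 0; fi
  if [ "$major" -lt 4 ]; then return 1; fi
  case "$minor" in
    0|1) return 1 ;;
    2)
      if [ "$micro" -gt 8 ]; then return 0; fi
      if [ "$micro" -lt 8 ]; then return 1; fi
      if [ "$patch" -ge 14 ]; then return 0; else return 1; fi ;;
    3)
      if [ "$micro" -ge 100 ]; then return 0; else return 1; fi ;;
    *) return 0 ;;
  esac
}

# Check the ntpd installed on this host (run with --live; not executed by default).
check_live_ntpd() {
  banner=$(ntpd --version 2>&1 | head -1)
  v=$(ntp_version_from_banner "$banner")
  rc=0
  ntp_version_fixed "$v" || rc=$?
  case $rc in
    0) echo "ntpd $v: fixed release (CVE-2020-13817 addressed)" ;;
    1) echo "ntpd $v: VULNERABLE, update to 4.2.8p14 / 4.3.100" ;;
    *) echo "could not parse banner: $banner" ;;
  esac
}

# Demo on a constructed banner.
SAMPLE_BANNER='ntpd 4.2.8p15@1.3728-o Wed Sep 23 11:46:38 UTC 2020 (1)'
echo "sample banner parses to: $(ntp_version_from_banner "$SAMPLE_BANNER")"
if [ "${1:-}" = "--live" ]; then check_live_ntpd; fi
```

Note that a version older than 4.2.8 (or a 4.2.8 build without a p-level) is reported as vulnerable, and a banner the script cannot parse is reported separately rather than silently passed.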
📡 Detection & Monitoring
Log Indicators:
- Unexpected ntpd daemon exits in system logs
- Time synchronization errors or large time jumps in logs
Network Indicators:
- Spoofed NTP packets from unexpected sources to port 123/UDP
- Abnormal query patterns to ntpd
SIEM Query:
source_port:123 AND (event_type:denial OR event_type:crash) OR time_change > threshold
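The two log indicators above, implemented as a filter over ntpd syslog lines. This is an added example, not tooling from the advisory; it matches ntpd's own messages "ntpd exiting on signal N", "time reset <offset> s" and "clock_step <offset> s", and the sample log lines are constructed, not captures from an incident.

```shell
#!/bin/sh
# Added example: flag ntpd daemon exits and time steps above a threshold in
# syslog-style lines. Only lines logged by ntpd itself ("ntpd[<pid>]:") count.

# Usage: ntp_log_indicators <step-threshold-seconds>   (log lines on stdin)
# Prints one ALERT line per hit.
ntp_log_indicators() {
  awk -v thr="$1" '
    # ignore anything not logged by ntpd
    !/ntpd\[[0-9]+\]:/ { next }
    /exiting/ { print "ALERT daemon-exit: " $0; next }
    /time reset/ || /clock_step/ {
      off = 0
      # the offset is the token right after "reset" or "clock_step", e.g. +3600.123456
      for (i = 1; i < NF; i++)
        if ($i == "reset" || $i == "clock_step") off = $(i + 1) + 0
      if (off < 0) off = -off
      if (off >= thr + 0) print "ALERT large-step " off "s: " $0
    }'
}

# Constructed sample log: one small step, one hour-sized step, one daemon exit,
# and a systemd line that must not be counted.
SAMPLE_LOG='Jul  7 10:01:02 host ntpd[1234]: Listen normally on 2 eth0 192.0.2.10:123
Jul  7 10:07:41 host ntpd[1234]: time reset +0.004512 s
Jul  7 10:09:03 host ntpd[1234]: time reset +3600.123456 s
Jul  7 10:09:05 host ntpd[1234]: ntpd exiting on signal 15 (Terminated)
Jul  7 10:09:06 host systemd[1]: ntp.service: Main process exited, code=exited'

# Number of alerts the sample produces at a given threshold.
count_sample_alerts() {
  printf '%s\n' "$SAMPLE_LOG" | ntp_log_indicators "$1" | wc -l | tr -d ' \t'
}

# Demo: a 1-second threshold reports the hour-sized step and the exit, not the 4 ms step.
printf '%s\n' "$SAMPLE_LOG" | ntp_log_indicators 1
```

The threshold is the operational knob: the advisory's "large time jumps" is only meaningful relative to what the environment normally sees, so set it just above the steps ntpd logs during routine operation on that host. The same filter can run over `journalctl -u ntp --no-pager` output piped to stdin.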
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html
- http://support.ntp.org/bin/view/Main/NtpBug3596
- https://bugs.ntp.org/show_bug.cgi?id=3596
- https://security.gentoo.org/glsa/202007-12
- https://security.netapp.com/advisory/ntap-20200625-0004/
- https://www.oracle.com/security-alerts/cpujan2022.html