CVE-2023-4012

7.5 HIGH

📋 TL;DR

CVE-2023-4012 is a denial-of-service vulnerability in ntpd where servers without NTS (Network Time Security) certificates crash when receiving NTS-enabled client requests. This affects NTP servers running vulnerable versions of ntpd or ntpsec that haven't been configured with NTS certificates. The crash disrupts time synchronization services.

💻 Affected Systems

Products:
  • ntpd
  • ntpsec
Versions: ntpsec versions before 1.2.3, ntpd versions with NTS support but without proper certificate configuration
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ✅ No
Notes: Only affects servers with NTS support compiled in but not configured with certificates. Standard NTP configurations without NTS are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious actors could crash all vulnerable NTP servers in an organization, disrupting time synchronization across all dependent systems and services, potentially causing authentication failures, log corruption, and application malfunctions.

🟠

Likely Case

Accidental NTS client requests or misconfigured clients cause NTP server crashes, resulting in temporary time synchronization loss until services restart automatically or manually.

🟢

If Mitigated

With proper network segmentation and NTS configuration, impact is limited to isolated test environments or specific network segments.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted NTS client requests to vulnerable servers. The bug report includes reproduction steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ntpsec 1.2.3

Vendor Advisory: https://gitlab.com/NTPsec/ntpsec/-/issues/794

Restart Required: Yes

Instructions:

1. Update ntpsec to version 1.2.3 or later using your package manager.
2. For ntpd, apply vendor patches if available.
3. Restart the NTP service.

🔧 Temporary Workarounds

Disable NTS support (linux)

Remove NTS compilation options or disable NTS functionality in configuration: recompile without NTS support, or set 'nts enable no' in ntp.conf.

Network filtering (linux)

Block NTS client requests at the network perimeter:

iptables -A INPUT -p udp --dport 123 -m string --hex-string '|0300|' --algo bm -j DROP

Note that this string match drops any NTP datagram that contains the byte sequence 03 00 anywhere in the payload, so it can also discard legitimate client traffic; test it before relying on it.

🧯 If You Can't Patch

  • Implement network segmentation to isolate NTP servers from untrusted networks
  • Monitor NTP service health and implement automatic restart mechanisms

🔍 How to Verify

Check if Vulnerable:

Check whether the NTP server crashes when it receives NTS client requests (mode 3 packets). Test with ntpq -c 'rv' to check NTS status.

Check Version:

ntpsec-version || ntpq -c version

Verify Fix Applied:

After patching, verify NTP service remains running when receiving NTS requests. Check version with: ntpsec-version or ntpq -c version.

📡 Detection & Monitoring

Log Indicators:

  • NTP service crash logs
  • Segmentation fault errors in system logs
  • Time synchronization failures

Network Indicators:

  • Unexpected NTS client requests to non-NTS servers
  • Spike in NTP protocol mode 3 packets

SIEM Query:

source="ntp.log" AND ("crash" OR "segfault" OR "abort")
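As an added example (not part of this advisory or of the ntpsec project), the following Python script ties the "How to Verify" and "Detection & Monitoring" sections together: it parses the version string printed by ntpsec-version or ntpq -c version, checks an ntp.conf for NTS turned on without a server certificate, and scans log lines for the crash indicators listed above. The ntp.conf directive names 'nts enable' and 'nts cert', the version-string format and all sample data are assumptions constructed for this example.

```python
import re

FIXED_VERSION = (1, 2, 3)  # ntpsec release that fixes CVE-2023-4012


def parse_ntpsec_version(text):
    """Return (major, minor, patch) from output containing 'ntpsec-X.Y.Z', else None."""
    m = re.search(r"ntpsec-(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_vulnerable(text):
    """True when the reported ntpsec version is older than 1.2.3."""
    v = parse_ntpsec_version(text)
    return v is not None and v < FIXED_VERSION


def nts_enabled_without_cert(conf_text):
    """True when ntp.conf turns NTS on but names no server certificate.
    Directive names 'nts enable' and 'nts cert' are assumed here."""
    enabled = has_cert = False
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if re.fullmatch(r"nts\s+enable", line):
            enabled = True
        elif re.match(r"nts\s+cert\s+\S+", line):
            has_cert = True
    return enabled and not has_cert


# Crash indicators from the advisory plus the standard kernel/systemd wording.
CRASH_RE = re.compile(
    r"\bntpd\b.*(segfault|crash|abort|core dumped|code=dumped|SEGV)", re.I)


def crash_events(log_lines):
    """Return the log lines that look like an ntpd crash."""
    return [line for line in log_lines if CRASH_RE.search(line)]


# Constructed samples (not real captures) so the script runs stand-alone.
SAMPLE_VERSION = "ntpsec-1.2.2"
SAMPLE_CONF = "nts enable\nserver 0.pool.ntp.org\n# nts cert /etc/ntp/cert.pem\n"
SAMPLE_LOG = [
    "Aug  1 10:00:01 host kernel: ntpd[812]: segfault at 0 ip 00005583 sp 00007ffd error 4 in ntpd",
    "Aug  1 10:00:01 host systemd[1]: ntpd.service: Main process exited, code=dumped, status=11/SEGV",
    "Aug  1 10:00:05 host ntpd[900]: ntpd ntpsec-1.2.2: Starting",
]

if __name__ == "__main__":
    print("vulnerable version:", version_is_vulnerable(SAMPLE_VERSION))
    print("NTS on without cert:", nts_enabled_without_cert(SAMPLE_CONF))
    print("crash events:", len(crash_events(SAMPLE_LOG)))
```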
