News from 2009-12-10


LANTIME Firmware Update: NTP Security Problem with Mode 7 Packets


On December 8, 2009 the NTP Public Services Project announced a bugfix release that includes a fix for a recently discovered problematic behavior of ntpd. After receiving the announcement, Meinberg immediately started to investigate if this problem affects the NTP version running on our LANTIME NTP timeserver appliances.

The test showed that the problem described in the NTP bugtracker article does affect our LANTIME products.

The faulty behavior of the NTP daemon can be provoked by sending a malformed mode 7 NTP control packet. The existing Firmware Updates V5.30g and V4.57 include a fix for this problem. If installing a firmware update is not immediately possible, Meinberg recommends applying a simple configuration change that effectively eliminates the problem:

In order to switch off processing of NTP control and query packets, two so-called restrict statements have to be inserted into the NTP configuration file. This can be done using the "Edit Additional Network Configuration" function on the "NTP" page of the web interface. This function opens an editor allowing changes to a file called "ntpconf.add". In order to switch off mode 6 and 7 packet processing from remote systems, the following two lines have to be inserted into this file:

restrict default noquery
restrict 127.0.0.1

The usage of mode 6 NTP queries by utilities like ntpq or the Meinberg NTP Timeserver Monitor needs to be specifically allowed for each IP address. That can be achieved by using additional restrict statements. If for example an administrator PC with the IP address 192.168.0.122 should be allowed to send mode 6/mode 7 packets, the following line has to be inserted into the above mentioned configuration file:
restrict 192.168.0.122

Please note that this also makes it possible to exploit the NTP bug 1331 security problem by spoofing the source address of a malformed packet, using one of the IP addresses that have been granted mode 6/7 access as described above.
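As an added example (not part of Meinberg's advisory or firmware), the following Python script parses an ntpconf.add-style file and reports, for a given source address, whether mode 6/7 query packets would still be accepted under ntpd's rule that the most specific matching restrict entry applies. The file content and IP addresses are constructed to mirror the lines above.

```python
import ipaddress

# Constructed sample ntpconf.add content, mirroring the mitigation lines above.
SAMPLE_NTPCONF_ADD = """\
# mitigation for NTP bug 1331: refuse mode 6/7 from everyone by default
restrict default noquery
restrict 127.0.0.1
restrict 192.168.0.122
"""


def parse_restrict(text):
    """Return a list of (network, flags) tuples from the restrict lines.

    Handles 'restrict default [flags]' and 'restrict <ip> [mask <mask>] [flags]';
    comments after '#' and non-restrict lines are ignored.
    """
    rules = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        target, rest = tokens[1], tokens[2:]
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif len(rest) >= 2 and rest[0] == "mask":
            net = ipaddress.ip_network(f"{target}/{rest[1]}", strict=False)
            rest = rest[2:]
        else:
            net = ipaddress.ip_network(target)  # single host: /32 or /128
        rules.append((net, frozenset(rest)))
    return rules


def effective_flags(rules, source_ip):
    """Flags of the most specific (longest prefix) entry matching source_ip."""
    ip = ipaddress.ip_address(source_ip)
    best = None
    for net, flags in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    return best[1] if best else frozenset()


def query_allowed(rules, source_ip):
    """Mode 6/7 packets are refused when the matching entry has noquery or ignore."""
    return not (effective_flags(rules, source_ip) & {"noquery", "ignore"})


if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_NTPCONF_ADD)
    for src in ("127.0.0.1", "192.168.0.122", "10.0.0.5"):
        print(src, "mode 6/7 allowed:", query_allowed(rules, src))
```

Running the script against the real file exported from the web interface shows which hosts remain able to send mode 6/7 packets, and therefore which addresses the spoofing caveat above applies to.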

For this reason Meinberg provides firmware update files for all V4 and V5 firmware versions on its web servers, which include a fix for bug 1331 that completely eliminates this security problem.

To find out which firmware generation is installed on your LANTIME devices, please log on to the web interface and look at the "Lantime" line in the main menu. This line shows the firmware version, which can either be a "V4.xx" or a "V5.xx" string. For V4 firmware releases, the "xx" represents a two-digit number; with V5 firmware releases this number can also be extended with a single lowercase character that represents the bugfix release version.

If your LANTIME device runs a pre-V4 firmware (devices that are 5 years or older), please contact Meinberg Support for further assistance.

For V4 you can download a Firmware Update image to V4.57 from here:
https://www.meinberg.de/download/firmware/lantime/lt_update_v405_to_v457_Meinberg.tgz

On V5 Firmware versions starting from 5.24 the following update to 5.30g can be directly installed:
https://www.meinberg.de/download/firmware/lantime/v5/5.10-to-5.30g.upd

If your LANTIME devices run a V5 firmware before 5.24, an intermediate update to 5.28j is required, before you install the above mentioned 5.30g:
https://www.meinberg.de/download/firmware/lantime/v5/5.10-to-5.28j.upd
Please note that this 5.28j update does not include a fix for the described security problem; it is only a prerequisite for installing the 5.30g release that includes the fix.

Installing a firmware update on your LANTIME can be performed using the web interface by following these simple steps:

  1. Logon to the web interface
  2. Open the "Local" page
  3. In the "Firmware Update" section, use the "Browse" button to select the download file that you downloaded using one of the above mentioned links
  4. Use the "Start Firmware Update" button to start the update procedure and follow the on-screen instructions

If you are unsure or have additional questions regarding the update procedure, please contact Meinberg Support or use our Firmware-Update page.

Because this bug affects a wide range of NTP versions, Meinberg recommends checking all NTP versions installed on your servers and workstations and updating the installed NTP software if required. We expect that most OS vendors shipping an affected version of NTP will provide a security update as soon as possible.

