Bug 1047854 (CVE-2013-5211)
| Summary: | CVE-2013-5211 ntp: DoS in monlist feature in ntpd | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Ratul Gupta <ratulg> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | asn, btotty, collura, donhoover, dwmw2, fweimer, jkurik, knoha, mdshaikh, mlichvar, moshiro, mvanderw, pertusus, pfrields, rhbugs, sardella, security-response-team, seldridg, vchepkov |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ntp 4.2.7p26 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-02-13 11:50:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1047855, 1047856 | | |
| Bug Blocks: | 1047857 | | |
Description
Ratul Gupta
2014-01-02 11:53:08 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1047855]

The default ntp.conf included in our ntp packages has noquery in the default restrict line, which blocks the monlist command. Further to what Miroslav noted in comment #3, this can be verified by checking that the following are set in /etc/ntp.conf, which is the default in Red Hat Enterprise Linux and Fedora:

```
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
```

External References:

https://www.us-cert.gov/ncas/alerts/TA14-013A

Note also that this is corrected in the upstream 4.2.7p26 version, by the removal of the monlist command, as noted in the Changelog [1]:

* [Bug 1532] Remove ntpd support for ntpdc's monlist in favor of ntpq's mrulist.

[1] http://archive.ntp.org/ntp4/ChangeLog-dev

The diff between 4.2.7p25 and 4.2.7p26 is not insignificant, however, and there's quite a few unrelated changes in p26 as well. I am unsure what upstream plans to do (if anything) about the stable 4.2.6 version.

(In reply to Vincent Danen from comment #7)
> The diff between 4.2.7p25 and 4.2.7p26 is not insignificant, however, and
> there's quite a few unrelated changes in p26 as well.

This should be better, as it is a link to the relevant upstream bk commit: http://bk.ntp.org/ntp-dev/?PAGE=patch&REV=4bd01f89Yo9e2iweK89Ds0L52SCxGw

The upstream security page has a note for this issue now: http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

The ntp packages as shipped with Red Hat Enterprise Linux are not affected by this issue in their default configuration. The configuration defines the following default restrictions:

```
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
```

These restrictions include 'noquery', which causes NTP daemon control command queries, including the 'monlist' query specifically pointed out by this CVE, to be rejected. Query access is only allowed from localhost in the default configuration. Users are discouraged from allowing queries by default; query access can be granted to specific hosts if needed (using the 'restrict' access control command). Alternatively, users can disable monitor functionality using the 'disable monitor' command in /etc/ntp.conf. Note that use of the 'restrict' command with the 'limited' flag also enables monitor functionality even when the 'disable monitor' command is used.

The upstream fix implemented in version 4.2.7p26 is the removal of support for the 'monlist' ntpdc command and the introduction of a replacement 'mrulist' ntpq command, for which additional verification is done to avoid request packet source address spoofing and to limit the size of responses. Note that version 4.2.7 is still the development version upstream. The latest production release is 4.2.6, which does not include the above fix.

Additionally, the fix in 4.2.7p26 only addresses the 'monlist' command, which has the highest amplification ratio. Other ntpdc (NTP mode 7) and ntpq (NTP mode 6) commands may be used in the future for amplification attacks with a lower amplification ratio. Users who do not disable these queries are encouraged to review their configuration and enable restrictions to reduce the risk of future attacks using other commands.

Red Hat currently does not plan to modify ntp packages in released versions of Red Hat Enterprise Linux to remove monlist support. Future updates may change the default configuration to use 'disable monitor' in addition to 'restrict default noquery'.

For additional information on various ntp configuration commands, refer to the following manual pages: ntp_acc(5), ntp_misc(5), ntpdc(8) and ntpq(8).

Statement:

This issue does not affect the default configuration of ntp packages shipped with Red Hat Enterprise Linux, which does not allow remote ntpd control queries. Users changing the ntpd access control configuration should consider reviewing the additional information provided via https://bugzilla.redhat.com/show_bug.cgi?id=1047854#c27 to avoid exposing their systems to this traffic amplification issue.
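The access-control rules stated in the comments above (a default 'restrict ... noquery' line rejects monlist; 'disable monitor' turns the monitor off but any 'restrict ... limited' line turns it back on) can be checked mechanically against an ntp.conf. The following Python script is an added example, not part of the bug report or of the ntp project; the function name is the author's own and the sample configurations are constructed, not taken from any real host.

```python
import shlex

def assess_monlist_exposure(conf_text):
    """Decide from ntp.conf text whether the ntpd 'monlist' query is reachable
    from arbitrary remote hosts, per the rules in the bug: 'noquery' (or
    'ignore') on every 'restrict default' line rejects control queries, while
    'disable monitor' is undone by any 'restrict ... limited' line."""
    default_flags = []          # flag sets of 'restrict [-4|-6] default' lines
    monitor_disabled = False
    limited_seen = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        cmd, *args = shlex.split(line)
        if cmd == "restrict":
            if args and args[0] in ("-4", "-6"):
                args = args[1:]                  # address family selector
            if not args:
                continue
            target, flags = args[0], set(args[1:])
            if target == "default":
                default_flags.append(flags)
            if "limited" in flags:
                limited_seen = True              # re-enables the monitor
        elif cmd in ("disable", "enable") and "monitor" in args:
            monitor_disabled = cmd == "disable"  # last directive wins
    # With no 'restrict default' line at all, ntpd restricts nothing.
    queries_blocked = bool(default_flags) and all(
        flags & {"noquery", "ignore"} for flags in default_flags)
    monitor_active = not monitor_disabled or limited_seen
    return {
        "default_restrict_blocks_queries": queries_blocked,
        "monitor_active": monitor_active,
        "monlist_exposed": monitor_active and not queries_blocked,
    }

# Constructed sample configurations (hypothetical, not from any real host).
RHEL_DEFAULT_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""
OPEN_QUERY_CONF = "restrict default kod nomodify notrap nopeer\nrestrict 127.0.0.1\n"
DISABLED_MONITOR_CONF = "disable monitor\n" + OPEN_QUERY_CONF
LIMITED_REENABLES_CONF = "disable monitor\nrestrict default nomodify notrap nopeer limited\n"

if __name__ == "__main__":
    for name, conf in (("default", RHEL_DEFAULT_CONF), ("open", OPEN_QUERY_CONF)):
        print(name, assess_monlist_exposure(conf))
```

An empty or missing default restrict line is reported as exposed, since without one ntpd imposes no access restrictions at all.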