Bug 1805392 (CVE-2014-5209)
| Summary: | CVE-2014-5209 ntp: Information Disclosure vulnerability via GET_RESTRICT control message | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | gwync, linville, mlichvar, rschiron |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was discovered where an information disclosure is present in the Network Time Protocol (NTP) through the GET_RESTRICT control message, which can be sent with the reslist command of the ntpdc tool. An attacker can use this message to obtain sensitive information such as internal IP addresses and NTP’s configuration settings.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-02-24 15:50:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1790330 | ||
|
Description
Pedro Sampaio
2020-02-20 17:31:07 UTC
The ntp packages as shipped with Red Hat Enterprise Linux are not affected by this issue in their default configuration. The configuration defines the following default restrictions: restrict default nomodify notrap nopeer noquery restrict -6 default nomodify notrap nopeer noquery These restrictions include 'noquery', which causes NTP daemon control command queries, including 'reslist' specifically pointed out by this CVE, to be rejected. The query access is only allowed from localhost in the default configuration. Users are discouraged from allowing query by default, query access can be granted to specific hosts if needed (using 'restrict' access control command). Users who do not disable these queries are encouraged to review their configuration and enable restrictions to reduce the risk of future attacks using this or other commands. Reference: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=4eae26a46gF81Tr6RRrYnf6jWhVo0g There is no real fix for this issue, as this is mostly a configuration problem. You should not allow all hosts to perform mode7 queries to your ntp server. Upstream has chosen to disable mode 7 by default. Red Hat Enterprise Linux, as already noted in comment 3, disables these kind of queries by using the `restrict noquery` option. The GET_RESTRICT control message, that is generated by doing e.g. ntpdc -c reslit <host>, reports the server's restriction list. This may be considered sensitive information as it may contain internal IP addresses or give details about the ntp server configuration. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2014-5209 Statement: This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, 7 in their default configurations. Red Hat Enterprise Linux uses the `restrict noquery` option by default, which denies ntpdc queries. No proper fix is available for this issue upstream, apart from disabling these kind of queries by default or denying them through the `restrict` access control command specified in /etc/ntp.conf. Users are adviced to use `noquery` in their configurations and allow them only from a trusted set of network addresses. Mitigation: If not already present, add `noquery` option to the `restrict` access control command specified in /etc/ntp.conf. Red Hat Enterprise Linux 7 is shipped by default with the following setting: restrict default nomodify notrap nopeer noquery |