Bug 1047854 - (CVE-2013-5211) CVE-2013-5211 ntp: DoS in monlist feature in ntpd
CVE-2013-5211 ntp: DoS in monlist feature in ntpd
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20100420,repor...
: Security
Depends On: 1047855 1047856
Blocks: 1047857
  Show dependency treegraph
 
Reported: 2014-01-02 06:53 EST by Ratul Gupta
Modified: 2015-10-15 17:45 EDT (History)
19 users (show)

See Also:
Fixed In Version: ntp 4.2.7p26
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-13 06:50:11 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 690293 None None None Never

  None (edit)
Description Ratul Gupta 2014-01-02 06:53:08 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5211 to the following vulnerability:

Name: CVE-2013-5211
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
Assigned: 20130815
Reference: http://openwall.com/lists/oss-security/2013/12/30/6
Reference: http://openwall.com/lists/oss-security/2013/12/30/7
Reference: http://lists.ntp.org/pipermail/pool/2011-December/005616.html
Reference: http://bugs.ntp.org/show_bug.cgi?id=1532
Reference: http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ntp-dev-4.2.7p26.tar.gz

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
Comment 2 Ratul Gupta 2014-01-02 06:54:44 EST
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1047855]
Comment 3 Miroslav Lichvar 2014-01-02 07:23:04 EST
The default ntp.conf included in our ntp packages has noquery in the default restrict line, which blocks the monlist command.
Comment 5 Vincent Danen 2014-01-15 19:57:09 EST
Further to what Miroslav noted in comment #3, this can be verified by checking that the following are set in /etc/ntp.conf, which is the default in Red Hat Enterprise Linux and Fedora:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery


External References:

https://www.us-cert.gov/ncas/alerts/TA14-013A
Comment 7 Vincent Danen 2014-01-15 20:19:09 EST
Note also that this is corrected in the upstream 4.2.7p26 version, by the removal of the monlist command, as noted in the Changelog [1]:

* [Bug 1532] Remove ntpd support for ntpdc's monlist in favor of ntpq's
  mrulist.

[1] http://archive.ntp.org/ntp4/ChangeLog-dev

The diff between 4.2.7p25 and 4.2.7p26 is not insignificant, however, and there's quite a few unrelated changes in p26 as well.  I am unsure what upstream plans to do (if anything) about the stable 4.2.6 version.
Comment 8 Tomas Hoger 2014-01-16 04:13:24 EST
(In reply to Vincent Danen from comment #7)
> The diff between 4.2.7p25 and 4.2.7p26 is not insignificant, however, and
> there's quite a few unrelated changes in p26 as well.

This should be better, as it's link to relevant upstream bk commit:

http://bk.ntp.org/ntp-dev/?PAGE=patch&REV=4bd01f89Yo9e2iweK89Ds0L52SCxGw

Upstream security page has a note for this issue now:

http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
Comment 27 Tomas Hoger 2014-02-11 10:15:59 EST
The ntp packages as shipped with Red Hat Enterprise Linux are not affected by this issue in their default configuration.  The configuration defines the following default restrictions:

  restrict default kod nomodify notrap nopeer noquery
  restrict -6 default kod nomodify notrap nopeer noquery

These restrictions include 'noquery', which causes NTP daemon control command queries, including 'monlist' specifically pointed out by this CVE, to be rejected.  The query access is only allowed from localhost in the default configuration.

Users are discouraged from allowing query by default, query access can be granted to specific hosts if needed (using 'restrict' access control command).  Alternatively, users can disable monitor functionality using 'disable monitor' command in the /etc/ntp.conf.  Note that use of 'restrict' command with 'limited' flag also enables monitor functionality even when 'disable monitor' command is used.

Upstream fix implemented in version 4.2.7p26 is removal of support for 'monlist' ntpdc command, and introduction of replacement 'mrulist' ntpq command, for which additional verification is done to avoid request packet source address spoofing, and to limit the size of responses.  Note that version 4.2.7 is still the development version upstream.  The latest production release is 4.2.6 that does not include the above fix.

Additionally, the fix in 4.2.7p26 only addresses the 'monlist' command, which has the highest amplification ratio.  Other ntpdc (NTP mode 7) and ntpq (NTP mode 6) commands may be used in the future for amplification attacks with lower amplification ratio.  Users who do not disable these queries are encouraged to review their configuration and enable restrictions to reduce the risk of future attacks using other commands.

Red Hat currently does not plan to modify ntp packages in released versions of Red Hat Enterprise Linux to remove monlist support.  Future updates may change the default configuration to use 'disable monitor' in addition to 'restrict default noquery'.

For additional information on various ntp configuration commands, refer to the following manual pages: ntp_acc(5), ntp_misc(5), ntpdc(8) and ntpq(8).
Comment 29 Tomas Hoger 2014-02-13 06:50:11 EST
Statement:

This issue does not affect the default configuration of ntp packages shipped with Red Hat Enterprise Linux, which does not allow remote ntpd control queries. User changing ntpd access control configuration should consider reviewing additional information provided via https://bugzilla.redhat.com/show_bug.cgi?id=1047854#c27 to avoid exposing their systems to this traffic amplification issue.

Note You need to log in before you can comment on or make changes to this bug.