An Information Disclosure vulnerability exists in NTP 4.2.7p25 private (mode 6/7) messages via a GET_RESTRICT control message, which could let a malicious user obtain sensitive information. References: https://blog.rapid7.com/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks/
The ntp packages as shipped with Red Hat Enterprise Linux are not affected by this issue in their default configuration. The configuration defines the following default restrictions:

    restrict default nomodify notrap nopeer noquery
    restrict -6 default nomodify notrap nopeer noquery

These restrictions include 'noquery', which causes NTP daemon control command queries, including 'reslist' specifically pointed out by this CVE, to be rejected. The query access is only allowed from localhost in the default configuration. Users are discouraged from allowing query by default; query access can be granted to specific hosts if needed (using the 'restrict' access control command). Users who do not disable these queries are encouraged to review their configuration and enable restrictions to reduce the risk of future attacks using this or other commands.
Reference: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=4eae26a46gF81Tr6RRrYnf6jWhVo0g

There is no real fix for this issue, as this is mostly a configuration problem. You should not allow all hosts to perform mode 7 queries to your ntp server. Upstream has chosen to disable mode 7 by default. Red Hat Enterprise Linux, as already noted in comment 3, disables these kinds of queries by using the `restrict noquery` option.
The GET_RESTRICT control message, which is generated by running e.g. `ntpdc -c reslist <host>`, reports the server's restriction list. This may be considered sensitive information as it may contain internal IP addresses or give details about the ntp server configuration.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2014-5209
Statement: This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, 7 in their default configurations. Red Hat Enterprise Linux uses the `restrict noquery` option by default, which denies ntpdc queries. No proper fix is available for this issue upstream, apart from disabling these kinds of queries by default or denying them through the `restrict` access control command specified in /etc/ntp.conf. Users are advised to use `noquery` in their configurations and allow them only from a trusted set of network addresses.
Mitigation: If not already present, add the `noquery` option to the `restrict` access control command specified in /etc/ntp.conf. Red Hat Enterprise Linux 7 is shipped by default with the following setting:

    restrict default nomodify notrap nopeer noquery
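An added example, not part of the original report or of Red Hat's tooling: a Python check of an ntp.conf body for the mitigation above. The function name `audit_restrict` and the sample configuration are constructed for illustration; the check assumes one `restrict` directive per line and counts `ignore` (which drops all packets) as also denying queries.

```python
LOOPBACK = {"127.0.0.1", "::1"}      # localhost may keep query access
DENY_FLAGS = {"noquery", "ignore"}   # either flag rejects ntpdc/ntpq queries

def audit_restrict(conf_text):
    """Audit 'restrict' lines of an ntp.conf body.

    Returns (default_ok, query_allowed):
      default_ok    -- True only if at least one 'restrict default' line
                       exists and every such line denies queries
      query_allowed -- non-loopback addresses whose restrict line still
                       permits queries (should be trusted hosts only)
    """
    defaults, query_allowed = [], []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()        # strip comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        # Drop the address-family selector so the address comes first.
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args:
            continue
        address, flags = args[0], set(args[1:])
        denies = bool(flags & DENY_FLAGS)
        if address == "default":
            defaults.append(denies)
        elif not denies and address not in LOOPBACK:
            query_allowed.append(address)
    return (bool(defaults) and all(defaults), query_allowed)

# Constructed sample: the IPv6 default is missing noquery, and one
# subnet (documentation range 192.0.2.0/24) is granted query access.
SAMPLE = """\
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

if __name__ == "__main__":
    default_ok, query_allowed = audit_restrict(SAMPLE)
    print("default denies queries:", default_ok)
    print("addresses still allowed to query:", query_allowed)
```

A configuration with no `restrict default` line at all is reported as not protected, since nothing then rejects queries from arbitrary hosts.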