Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5211 to the following vulnerability:

Name: CVE-2013-5211
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
Assigned: 20130815
Reference: http://openwall.com/lists/oss-security/2013/12/30/6
Reference: http://openwall.com/lists/oss-security/2013/12/30/7
Reference: http://lists.ntp.org/pipermail/pool/2011-December/005616.html
Reference: http://bugs.ntp.org/show_bug.cgi?id=1532
Reference: http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ntp-dev-4.2.7p26.tar.gz

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1047855]
The default ntp.conf included in our ntp packages has noquery in the default restrict line, which blocks the monlist command.
Further to what Miroslav noted in comment #3, this can be verified by checking that the following are set in /etc/ntp.conf, which is the default in Red Hat Enterprise Linux and Fedora:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

External References:

https://www.us-cert.gov/ncas/alerts/TA14-013A
Note also that this is corrected in the upstream 4.2.7p26 version, by the removal of the monlist command, as noted in the Changelog [1]:

* [Bug 1532] Remove ntpd support for ntpdc's monlist in favor of ntpq's mrulist.

[1] http://archive.ntp.org/ntp4/ChangeLog-dev

The diff between 4.2.7p25 and 4.2.7p26 is not insignificant, however, and there's quite a few unrelated changes in p26 as well. I am unsure what upstream plans to do (if anything) about the stable 4.2.6 version.
(In reply to Vincent Danen from comment #7)
> The diff between 4.2.7p25 and 4.2.7p26 is not insignificant, however, and
> there's quite a few unrelated changes in p26 as well.

This should be better, as it's a link to the relevant upstream bk commit:
http://bk.ntp.org/ntp-dev/?PAGE=patch&REV=4bd01f89Yo9e2iweK89Ds0L52SCxGw

Upstream security page has a note for this issue now:
http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
The ntp packages as shipped with Red Hat Enterprise Linux are not affected by this issue in their default configuration. The configuration defines the following default restrictions:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

These restrictions include 'noquery', which causes NTP daemon control command queries, including the 'monlist' query specifically pointed out by this CVE, to be rejected. Query access is only allowed from localhost in the default configuration. Users are discouraged from allowing queries by default; query access can be granted to specific hosts if needed (using the 'restrict' access control command). Alternatively, users can disable the monitor functionality using the 'disable monitor' command in /etc/ntp.conf. Note that use of the 'restrict' command with the 'limited' flag also enables monitor functionality even when the 'disable monitor' command is used.

The upstream fix implemented in version 4.2.7p26 is the removal of support for the 'monlist' ntpdc command and the introduction of a replacement 'mrulist' ntpq command, for which additional verification is done to avoid request packet source address spoofing and to limit the size of responses. Note that version 4.2.7 is still the development version upstream. The latest production release is 4.2.6, which does not include the above fix. Additionally, the fix in 4.2.7p26 only addresses the 'monlist' command, which has the highest amplification ratio. Other ntpdc (NTP mode 7) and ntpq (NTP mode 6) commands may be used in the future for amplification attacks with a lower amplification ratio. Users who do not disable these queries are encouraged to review their configuration and enable restrictions to reduce the risk of future attacks using other commands.

Red Hat currently does not plan to modify ntp packages in released versions of Red Hat Enterprise Linux to remove monlist support.
Future updates may change the default configuration to use 'disable monitor' in addition to 'restrict default noquery'. For additional information on various ntp configuration commands, refer to the following manual pages: ntp_acc(5), ntp_misc(5), ntpdc(8) and ntpq(8).
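An added audit script (not from the bug report or the ntp project) that applies the checks described in this comment to an ntp.conf: every "restrict default" / "restrict -6 default" line must carry noquery, and it reports "disable monitor" together with the "limited" caveat. The two config samples are constructed for illustration.

```shell
# Exit status 0 = remote control queries blocked on the default restrict
# lines. Reads the config on stdin, e.g.: audit_ntp_conf < /etc/ntp.conf
audit_ntp_conf() {
    awk '
        # drop comments and leading whitespace before matching
        { sub(/#.*/, ""); sub(/^[[:space:]]+/, "") }
        /^restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)/ {
            ndefault++
            if ($0 !~ /[[:space:]]noquery([[:space:]]|$)/) {
                print "WARN: default restrict line lacks noquery: " $0; bad = 1
            }
        }
        /^disable[[:space:]]+monitor([[:space:]]|$)/ { dismon = 1 }
        /^restrict[[:space:]]/ && /[[:space:]]limited([[:space:]]|$)/ { limited = 1 }
        END {
            if (ndefault == 0) { print "WARN: no \"restrict default\" line; queries are open"; bad = 1 }
            if (dismon) print "INFO: disable monitor is set"
            if (dismon && limited) print "NOTE: a restrict ... limited line re-enables monitor"
            exit bad
        }'
}

# Convenience wrapper so a config held in a variable can be audited.
check_conf_string() {
    printf '%s\n' "$1" | audit_ntp_conf
}

# Constructed sample: the RHEL/Fedora default quoted in this comment.
SAFE_CONF='restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.ntp.org iburst'

# Constructed sample: noquery dropped from the IPv4 default line.
OPEN_CONF='restrict default kod nomodify notrap nopeer   # oops
restrict -6 default kod nomodify notrap nopeer noquery
server 0.pool.ntp.org iburst'

for name in SAFE_CONF OPEN_CONF; do
    eval "conf=\$$name"
    if check_conf_string "$conf"; then echo "$name: default queries blocked"
    else echo "$name: EXPOSED to mode 7 monlist queries"; fi
done
```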
Statement: This issue does not affect the default configuration of ntp packages shipped with Red Hat Enterprise Linux, which does not allow remote ntpd control queries. Users changing the ntpd access control configuration should consider reviewing the additional information provided via https://bugzilla.redhat.com/show_bug.cgi?id=1047854#c27 to avoid exposing their systems to this traffic amplification issue.