Bug 1805392 (CVE-2014-5209) - CVE-2014-5209 ntp: Information Disclosure vulnerability via GET_RESTRICT control message
Summary: CVE-2014-5209 ntp: Information Disclosure vulnerability via GET_RESTRICT cont...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-5209
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1790330
TreeView+ depends on / blocked
 
Reported: 2020-02-20 17:31 UTC by Pedro Sampaio
Modified: 2020-02-25 15:30 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered where an information disclosure is present in the Network Time Protocol (NTP) through the GET_RESTRICT control message, which can be sent with the reslist command of the ntpdc tool. An attacker can use this message to obtain sensitive information such as internal IP addresses and NTP’s configuration settings.
Clone Of:
Environment:
Last Closed: 2020-02-24 15:50:04 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2020-02-20 17:31:07 UTC
An Information Disclosure vulnerability exists in NTP 4.2.7p25 private (mode 6/7) messages via a GET_RESTRICT control message, which could let a malicious user obtain sensitive information.

References:

https://blog.rapid7.com/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks/

Comment 3 Riccardo Schirone 2020-02-24 15:25:36 UTC
The ntp packages as shipped with Red Hat Enterprise Linux are not affected by this issue in their default configuration.  The configuration defines the following default restrictions:

  restrict default nomodify notrap nopeer noquery
  restrict -6 default nomodify notrap nopeer noquery

These restrictions include 'noquery', which causes NTP daemon control command queries, including 'reslist' specifically pointed out by this CVE, to be rejected.  The query access is only allowed from localhost in the default configuration.

Users are discouraged from allowing query by default, query access can be granted to specific hosts if needed (using 'restrict' access control command). Users who do not disable these queries are encouraged to review their configuration and enable restrictions to reduce the risk of future attacks using this or other commands.

Comment 4 Riccardo Schirone 2020-02-24 15:30:16 UTC
Reference:
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=4eae26a46gF81Tr6RRrYnf6jWhVo0g

There is no real fix for this issue, as this is mostly a configuration problem. You should not allow all hosts to perform mode7 queries to your ntp server. Upstream has chosen to disable mode 7 by default. Red Hat Enterprise Linux, as already noted in comment 3, disables these kind of queries by using the `restrict noquery` option.

Comment 5 Riccardo Schirone 2020-02-24 15:34:16 UTC
The GET_RESTRICT control message, that is generated by doing e.g. ntpdc -c reslit <host>, reports the server's restriction list. This may be considered sensitive information as it may contain internal IP addresses or give details about the ntp server configuration.

Comment 6 Product Security DevOps Team 2020-02-24 15:50:04 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2014-5209

Comment 8 Riccardo Schirone 2020-02-24 16:13:51 UTC
Statement:

This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, 7 in their default configurations. Red Hat Enterprise Linux uses the `restrict noquery` option by default, which denies ntpdc queries. No proper fix is available for this issue upstream, apart from disabling these kind of queries by default or denying them through the `restrict` access control command specified in /etc/ntp.conf. Users are adviced to use `noquery` in their configurations and allow them only from a trusted set of network addresses.

Comment 9 Riccardo Schirone 2020-02-24 16:13:53 UTC
Mitigation:

If not already present, add `noquery` option to the `restrict` access control command specified in /etc/ntp.conf. Red Hat Enterprise Linux 7 is shipped by default with the following setting:

   restrict default nomodify notrap nopeer noquery


Note You need to log in before you can comment on or make changes to this bug.