Is there any security information about CVE-2013-5211 ?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 4
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • ntp

Issue

  • How to deal with CVE-2013-5211?

  • Why does the monlist feature in NTP allow remote attackers to cause a denial of service (DoS) through traffic amplification?

  • The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.

Resolution

  • This issue does not affect the default configuration of ntp packages shipped with Red Hat Enterprise Linux, which does not allow remote ntpd control queries.

  • Users who change the ntpd access control configuration should review the additional information provided via Bug 1047854 to avoid exposing their systems to this traffic amplification issue.

  • Disable the monitor functionality in ntpd if you had previously changed the default configuration to enable it.

There are two workarounds:

  • Firstly, add noquery to the default restrictions to block all status queries (both mode 6 ntpq control queries and mode 7 ntpdc queries, monlist included; time service itself is unaffected). Add the noquery directive to the restrict default lines in the system's /etc/ntp.conf, as shown below. Keep the per-host lines for 127.0.0.1 and ::1 that the stock configuration already contains, so that ntpq and ntpdc still work from the server itself:
# vi /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
  • Secondly, on a public-facing NTP server that cannot be updated to 4.2.7p26 or later and still has to answer other status queries, use disable monitor. This turns off the client tracking that ntpdc -c monlist reads, so a monlist request returns no client list and there is nothing to amplify, while other status queries keep working:
# vi /etc/ntp.conf
disable monitor
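As an added example (not code from the Red Hat article or from the ntp project), the shell script below audits an ntp.conf for the two workarounds above: it reports EXPOSED when any restrict default line lacks noquery while monitor is still enabled, and shows the weak setting beside both corrected forms using constructed sample configurations. The verdict names, the helper functions and the sample configs are this example's own assumptions; it assumes stock ntp.conf syntax and does not follow includefile directives.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article. Assumes stock ntp.conf
# syntax ("restrict [-4|-6] default ...", "disable monitor") and does not
# follow "includefile" directives.

# audit_ntp_conf_text CONFIG_TEXT -> prints one verdict line:
#   SAFE-NOMONITOR  "disable monitor" present: monlist has no client list to return
#   SAFE-NOQUERY    every "restrict default" line carries noquery (or ignore)
#   EXPOSED         a default restriction still answers mode 7 queries
audit_ntp_conf_text() {
    # Drop comments and blank lines so every grep below sees clean directives.
    body=$(printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d')

    if printf '%s\n' "$body" | grep -E '^[[:space:]]*disable[[:space:]]' | grep -qw monitor; then
        echo SAFE-NOMONITOR
        return 0
    fi

    # Only the default restrictions govern unsolicited Internet traffic; the
    # per-host "restrict 127.0.0.1" / "restrict -6 ::1" lines do not widen exposure.
    defaults=$(printf '%s\n' "$body" \
        | grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' || true)

    # No "restrict default" line at all means ntpd applies no restrictions: exposed.
    if [ -z "$defaults" ]; then
        echo EXPOSED
        return 0
    fi
    # Any default line with neither noquery nor ignore leaves monlist reachable.
    if printf '%s\n' "$defaults" | grep -vw noquery | grep -vw ignore | grep -q .; then
        echo EXPOSED
        return 0
    fi
    echo SAFE-NOQUERY
}

# audit_ntp_conf FILE -> same verdicts, reading the file (e.g. /etc/ntp.conf)
audit_ntp_conf() {
    audit_ntp_conf_text "$(cat "$1")"
}

# Constructed sample configurations (not taken from a real host).
WEAK='driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer   # no noquery: monlist is answered
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict -6 ::1
server 0.rhel.pool.ntp.org'

FIXED_NOQUERY='restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1'

HALF_FIXED='restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer   # IPv6 path still answers'

FIXED_MONITOR='restrict default kod nomodify notrap nopeer
disable monitor'

printf 'WEAK           %s\n' "$(audit_ntp_conf_text "$WEAK")"
printf 'FIXED_NOQUERY  %s\n' "$(audit_ntp_conf_text "$FIXED_NOQUERY")"
printf 'HALF_FIXED     %s\n' "$(audit_ntp_conf_text "$HALF_FIXED")"
printf 'FIXED_MONITOR  %s\n' "$(audit_ntp_conf_text "$FIXED_MONITOR")"
# Against the live file:  audit_ntp_conf /etc/ntp.conf
```

Run it against the live file with audit_ntp_conf /etc/ntp.conf. A fix applied to only one of the restrict default / restrict -6 default lines still reports EXPOSED, because the other address family keeps answering. After either change, restart ntpd (service ntpd restart on RHEL 5 and 6) so the new restrictions take effect.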

References

  1. support.ntp.org

  2. CVE-2013-5211

  3. NVD definition

  4. MITRE dictionary

Root Cause

  • The NTP service supports a monitoring facility that records the most recent clients of the server and their traffic counts. Administrators query this list with the monlist command (ntpdc -c monlist).

  • The basic attack technique consists of an attacker sending a monlist request (REQ_MON_GETLIST or REQ_MON_GETLIST_1) to a vulnerable NTP server, with the source address spoofed to be the victim's address. The request is a single small UDP packet, while the response is the list of recent clients and can span many packets, so the server sends the victim far more traffic than the attacker had to send.

Diagnostic Steps

  • The following commands help verify whether a server currently answers REQ_MON_GETLIST and REQ_MON_GETLIST_1 (mode 7 monlist) requests. The first two only show that the server answers remote mode 6 (ntpq) and mode 7 (ntpdc) queries at all; the third is the direct test. A list of client addresses in its output means the server is exposed, while "Request timed out" means the queries are blocked. The -n option stops ntpdc from doing a reverse DNS lookup for every entry:
 ntpq -c rv <NTP_SERVER>
 ntpdc -c sysinfo <NTP_SERVER>
 ntpdc -n -c monlist <NTP_SERVER>
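Added example, not part of the Red Hat article: a shell wrapper around the three diagnostic commands above that gives each a timeout and turns the monlist output into a verdict, so a scan of many servers does not hang on a filtered host. The verdict names and helper functions are this example's own, as is the assumed monlist output layout (a "remote address ..." header line, a rule of = signs, then one row per client); timeout(1) from coreutils is assumed to be available (RHEL 6, not RHEL 5). The captured outputs embedded below are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article. Assumptions: ntpq/ntpdc from
# the ntp package, coreutils timeout(1), and the classic ntpdc monlist layout
# (a "remote address ..." header, a "====" rule, then one row per client).

# classify_monlist OUTPUT -> EXPOSED | FILTERED | NO-DATA
#   EXPOSED   a client table came back: the server answers monlist and amplifies
#   FILTERED  nothing came back (noquery, a firewall drop, or host unreachable)
#   NO-DATA   the server replied but sent no table (monitor disabled, or an error)
classify_monlist() {
    case "$1" in
        *"remote address"*) echo EXPOSED ;;
        *"timed out"*)      echo FILTERED ;;
        *)                  echo NO-DATA ;;
    esac
}

# count_monlist_entries OUTPUT -> number of client rows below the header
count_monlist_entries() {
    printf '%s\n' "$1" | awk '
        /^remote address/              { hdr = NR }   # header line
        hdr && NR > hdr + 1 && NF >= 6 { n++ }        # rows after the "====" rule
        END                            { print n + 0 }'
}

# answered OUTPUT -> yes | no  (did the server reply to the query at all?)
answered() {
    case "$1" in
        ""|*"timed out"*) echo no ;;
        *)                echo yes ;;
    esac
}

# probe_monlist HOST -> one summary line, e.g.
#   "ntp.example.org mode6=yes mode7=yes monlist=EXPOSED (27 entries)"
# -n keeps ntpdc from doing reverse DNS on every entry, which can stall the run.
probe_monlist() {
    host="$1"
    rv=$(timeout 10 ntpq -c rv "$host" 2>&1 || true)            # mode 6 control query
    sysinfo=$(timeout 10 ntpdc -c sysinfo "$host" 2>&1 || true)  # mode 7, does not amplify
    mon=$(timeout 10 ntpdc -n -c monlist "$host" 2>&1 || true)   # the direct test
    verdict=$(classify_monlist "$mon")
    printf '%s mode6=%s mode7=%s monlist=%s' "$host" \
        "$(answered "$rv")" "$(answered "$sysinfo")" "$verdict"
    if [ "$verdict" = EXPOSED ]; then
        printf ' (%s entries)' "$(count_monlist_entries "$mon")"
    fi
    printf '\n'
}

# Constructed sample outputs (not captured from a real server) for the classifier.
SAMPLE_EXPOSED='remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
 192.0.2.10             123 198.51.100.1          42 3 4      0      3      12
 192.0.2.11           41220 198.51.100.1           1 3 4      0      0       5'

SAMPLE_FILTERED='198.51.100.1: timed out, nothing received
***Request timed out'

printf 'sample exposed : %s (%s entries)\n' \
    "$(classify_monlist "$SAMPLE_EXPOSED")" "$(count_monlist_entries "$SAMPLE_EXPOSED")"
printf 'sample filtered: %s\n' "$(classify_monlist "$SAMPLE_FILTERED")"
# Against a live host:  probe_monlist ntp.example.org
```

A server that shows mode7=yes but monlist=NO-DATA is one where the second workaround (disable monitor) is in place: it still answers sysinfo, but has no client list to amplify with. Only scan hosts you are authorised to test; a monlist probe is itself the request an attacker would send.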

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
