Is there any security information about CVE-2013-5211 ?
Environment
- Red Hat Enterprise Linux 4
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- ntp
Issue
- How to deal with CVE-2013-5211?
- Why does monlist in NTP allow remote attackers to cause a denial of service (DoS attack)?
- The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
Resolution
- This issue does not affect the default configuration of the ntp packages shipped with Red Hat Enterprise Linux, which does not allow remote ntpd control queries (the shipped restrict default lines carry noquery).
- Users who have changed the ntpd access control configuration should review the additional information provided in Bug 1047854 to avoid exposing their systems to this traffic amplification issue.
- If you previously changed the default configuration to enable the monitor functionality in ntpd, disable it again. There are two workarounds:
- First, use noquery in your default restrictions to block all status queries (both the mode 6 queries made by ntpq and the mode 7 queries made by ntpdc, which is what monlist is). Add the noquery directive to every restrict default line in the system's /etc/ntp.conf, the IPv6 line included, as shown below:
# vi /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
- Second, on a public-facing NTP server that cannot be updated to a fixed version (4.2.7p26 or later) and must keep answering other status queries, use disable monitor to turn off the ntpdc -c monlist command while still allowing those queries:
# vi /etc/ntp.conf
disable monitor
- noquery is the preferred workaround where it can be used: it blocks monlist together with every other ntpq/ntpdc query from unauthorised hosts and leaves the monitor subsystem running, whereas disable monitor removes the monitor data entirely (on ntpd versions whose limited/kod rate limiting is built on that monitor list, it turns those limits off as well). Restart ntpd after either change (service ntpd restart) so the new configuration is read, then re-check with the commands in the Diagnostic Steps.
Root Cause
- The NTP service supports a monitoring facility that lets administrators query the server for traffic counts of the clients that recently connected to it (the most recent 600 addresses). This information is returned by the monlist command, i.e. the mode 7 (private) request codes REQ_MON_GETLIST and REQ_MON_GETLIST_1.
- The basic attack technique consists of an attacker sending a monlist request to a vulnerable NTP server with the source address spoofed to be the victim's address. NTP runs over UDP, so the server cannot tell that the request is forged; it sends the whole client list, split over many response packets, to the victim. A single small forged request therefore causes the server to deliver many times that volume of data to the victim, and an attacker can direct many open servers at one target at once.
Diagnostic Steps
- The following commands help verify whether REQ_MON_GETLIST and REQ_MON_GETLIST_1 responses are currently enabled on a server. Run them from a host outside the networks the server trusts, since restrict rules are applied per source address:
ntpq -c rv <NTP_SERVER>
ntpdc -c sysinfo <NTP_SERVER>
ntpdc -n -c monlist <NTP_SERVER>
- ntpq sends mode 6 (control) queries and ntpdc sends mode 7 (private) queries, so only the last command exercises monlist itself. If it prints a table of client addresses, the server is exposed. If the request times out (noquery in effect) or ntpdc reports that the server has no data (disable monitor in effect), the workaround is active. The ntp-monlist NSE script shipped with nmap (nmap -sU -p 123 --script ntp-monlist <NTP_SERVER>) performs the same probe.
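The following is an added example, not part of the Red Hat solution and not code from Red Hat or the ntp project. It covers the two workarounds in the Resolution and the monlist probe in the Diagnostic Steps: a POSIX sh/awk audit that reads an ntp.conf and reports whether noquery is present on every restrict default line or disable monitor is set, and a classifier for saved ntpdc -n -c monlist output that reports whether the server returned a client table. The configuration snippets and the ntpdc output in the block are constructed samples (addresses are from documentation ranges); because the exact ntpdc error text on a mitigated server varies by version, the classifier keys only on the presence of a client table, not on a particular error message.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution. Two helpers:
#   ntp_monlist_exposed     - reads an ntp.conf on stdin and reports whether
#                             either CVE-2013-5211 workaround (noquery on every
#                             "restrict default" line, or "disable monitor")
#                             is in place
#   monlist_probe_answered  - reads saved "ntpdc -n -c monlist" output on stdin
#                             and reports whether the server sent a client table
# The configuration snippets and ntpdc output below are constructed samples.

# Returns 0 (true) when ntpd would still answer REQ_MON_GETLIST /
# REQ_MON_GETLIST_1 from arbitrary hosts, 1 when a workaround is active.
# Prints a one-line verdict naming the reason.
ntp_monlist_exposed() {
    awk '
    { sub(/#.*/, "") }                          # strip comments; re-splits $0
    $1 == "disable" {                           # "disable monitor" (second workaround)
        for (i = 2; i <= NF; i++) if ($i == "monitor") dis = 1
    }
    $1 == "restrict" && ($2 == "default" ||
                         (($2 == "-4" || $2 == "-6") && $3 == "default")) {
        ndef++                                  # one default line per address family
        for (i = 2; i <= NF; i++)
            if ($i == "noquery" || $i == "ignore") { nblk++; break }
    }
    END {
        if (dis)         { print "mitigated: disable monitor";                    exit 1 }
        if (ndef == 0)   { print "exposed: no restrict default line";             exit 0 }
        if (nblk < ndef) { print "exposed: a restrict default line lacks noquery"; exit 0 }
        print "mitigated: noquery on every restrict default line";                exit 1
    }'
}

# Returns 0 when the probe output contains a monlist table with at least one
# client row, 1 when ntpdc printed a timeout or error message instead.
monlist_probe_answered() {
    awk '
    /^remote address/ { hdr = 1; next }         # column header of the table
    hdr && /^=+$/     { next }                  # separator line under the header
    hdr && NF >= 6    { rows++ }                # remote, port, local, count, m, ver, ...
    END { exit (rows > 0 ? 0 : 1) }'
}

# --- constructed samples ---------------------------------------------------
WEAK_CONF='# monitor enabled, mode 7 queries allowed from anywhere
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer'

PARTIAL_CONF='# IPv4 default line fixed, IPv6 default line still answers
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer'

FIXED_CONF='# both workarounds from the article
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
disable monitor'

PROBE_OPEN='remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
192.0.2.10               123 198.51.100.5           2 3   4    1d0      5      12
192.0.2.11               123 198.51.100.5           9 3   4    1d0     64       3'

PROBE_CLOSED='***Request timed out'

printf '%s\n' "$WEAK_CONF"    | ntp_monlist_exposed || true
printf '%s\n' "$PARTIAL_CONF" | ntp_monlist_exposed || true
printf '%s\n' "$FIXED_CONF"   | ntp_monlist_exposed || true
if printf '%s\n' "$PROBE_OPEN" | monlist_probe_answered; then
    echo "probe: server answered monlist (exposed)"
fi
if ! printf '%s\n' "$PROBE_CLOSED" | monlist_probe_answered; then
    echo "probe: no monlist table in reply (workaround active or blocked)"
fi
```

Against a real system the two helpers are used as `ntp_monlist_exposed < /etc/ntp.conf` and `ntpdc -n -c monlist <NTP_SERVER> | monlist_probe_answered`. The audit deliberately treats a missing restrict default line as exposed, since ntpd without any restrict directive answers every query, and it flags the IPv6 line separately because a noquery added only to the IPv4 line leaves the server open over IPv6.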
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.