SecurityTracker.com
Category:   OS (UNIX)  >   NetBSD
Vendors:   NetBSD
NetBSD ntpd Query Function Lets Remote Users Conduct Amplified Denial of Service Attacks
SecurityTracker Alert ID:  1029565
SecurityTracker URL:  http://securitytracker.com/id/1029565
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 8 2014
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.1, 5.2, 6.0, 6.1
Description:   A vulnerability was reported in NetBSD. A remote user can conduct amplified denial of service attacks.

A remote user can exploit an administrative query function (monlist) in ntpd to amplify distributed denial of service (DDoS) attacks against other sites.

Erik Fair reported this vulnerability.

Impact:   A remote user can conduct amplified denial of service attacks against other sites.
Solution:   The vendor has issued a fix that removes the vulnerable function.

The vendor's advisory is available at:

http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-002.txt.asc

Vendor URL:  ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-002.txt.asc
Cause:   Not specified

Message History:   None.


 Source Message Contents

Subject:  NetBSD Security Advisory 2014-002: ntpd used as DDoS amplifier

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2014-002
		=================================

Topic:		ntpd used as DDoS amplifier


Version:	NetBSD-current:		source prior to Dec 27th, 2013
		NetBSD 6.1:		affected
		NetBSD 6.0 - 6.0.2:	affected
		NetBSD 5.1 - 5.1.2:	affected
		NetBSD 5.2:		affected

Severity:	DDoS participation

Fixed:		NetBSD-current:		Dec 27th, 2013
		NetBSD-6-0 branch:	Jan 6th, 2014
		NetBSD-6-1 branch:	Jan 6th, 2014
		NetBSD-6 branch:	Jan 6th, 2014
		NetBSD-5-2 branch:	Jan 6th, 2014
		NetBSD-5-1 branch:	Jan 6th, 2014
		NetBSD-5 branch:	Jan 6th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An administrative query function is getting used by
attackers to use ntp servers as traffic amplifiers.
The new version no longer offers this query option.


Technical Details
=================

The monlist function, which is available in ntp prior to 4.2.7 to
requestors who are allowed to 'query', yields potentially sizeable
traffic in response to a small query packet, and can thus get used
for amplification attacks.


Solutions and Workarounds
=========================

Workaround:
in ntp.conf, setting 'restrict default noquery' will prevent
amplification to random targets (the remaining targets would
be those allowed to query by their own restrict entries).

Note that this setting does not disallow time synchronization,
but instead querying for the list of peers and other administrative
and informative data. See /usr/share/doc/html/ntp/accopt.html
for information on ntpd access control configuration options.

Solution:
Updating the ntpd binary so it no longer offers the abused function,
as well as updating ntp.conf so it offers less attack surface.

ntpd source: update to
HEAD		src/external/bsd/ntp/dist/ntpd/ntp_request.c
netbsd-6	src/external/bsd/ntp/dist/ntpd/ntp_request.c 1.7.2.1
netbsd-6-1	src/external/bsd/ntp/dist/ntpd/ntp_request.c 1.7.16.1
netbsd-6-0	src/external/bsd/ntp/dist/ntpd/ntp_request.c 1.7.8.1
netbsd-5	src/dist/ntp/ntpd/ntp_request.c 1.8.4.2
netbsd-5-2	src/dist/ntp/ntpd/ntp_request.c 1.8.4.1.6.1
netbsd-5-1	src/dist/ntp/ntpd/ntp_request.c 1.8.4.1.2.1

default configuration file update:
HEAD		src/etc/ntp.conf 1.18
netbsd-6	src/etc/ntp.conf 1.14.2.1
netbsd-6-1	src/etc/ntp.conf 1.14.16.1
netbsd-6-0	src/etc/ntp.conf 1.14.8.1
netbsd-5	src/etc/ntp.conf 1.9.20.1
netbsd-5-2	src/etc/ntp.conf 1.9.36.1
netbsd-5-1	src/etc/ntp.conf 1.9.28.1


Thanks To
=========

Thanks to Erik Fair for bringing the issue to our attention and
suggesting a fix.


Revision History
================

	2014-01-07	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-002.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)

-----END PGP SIGNATURE-----
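
The advisory's workaround leaves query access only to hosts with their own restrict entries. The following is an added example, not part of the NetBSD advisory or of ntpd: an ntp.conf check that reports whether the default entry blocks queries and which entries can still query. The sample configurations and names are constructed, and it assumes a family is closed once any default line for it carries noquery or ignore.

```python
QUERY_BLOCKING = {"noquery", "ignore"}   # flags that stop monlist-style queries
FAMILIES = {"-4": ["IPv4"], "-6": ["IPv6"], "": ["IPv4", "IPv6"]}

def parse_restrict(conf_text):
    """Return (family, target, flags) for every 'restrict' line."""
    entries = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments
        if len(words) < 2 or words[0] != "restrict":
            continue
        args = words[1:]
        family = args.pop(0) if args[0] in ("-4", "-6") else ""
        if not args:
            continue
        target = args.pop(0)
        if len(args) >= 2 and args[0] == "mask":
            target = f"{target}/{args[1]}"
            args = args[2:]
        entries.append((family, target, set(args)))
    return entries

def audit(conf_text):
    """Report open default families and entries still allowed to query."""
    closed, query_allowed = set(), []
    for family, target, flags in parse_restrict(conf_text):
        blocks = bool(flags & QUERY_BLOCKING)
        if target == "default":
            if blocks:                             # assumption: any blocking
                closed.update(FAMILIES[family])    # default line closes family
        elif not blocks:
            query_allowed.append(target)           # the "remaining targets"
    return {"default_open": [f for f in ("IPv4", "IPv6") if f not in closed],
            "query_allowed": query_allowed}

# Constructed sample configurations (not NetBSD's shipped ntp.conf).
WEAK = """server ntp.example.org
restrict default nomodify notrap
restrict 127.0.0.1
"""
HARDENED = """server ntp.example.org
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap   # admin subnet
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```

A non-empty default_open list means arbitrary sources can still query for that address family; every entry in query_allowed should be a host or subnet that is meant to have administrative query access.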
 
 



Copyright 2021, SecurityGlobal.net LLC