Univention Bugzilla – Bug 33833
ntp: Denial of service (3.1)
Last modified: 2014-01-15 11:52:33 CET
CVE-2013-5211 https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks

The default ntp.conf contains "noquery", which disables the monlist function and renders this issue moot. Maybe we should amend the UCR template for ntp.conf with this statement. The upstream fix is rather invasive. This needs some further investigation.
(In reply to Moritz Muehlenhoff from comment #0)
> Maybe we should amend the UCR template for ntp.conf with this statement. The
> upstream fix is rather invasive. This needs some further investigation.

We should: the template configuration replies to "monlist" queries and is thus vulnerable to misuse.
[Advisory: 2014-01-09-univention-base-files.yaml]
NTP servers reachable from the public internet that respond to the "monlist" query can be used to facilitate DDoS attacks (CVE-2013-5211). This update adds the UCR variable "ntp/noquery", which can be set to "true" to disable most queries, including the "monlist" function, and thus mitigates this issue. It is recommended to set this UCRV on any UCS system that exposes the NTP service to the internet.

New version of univention-base-files built. Tests (amd64): OK
The variable itself works fine (tested with ntpdc -c sysstats IPADDRESS).

I've discussed the default with Stefan and we should enable the new behaviour for all new installations, while retaining the old standard for updated systems:

    if [ "$1" = configure -a -z "$2" ]; then
        enable    # fresh install: dpkg passes no previously installed version in $2
    else
        disable   # upgrade: keep the old default
    fi
(In reply to Moritz Muehlenhoff from comment #3)
> The variable itself works fine (tested with ntpdc -c sysstats IPADDRESS)
>
> I've discussed the default with Stefan and we should enable the new
> behaviour for all new installations, while retaining the old standard for
> updated systems:

3.1 is fine, though, since we don't provide updated 3.1 installation DVDs any more.
The UCR variable is unset after the installation, and activating it properly disables monlist. Tests with ntpdate and a Windows 7 client joined into Samba 4 were successful. I've updated the YAML file to explain the change further. It also documents the needed restart of the NTP service.
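The verification the comments above describe by hand (does the server still answer the "monlist" query once ntp/noquery is set?) can be scripted. The following is an added example, not code from this bug report, from Univention or from the ntp project: it builds the same 8-byte mode-7 request that `ntpdc -c monlist` sends, decodes the reply header, and treats a timeout as the expected result after the mitigation, because "noquery" makes ntpd drop the request rather than answer it. The target host name is an assumption for illustration; the packet layout follows ntp's ntp_request.h.

```python
"""Added example (not Univention's or the ntp project's code): probe an NTP
server for the mode-7 "monlist" reply abused in CVE-2013-5211 reflection.
A server running with "noquery" (what the ntp/noquery UCR variable is meant
to enable) silently drops the request, so a timeout means "mitigated"."""
import socket
import struct

# ntpd private-mode (mode 7) constants from ntp_request.h
NTP_MODE_PRIVATE = 7
NTP_VERSION = 2          # ntpdc marks its mode 7 packets as version 2
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42   # the "monlist" request code


def build_monlist_probe() -> bytes:
    """Build the 8-byte request that `ntpdc -c monlist` sends."""
    # byte 0: response(1) more(1) version(3) mode(3) -> 0x17 for v2, mode 7
    first = (NTP_VERSION << 3) | NTP_MODE_PRIVATE
    # byte 1: auth bit + sequence (0), byte 2: implementation,
    # byte 3: request code, then err/nitems and mbz/size, all zero
    return struct.pack("!BBBBHH", first, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_reply(pkt: bytes) -> dict:
    """Decode a mode-7 reply header; raise ValueError if it is not one."""
    if len(pkt) < 8:
        raise ValueError("too short for a mode 7 header")
    first, _seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    if (first & 0x07) != NTP_MODE_PRIVATE or not (first & 0x80):
        raise ValueError("not a mode 7 response")
    return {
        "more": bool(first & 0x40),          # more packets follow
        "implementation": impl,
        "request_code": req,
        "error": err_nitems >> 12,           # 0 = OK, non-zero = error code
        "nitems": err_nitems & 0x0FFF,       # entries carried in this packet
        "item_size": mbz_size & 0x0FFF,      # bytes per entry
    }


def server_answers_monlist(host: str, port: int = 123, timeout: float = 2.0) -> bool:
    """Send one probe; True means the server still serves monlist data."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_monlist_probe(), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except OSError:
            # timeout (request dropped by "noquery") or port unreachable:
            # either way nothing usable for amplification comes back
            return False
    try:
        reply = parse_monlist_reply(data)
    except ValueError:
        return False
    # an error reply is still a reply, but only one carrying entries is
    # the large answer an attacker can reflect at a spoofed source
    return reply["error"] == 0 and reply["nitems"] > 0


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ntp.example.invalid"  # assumed host
    print("monlist exposed on %s: %s" % (target, server_answers_monlist(target)))
```

Run it against a UCS system before and after setting ntp/noquery=true and restarting ntpd: the first run should report True, the second False. An error reply (for example error code 3, "no data") is decoded but not counted as exposure, since it carries nothing to amplify.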
http://errata.univention.de/ucs/3.1/208.html