Bug 33833 - ntp: Denial of service (3.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.0
Hardware: Other Linux
Importance: P3 normal
Target Milestone: UCS 3.1-1-errata
Assigned To: Janek Walkenhorst
QA Contact: Moritz Muehlenhoff
Reported: 2014-01-02 14:35 CET by Moritz Muehlenhoff
Modified: 2014-01-15 11:52 CET (History)

Description Moritz Muehlenhoff univentionstaff 2014-01-02 14:35:14 CET
CVE-2013-5211

https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks

The default ntp.conf contains "noquery" which disables the monlist function and renders this issue moot.

Maybe we should amend the UCR template for ntp.conf with this statement. The upstream fix is rather invasive. This needs some further investigation.
Comment 1 Janek Walkenhorst univentionstaff 2014-01-06 13:16:51 CET
(In reply to Moritz Muehlenhoff from comment #0)
> Maybe we should amend the UCR template for ntp.conf with this statement. The
> upstream fix is rather invasive. This needs some further investigation.
We should: The template configuration replies to "monlist" queries and is thus vulnerable to misuse.
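The "monlist" misuse described in the report and in comment 1, as an added example that is not code from this bug report, from Univention or from ntpd: it builds the mode-7 MON_GETLIST_1 probe that CVE-2013-5211 reflectors answer, decodes the 8-byte mode-7 header of the replies, estimates the amplification a responding server gives an attacker, and shows which request modes a "restrict ... noquery" line refuses. The packet layout follows ntpd's req_pkt/resp_pkt structures; the 8-byte header-only probe, the 72-byte item size and the reply packets used for the offline check are constructed assumptions, and `probe_monlist` is a hypothetical helper for hosts you are authorised to test.

```python
import socket
import struct
import sys

# Added example, not code from the Univention bug or from ntpd.
# Mode-7 header (ntp_request.h): rm_vn_mode | auth_seq | implementation |
# request | err(4)+nitems(12) | mbz(4)+itemsize(12), then the data area.

NTP_PORT = 123
MODE_CLIENT = 3        # ordinary time request: ntpdate, w32time, ntpd peers
MODE_CONTROL = 6       # ntpq
MODE_PRIVATE = 7       # ntpdc, including monlist
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
RESP_HDR_SIZE = 8


def build_monlist_request(sequence: int = 0) -> bytes:
    """8-byte mode-7 request: R=0 M=0 VN=2 mode=7, impl XNTPD, code 42 (assumed probe form)."""
    rm_vn_mode = (2 << 3) | MODE_PRIVATE                     # 0x17
    return bytes([rm_vn_mode, sequence & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                  0, 0, 0, 0])                               # err/nitems, mbz/itemsize


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the 8-byte mode-7 header shared by requests and replies."""
    if len(pkt) < RESP_HDR_SIZE:
        raise ValueError("mode-7 packet shorter than its 8-byte header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", pkt[:RESP_HDR_SIZE])
    return {
        "response": bool(rm_vn_mode & 0x80),    # R bit: this is a reply
        "more": bool(rm_vn_mode & 0x40),        # M bit: further packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "err": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
        "data_len": len(pkt) - RESP_HDR_SIZE,
    }


def build_mode7_response(nitems: int, more: bool, itemsize: int = 72,
                         sequence: int = 0) -> bytes:
    """Constructed reply packet for offline testing; the data area is zero-filled."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", rm_vn_mode, sequence & 0x7F, IMPL_XNTPD,
                      REQ_MON_GETLIST_1, nitems & 0x0FFF, itemsize & 0x0FFF)
    return hdr + b"\x00" * (nitems * itemsize)


def amplification_factor(request: bytes, responses) -> float:
    """Bytes the server sends to the (spoofed) source per byte the attacker sent."""
    return sum(len(r) for r in responses) / len(request)


def noquery_blocks(pkt: bytes) -> bool:
    """True if a 'restrict ... noquery' rule refuses this packet.

    noquery drops ntpq (mode 6) and ntpdc (mode 7) queries only; mode-3
    client time requests are still served, so ntpdate and Windows clients
    keep working after the change."""
    return (pkt[0] & 0x07) in (MODE_CONTROL, MODE_PRIVATE)


def probe_monlist(host: str, timeout: float = 2.0):
    """Hypothetical helper: send one probe and collect the reply packets."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_monlist_request(), (host, NTP_PORT))
        try:
            while True:
                pkt, _ = s.recvfrom(1024)
                replies.append(pkt)
                if not parse_mode7_header(pkt)["more"]:
                    break
        except socket.timeout:
            pass      # a noquery host never answers; an empty list is the good outcome
    return replies


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    got = probe_monlist(host)
    if not got:
        print(f"{host}: no monlist reply (restricted or filtered)")
    else:
        entries = sum(parse_mode7_header(r)["nitems"] for r in got)
        print(f"{host}: {len(got)} reply packets, {entries} monlist entries, "
              f"amplification x{amplification_factor(build_monlist_request(), got):.0f}")
```

Run it against a host you own before and after restricting queries: a server that still answers returns a chain of reply packets with the M bit set, each several hundred bytes for an 8-byte request, which is the amplification the attack relies on; a restricted server returns nothing.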
Comment 2 Janek Walkenhorst univentionstaff 2014-01-09 19:42:18 CET
[Advisory: 2014-01-09-univention-base-files.yaml]
NTP servers reachable from the public internet that respond to the "monlist" query can be used to facilitate DDoS attacks. (CVE-2013-5211)
This update adds the UCR variable "ntp/noquery" which can be set to "true" to disable most queries including the "monlist" function and thus mitigates this issue.
It is recommended to set this UCRV on any UCS system that exposes the NTP service to the internet.

New version of univention-base-files built.
Tests (amd64): OK
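An offline audit of the restrict lines that decide whether the advisory's mitigation is in place, as an added example that is neither the UCS ntp.conf template nor Univention's code: it lists the address ranges from which ntpq/ntpdc queries (monlist included) are still accepted, and shows one way of adding the "noquery" flag that corresponds to the effect the advisory describes for ntp/noquery=true. Both sample configurations are constructed for the example, and how the real UCR template renders the variable is not assumed.

```python
from typing import List, Tuple

# Added example, not the UCS template or Univention's code.
# Only loopback is allowed to keep querying; everything else must carry
# "noquery" (or "ignore") or it remains a monlist reflector.

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
QUERY_STOPPERS = {"noquery", "ignore"}

# Constructed sample: a template that answers mode-7 queries from anywhere.
WEAK_CONF = """\
# constructed sample ntp.conf (vulnerable)
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
restrict 127.0.0.1
restrict ::1
"""

# Constructed sample: the same template with queries refused by default.
HARDENED_CONF = WEAK_CONF.replace("nopeer\n", "nopeer noquery\n")


def parse_restrict_lines(conf: str) -> List[Tuple[str, List[str]]]:
    """Return (target, flags) per restrict line; -4/-6 and 'mask X' are folded away."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        parts = line.split()[1:]
        while parts and parts[0] in ("-4", "-6"):
            parts.pop(0)
        if not parts:
            continue
        target, flags = parts[0], parts[1:]
        if "mask" in flags:                     # drop "mask" and its netmask value
            i = flags.index("mask")
            del flags[i:i + 2]
        rules.append((target, flags))
    return rules


def queries_exposed(conf: str) -> List[str]:
    """Non-loopback targets from which ntpq/ntpdc queries are still accepted.

    A missing 'restrict default' line means ntpd allows everything, so it is
    reported as 'default' too."""
    exposed: List[str] = []
    has_default = False
    for target, flags in parse_restrict_lines(conf):
        has_default |= target == "default"
        if target in LOOPBACK or QUERY_STOPPERS & set(flags):
            continue
        if target not in exposed:
            exposed.append(target)
    if not has_default and "default" not in exposed:
        exposed.append("default")
    return exposed


def add_noquery(conf: str) -> str:
    """Append 'noquery' to every exposed restrict line; add a default rule if none.

    One way to get the effect the advisory attributes to ntp/noquery=true,
    not a claim about how the UCS template implements it."""
    out = []
    has_default = False
    for raw in conf.splitlines():
        code = raw.split("#", 1)[0]
        rules = parse_restrict_lines(code)
        if rules:
            target, flags = rules[0]
            has_default |= target == "default"
            if target not in LOOPBACK and not (QUERY_STOPPERS & set(flags)):
                comment = raw[len(code):]
                raw = code.rstrip() + " noquery" + (" " + comment if comment else "")
        out.append(raw)
    if not has_default:
        out.append("restrict default noquery")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: queries accepted from {queries_exposed(conf) or 'loopback only'}")
    print(add_noquery(WEAK_CONF))
```

Point the audit at a live file with `queries_exposed(open("/etc/ntp.conf").read())` after setting the variable and restarting ntpd; an empty list means only loopback can run ntpq/ntpdc, which is the state the advisory recommends for internet-facing systems.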
Comment 3 Moritz Muehlenhoff univentionstaff 2014-01-10 08:17:06 CET
The variable itself works fine (tested with ntpdc -c sysstats IPADDRESS)

I've discussed the default with Stefan and we should enable the new behaviour for all new installations, while retaining the old standard for updated systems:

# postinst sketch: $1 is the maintainer-script action, $2 the previously
# installed version (empty on a fresh install, set on an upgrade);
# "enable"/"disable" stand for setting or leaving the new ntp/noquery default
if [ "$1" = configure -a -z "$2" ]; then
    enable     # new installation: new behaviour
else
    disable    # upgraded system: keep the old standard
fi
Comment 4 Moritz Muehlenhoff univentionstaff 2014-01-10 11:05:54 CET
(In reply to Moritz Muehlenhoff from comment #3)
> The variable itself works fine (tested with ntpdc -c sysstats IPADDRESS)
> 
> I've discussed the default with Stefan and we should enable the new
> behaviour for all new installations, while retaining the old standard for
> updated systems:

3.1 is fine, though, since we don't provide updated 3.1 installation DVDs any more.
Comment 5 Moritz Muehlenhoff univentionstaff 2014-01-14 14:16:45 CET
The UCR variable is unset after the installation and activating it properly disables monlist. Tests with ntpdate and a Windows 7 client joined into Samba 4 were successful.

I've updated the YAML file to explain the change further. It also documents the needed restart of the NTP service.
Comment 6 Moritz Muehlenhoff univentionstaff 2014-01-15 11:52:33 CET
http://errata.univention.de/ucs/3.1/208.html