Bug 33834 - ntp: Denial of service (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.0
Hardware: Other Linux
Importance: P3 normal
Target Milestone: UCS 3.2-0-errata
Assigned To: Janek Walkenhorst
QA Contact: Moritz Muehlenhoff
Reported: 2014-01-02 14:35 CET by Moritz Muehlenhoff
Modified: 2014-01-15 11:53 CET (History)
Description Moritz Muehlenhoff univentionstaff 2014-01-02 14:35:33 CET
+++ This bug was initially created as a clone of Bug #33833 +++

CVE-2013-5211

https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks

The default ntp.conf contains "noquery", which disables the monlist function and renders this issue moot.

Maybe we should amend the UCR template for ntp.conf with this statement. The upstream fix is rather invasive. This needs some further investigation.
Comment 1 Janek Walkenhorst univentionstaff 2014-01-09 19:42:22 CET
[Advisory: 2014-01-09-univention-base-files.yaml]
NTP servers reachable from the public internet that respond to the "monlist" query can be used to facilitate DDoS attacks. (CVE-2013-5211)
This update adds the UCR variable "ntp/noquery" which can be set to "true" to disable most queries including the "monlist" function and thus mitigates this issue.
It is recommended to set this UCRV on any UCS system that exposes the NTP service to the internet.

New version of univention-base-files built.
Tests (amd64):
 NTP: OK
 Windows MSSNTP: OK
Comment 2 Moritz Muehlenhoff univentionstaff 2014-01-10 08:17:14 CET
The variable itself works fine (tested with ntpdc -c sysstats IPADDRESS)

I've discussed the default with Stefan and we should enable the new behaviour for all new installations, while retaining the old standard for updated systems:

if [ "$1" = configure -a -z "$2" ]; then   # "configure" with no previous version: fresh installation
    enable                                # placeholder: set ntp/noquery to true
else
    disable                               # placeholder: upgrade or other action, keep the previous behaviour
fi
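The mitigation from comment 1 and the default rule from comment 2, carried through end to end as an added example (this is not code from the bug report or from the univention-base-files package): the dpkg maintainer-script arguments decide the default for ntp/noquery, that value decides whether the "restrict ... default" lines carry "noquery", and an audit step confirms that the rendered ntp.conf no longer answers monlist. The restrict-line layout and the other flags are assumptions, since the page does not show the UCR template; the sample configs and the old version string are constructed.

```shell
#!/bin/sh
# Added example, not the project's own code. Shows the chain described in the
# bug: maintainer-script arguments -> ntp/noquery default -> restrict lines ->
# audit for the "noquery" flag that closes the monlist query (CVE-2013-5211).
# The template layout below is an assumption; the real UCR template is not on
# the page.

# Default for ntp/noquery as proposed in comment 2: "configure" with no
# previous version ($2 empty) is a fresh install and gets the secure default;
# anything else (upgrade, abort-upgrade, ...) keeps the previous behaviour.
ntp_noquery_default() {
    # $1: dpkg maintainer-script action, $2: previously installed version
    if [ "$1" = configure ] && [ -z "$2" ]; then
        echo true
    else
        echo false
    fi
}

# Render the restrict section of an ntp.conf from the ntp/noquery value.
# Assumed layout; the flags other than noquery follow common Debian defaults.
render_restrict_lines() {
    # $1: value of ntp/noquery ("true" enables the hardened form)
    flags="kod notrap nomodify nopeer"
    if [ "$1" = true ]; then
        flags="$flags noquery"
    fi
    printf 'restrict -4 default %s\n' "$flags"
    printf 'restrict -6 default %s\n' "$flags"
    printf 'restrict 127.0.0.1\nrestrict ::1\n'
}

# Print every "restrict ... default" line (plain, -4 or -6) that carries
# neither "noquery" nor "ignore"; "#" comments are stripped first. Such a
# line still answers mode 7 queries such as monlist.
unrestricted_default_lines() {
    # $1: path to an ntp.conf
    sed -e 's/#.*//' "$1" | awk '
        $1 == "restrict" {
            scope = $2
            if (scope == "-4" || scope == "-6") scope = $3
            if (scope != "default") next
            closed = 0
            for (i = 2; i <= NF; i++) if ($i == "noquery" || $i == "ignore") closed = 1
            if (!closed) print
        }'
}

# Exit status 0 when no default restrict line is open to queries.
ntp_conf_is_hardened() {
    [ -z "$(unrestricted_default_lines "$1")" ]
}

# Write the ntp.conf a system would get for a given maintainer-script call
# to $3 (a constructed file, never the live /etc/ntp.conf) and echo the
# ntp/noquery value that was chosen.
simulate_install() {
    # $1: action, $2: old version, $3: output path
    value=$(ntp_noquery_default "$1" "$2")
    {
        echo "# constructed sample ntp.conf (ntp/noquery=$value)"
        echo "driftfile /var/lib/ntp/ntp.drift"
        echo "server 192.0.2.1   # placeholder upstream server (TEST-NET-1)"
        render_restrict_lines "$value"
    } > "$3"
    echo "$value"
}

FRESH_CONF=$(mktemp)
UPGRADE_CONF=$(mktemp)
trap 'rm -f "$FRESH_CONF" "$UPGRADE_CONF"' EXIT

# Fresh installation versus upgrade from a constructed old version string.
simulate_install configure "" "$FRESH_CONF" >/dev/null
simulate_install configure 0.old-version "$UPGRADE_CONF" >/dev/null

for conf in "$FRESH_CONF" "$UPGRADE_CONF"; do
    if ntp_conf_is_hardened "$conf"; then
        echo "$conf: hardened, every default restrict line blocks queries"
    else
        echo "$conf: still answers monlist, default restrict lines without noquery:"
        unrestricted_default_lines "$conf" | sed 's/^/    /'
    fi
done
```

Run with `sh`: the fresh-install file is reported hardened, the upgraded one lists its two open "restrict ... default" lines. The audit accepts "ignore" as well as "noquery", because "ignore" drops every packet on that scope; the advisory settles on "noquery" because it keeps time service available while closing the query interface, which is what the ntpdc test in comment 2 checks. Point `unrestricted_default_lines` at a real configuration to audit an existing server after the update, remembering that ntpd has to be restarted for a changed configuration to take effect.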
Comment 3 Janek Walkenhorst univentionstaff 2014-01-10 11:32:07 CET
(In reply to Moritz Muehlenhoff from comment #2)
> The variable itself works fine (tested with ntpdc -c sysstats IPADDRESS)
> 
> I've discussed the default with Stefan and we should enable the new
> behaviour for all new installations, while retaining the old standard for
> updated systems:
> 
> if [ "$1" = configure -a -z "$2" ]; then
>     enable
> else
>     disable
> fi
Fixed with 3.0.4-3.154.201401101122
Comment 4 Moritz Muehlenhoff univentionstaff 2014-01-14 12:56:26 CET
OK, the UCR variable is disabled after an update. Future new DVDs with an updated univention-base-files will enable the secure default as standard.

Tests with ntpdate and a Windows 7 client joined into Samba 4 were successful.

I've updated the YAML file to explain the change further. It also documents the needed restart of the NTP service.
Comment 5 Moritz Muehlenhoff univentionstaff 2014-01-15 11:53:30 CET
http://errata.univention.de/ucs/3.2/20.html