Univention Bugzilla – Bug 33834
ntp: Denial of service (3.2)
Last modified: 2014-01-15 11:53:30 CET
+++ This bug was initially created as a clone of Bug #33833 +++

CVE-2013-5211
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks

The default ntp.conf contains "noquery" which disables the monlist function and renders this issue moot. Maybe we should amend the UCR template for ntp.conf with this statement.

The upstream fix is rather invasive. This needs some further investigation.
[Advisory: 2014-01-09-univention-base-files.yaml]
NTP servers reachable from the public internet that respond to the "monlist" query can be used to facilitate DDoS attacks. (CVE-2013-5211)

This update adds the UCR variable "ntp/noquery" which can be set to "true" to disable most queries including the "monlist" function and thus mitigates this issue. It is recommended to set this UCRV on any UCS system that exposes the NTP service to the internet.

New version of univention-base-files built.

Tests (amd64):
NTP: OK
Windows MSSNTP: OK
The variable itself works fine (tested with ntpdc -c sysstats IPADDRESS)

I've discussed the default with Stefan and we should enable the new behaviour for all new installations, while retaining the old standard for updated systems:

    if [ "$1" = configure -a -z "$2" ]; then
        enable
    else
        disable
    fi
(In reply to Moritz Muehlenhoff from comment #2)
> The variable itself works fine (tested with ntpdc -c sysstats IPADDRESS)
>
> I've discussed the default with Stefan and we should enable the new
> behaviour for all new installations, while retaining the old standard for
> updated systems:
>
> if [ "$1" = configure -a -z "$2" ]; then
>     enable
> else
>     disable
> fi

Fixed with 3.0.4-3.154.201401101122
Ok, the UCR variable is disabled after an update. Future new DVDs with an updated univention-base-files will enable the secure default as standard.

Tests with ntpdate and a Windows 7 client joined to Samba 4 were successful.

I've updated the YAML file to explain the change further. It also documents the needed restart of the NTP service.
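The two decisions discussed above (which default the package should pick for ntp/noquery on a fresh install versus an upgrade, and what the variable changes in the rendered ntp.conf) as an added shell example. This is not Univention's postinst or UCR template code. The maintainer-script argument convention ("configure" with an empty second argument means a fresh install, a version string means an upgrade) is Debian's; the restrict directives are the stock Debian ntp.conf set and are an assumption about what the UCS template emits. The last function can also be pointed at a real /etc/ntp.conf to check whether every "restrict ... default" line carries noquery, which is what actually stops ntpd answering monlist and other mode 6/7 queries from arbitrary hosts.

```shell
#!/bin/sh
# Added example, not code from univention-base-files. Models the default
# decision from this bug and the effect of ntp/noquery on ntp.conf.

# Decide the ntp/noquery default the way the postinst snippet in the thread
# does: "configure" with no previous version is a fresh install (enable);
# anything else (an upgrade from version $2, or another dpkg action) keeps
# the old behaviour (disable). Prints "true" or "false".
ntp_noquery_default() {
    action="$1"
    old_version="$2"
    if [ "$action" = configure ] && [ -z "$old_version" ]; then
        echo true
    else
        echo false
    fi
}

# Render the access-control part of ntp.conf for a given ntp/noquery value.
# Assumption: Debian's stock restrict lines; the UCS template may differ.
# With "true" the default restriction also carries noquery, so ntpd refuses
# ntpq/ntpdc queries (including monlist) from unauthorised clients while
# still answering ordinary time requests. Localhost keeps full access so
# local ntpq/ntpdc diagnostics still work.
render_restrict() {
    noquery="$1"
    if [ "$noquery" = true ]; then
        extra=" noquery"
    else
        extra=""
    fi
    printf 'restrict -4 default kod notrap nomodify nopeer%s\n' "$extra"
    printf 'restrict -6 default kod notrap nomodify nopeer%s\n' "$extra"
    printf 'restrict 127.0.0.1\n'
    printf 'restrict ::1\n'
}

# Read an ntp.conf on stdin and exit 0 only if at least one
# "restrict [-4|-6] default ..." line exists and every such line contains
# noquery; exit 1 otherwise. Usage: ntp_conf_hardened < /etc/ntp.conf
ntp_conf_hardened() {
    awk '
        /^[ \t]*restrict([ \t]+-[46])?[ \t]+default/ {
            seen = 1
            if ($0 !~ /noquery/) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }
    '
}
```

Usage note: `render_restrict "$(ntp_noquery_default configure '')"` yields the hardened lines a fresh install would get, while `render_restrict "$(ntp_noquery_default configure 3.0.4-2)"` yields the pre-update behaviour without noquery; piping either into `ntp_conf_hardened` shows which one an exposed server should be running.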
http://errata.univention.de/ucs/3.2/20.html