[pkg-ntp-maintainers] Bug#733940: ntp missing security update, previously advised service configurations allow DDoS amplification attack prior to upstream 4.2.7p26

Michael Evans michael.evans at nor-consult.com
Mon May 19 20:13:05 UTC 2014


The severity of this bug should be critical.

The default shipped configuration file /may/ be secure, but does not
adequately document /why/ it is secure.  Previous versions of the
AccessRestrictions documentation (prior to likely sometime early this year
when the NTP reflection attacks became popular) appeared to advise removing
the noquery attribute, and thus many administrators who wanted to provide a
public facing server properly followed the guidance to remove it.  Since
that time there has been no Debian security advisory that this is an
insecure modification to the configuration.  It is also not something which
someone would consider to be related even if they are aware of NTP
amplification attacks.

I am requesting a change in severity level to critical given that with
previously advised (even if not by Debian example) configurations this
software "introduces a security hole on systems where you install the
package" which may be used to provide a denial of service attack to/from
systems with the affected version/configuration.

As a temporary solution, "disabling monitor" or adding "noquery" to internet
facing services is required (and //should be documented as such in config
comments// if an update to this package is not provided); however, the
updated software disables the responses that are used in the reflection
attacks without completely disabling other responses that may be useful as
an NTP server.  The previously supplied FreeBSD patch appears to provide the
same type of improvement and if chosen instead should be documented as such
in the example config file (so that it is obvious this is fixed with
something not present upstream).

http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.1.3

http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211

http://www.kb.cert.org/vuls/id/348126
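As an added example that is not part of this bug report or of the Debian ntp package, here is a small POSIX shell checker for the two mitigations the message names: "disable monitor" and "noquery" on the default restrict lines of ntp.conf. It runs over four constructed ntp.conf variants (the old "public server" layout with noquery dropped, noquery restored on IPv4 only, noquery on both address families, and monitor disabled outright). The function names, the sample files and the pool hostname in them are assumptions for illustration; the check is a text heuristic over the configuration and does not model ntpd's full restrict-list evaluation or a later `enable monitor` directive.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit an ntp.conf for the two
# mitigations the report names, "disable monitor" and "noquery" on the
# default restrict lines. The sample configurations below are constructed.

# Print "mitigated" if the file turns off monlist responses, else "exposed".
# Heuristic only: it looks at "disable monitor" and at the default restrict
# lines, not at ntpd's full restrict-list evaluation.
ntp_conf_status() {
    conf="$1"
    # Drop comments and collapse whitespace so each directive is one clean line.
    clean=$(sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
                -e 's/^ //' -e 's/ $//' "$conf")

    # 1. "disable monitor" empties the MRU list that monlist reports, so the
    #    amplifying reply cannot be produced at all.
    if printf '%s\n' "$clean" | grep -qE '^disable( .*)? monitor( |$)'; then
        echo mitigated
        return 0
    fi

    # 2. Otherwise every default restrict line (plain, -4 and -6) must carry
    #    noquery (or ignore). No default line at all means ntpd answers
    #    mode 7 queries from anyone, which is the exposed case.
    defaults=$(printf '%s\n' "$clean" \
               | grep -E '^restrict (-4 |-6 )?default( |$)' || true)
    if [ -z "$defaults" ]; then
        echo exposed
        return 0
    fi
    if printf '%s\n' "$defaults" | grep -vE '(^| )(noquery|ignore)( |$)' | grep -q .; then
        echo exposed   # at least one address family still answers queries
    else
        echo mitigated
    fi
}

# Write four constructed ntp.conf variants into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    # Old "public server" advice: noquery dropped from both default lines.
    cat > "$dir/exposed.conf" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
restrict 127.0.0.1
EOF
    # noquery restored on IPv4 only; IPv6 clients can still ask for monlist.
    cat > "$dir/v4only.conf" <<'EOF'
server 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer
EOF
    # noquery on both families; time service itself stays open.
    cat > "$dir/noquery.conf" <<'EOF'
server 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery # queries refused
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
EOF
    # monitor disabled outright; the restrict lines no longer matter for monlist.
    cat > "$dir/disable.conf" <<'EOF'
server 0.debian.pool.ntp.org iburst
disable monitor
restrict default kod notrap nomodify nopeer
EOF
    echo "$dir"
}

# Stand-alone run: report each sample, then clean up.
demo() {
    dir=$(make_samples)
    for name in exposed v4only noquery disable; do
        printf '%-13s %s\n' "$name.conf" "$(ntp_conf_status "$dir/$name.conf")"
    done
    rm -rf "$dir"
}
demo
```

The v4only sample is the case a quick visual review tends to miss: the Debian-style configuration carries separate `restrict -4 default` and `restrict -6 default` lines, and restoring noquery on only one of them leaves the other address family answering monlist queries, so the checker treats any default line without noquery (or ignore) as exposed.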