Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201401-08 ] NTP: Traffic amplification
Date: Thu, 16 Jan 2014 23:36:37
Message-Id: 52D86C53.6040908@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: NTP: Traffic amplification
Date: January 16, 2014
Bugs: #496776
ID: 201401-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

NTP can be abused to amplify Denial of Service attack traffic.

Background
==========

NTP is a protocol designed to synchronize the clocks of computers over
a network. The net-misc/ntp package contains the official reference
implementation by the NTP Project.

Affected packages
=================

-------------------------------------------------------------------
     Package              /  Vulnerable       /  Unaffected
-------------------------------------------------------------------
  1  net-misc/ntp            < 4.2.6_p5-r10      >= 4.2.6_p5-r10

Description
===========

ntpd is susceptible to a reflected Denial of Service attack. Please
review the CVE identifiers and references below for details.

Impact
======

An unauthenticated remote attacker may conduct a distributed reflective
Denial of Service attack on another user via a vulnerable NTP server.

Workaround
==========

We modified the default ntp configuration in =net-misc/ntp-4.2.6_p5-r10
and added "noquery" to the default restriction, which prevents anyone
from querying the ntpd status, including "monlist".

If you use a non-default configuration and provide an NTP service to
untrusted networks, we highly recommend that you revise your
configuration to disable mode 6 and 7 queries for any untrusted
(public) network.

You can always enable these queries for specific trusted networks. For
more details please see the "Access Control Support" chapter in the
ntp.conf(5) man page.

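The following shell script is an added example and is not part of this advisory or of the net-misc/ntp package. It writes two constructed ntp.conf fragments side by side (a default restriction in the older style, which still answers status queries, and the hardened form with "noquery" described above) and audits any ntp.conf for "restrict default" lines that lack "noquery" and therefore still answer mode 6 and 7 queries such as "monlist". The file paths and the 192.0.2.0/24 management subnet are placeholders; the restriction flags used (nomodify, notrap, nopeer, noquery, -4/-6) are the ones documented in ntp.conf(5).

```shell
#!/bin/sh
# Added example (not from the GLSA): audit ntp.conf "restrict default" lines
# for a missing "noquery" flag. All file contents below are constructed.

# Constructed sample: a default restriction that only blocks modification,
# so mode 6/7 status queries (including monlist) are still answered for all.
write_weak_conf() {
    cat > "$1" <<'EOF'
# constructed ntp.conf: only time modification is blocked
restrict default nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
server 0.gentoo.pool.ntp.org
EOF
}

# Constructed sample: the hardened form the advisory ships as the new default.
write_hardened_conf() {
    cat > "$1" <<'EOF'
# constructed ntp.conf: noquery stops mode 6/7 queries (incl. monlist) for anyone
restrict default nomodify notrap nopeer noquery
# localhost and a trusted management subnet (placeholder range) keep query access
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
server 0.gentoo.pool.ntp.org
EOF
}

# Print every "restrict default" (or "restrict -4/-6 default") line of $1 that
# lacks "noquery". Returns 1 if any such line exists, 0 if the file is clean.
check_noquery() {
    conf="$1"
    bad=0
    while IFS= read -r line; do
        line="${line%%#*}"          # drop a trailing comment
        set -- $line                # split the remainder into words
        [ "$1" = "restrict" ] || continue
        shift
        case "$1" in -4|-6) shift ;; esac   # address-family selector
        [ "$1" = "default" ] || continue
        shift
        has_noquery=0
        for flag in "$@"; do
            [ "$flag" = "noquery" ] && has_noquery=1
        done
        if [ "$has_noquery" -eq 0 ]; then
            echo "$conf: default restriction still answers status queries: restrict default $*"
            bad=1
        fi
    done < "$conf"
    return "$bad"
}

main() {
    tmp=$(mktemp -d)
    write_weak_conf "$tmp/weak.conf"
    write_hardened_conf "$tmp/hardened.conf"
    check_noquery "$tmp/weak.conf" \
        || echo "-> add noquery to the default restriction (ntp.conf(5), Access Control Support)"
    check_noquery "$tmp/hardened.conf" && echo "$tmp/hardened.conf: ok"
    rm -rf "$tmp"
}

main "$@"
```

Run it against a live file with `check_noquery /etc/ntp.conf`; a non-zero exit status means at least one default restriction needs "noquery" added, while per-network "restrict" lines for trusted ranges (as in the hardened sample) are left alone, which matches the advisory's advice to keep queries enabled only for specific trusted networks.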
Resolution
==========

All NTP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.6_p5-r10"

Note that the updated package contains a modified default configuration
only. You may need to modify your configuration further.

References
==========

[ 1 ] CVE-2013-5211
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5211
[ 2 ] VU#348126
http://www.kb.cert.org/vuls/id/348126

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201401-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJS2GxTAAoJEByNLmvcM7DulIwQAIOYyqCmbK80HgcscXBIk1Ff
/mqRuc7EkW7o6+AgTSqp71+oV6pKrQ0rdrj44P8ZtnjLmpXnb5ZQO6VUv7+Bzaqu
kEeP8gSvjwCqIFeqgpYcDmefpaLdd4SkZluECf4ZNyHdclSQ3tLduE5idAwTrMgw
FE5lX2ZdfIPHrJBQXZ0PD4EFA+biwwD/nWBzuJj01DDcII1ULUDJQhEPRP3prM8a
U6asQugmgky/ZqarpymPcldMYUCpwT6PjrvOh1NWPOv5dEscTKEIspSdfelPbLdA
irSM7Z5AOWLDEk/D99jI346mE0Y+YYRoD7ZHqnuVWUZMa8WQ80+B6njYa5+0yRzx
zkq2GouNP6rDJm+sJjYk66RXrn8gwBvq/PYcM1E1qRvjHknU8xlWLLzwhUPefJmO
8uPjnRXa9/ZXBKXCFPN9TcdfqOfmsCCVnIIoZ2k8NCMHfbc/U5yhYxT7MWK9cOOb
2j1elsSA40V65mzyWDU3GwinM8+gG3goCWVOEV9daCvovTbPrGXhGV8OPoDqOoCW
jP7YQSeqx0mlEn7OrIhDsf3h7C8nblCMhZ0ahCgZ997VwXVj1Ngg25DoBN2LmG4H
4KpnRDdjXm4tpVF0vP90X83VY9PaamlBRI8gzZgt2wdYJPhJ1bCf1WRhctK1ywBP
O7T3P0kq5BpFv/GVWOU1
=rXbW
-----END PGP SIGNATURE-----