- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201401-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: NTP: Traffic amplification
      Date: January 16, 2014
      Bugs: #496776
        ID: 201401-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

NTP can be abused to amplify Denial of Service attack traffic.

Background
==========

NTP is a protocol designed to synchronize the clocks of computers over
a network. The net-misc/ntp package contains the official reference
implementation by the NTP Project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /         Unaffected
    -------------------------------------------------------------------
  1  net-misc/ntp             < 4.2.6_p5-r10            >= 4.2.6_p5-r10

Description
===========

ntpd is susceptible to a reflected Denial of Service attack. Please
review the CVE identifiers and references below for details.

Impact
======

An unauthenticated remote attacker may conduct a distributed reflective
Denial of Service attack on another user via a vulnerable NTP server.

Workaround
==========

We modified the default ntp configuration in =net-misc/ntp-4.2.6_p5-r10
and added "noquery" to the default restriction, which disallows anyone
from querying the ntpd status, including "monlist".

If you use a non-default configuration and provide an ntp service to
untrusted networks, we highly recommend that you revise your
configuration to disable mode 6 and 7 queries for any untrusted
(public) network.

You can always enable these queries for specific trusted networks. For
more details please see the "Access Control Support" chapter in the
ntp.conf(5) man page.

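Added example, not part of the GLSA or of the ntp package: a small POSIX sh check for the "noquery" setting described above, run against two constructed ntp.conf fragments, one with the old-style default restriction that still answers status queries, and one hardened as the advisory recommends, with mode 6 queries re-enabled only for an assumed trusted management network (192.168.10.0/24). The function name, the sample configurations and the addresses in them are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the GLSA): check that every "restrict default"
# line in an ntp.conf carries "noquery", the flag that refuses mode 6/7
# (ntpq/ntpdc) status queries such as "monlist". Configs below are constructed.

# Weak: status queries, and therefore monlist, are answered for anyone.
WEAK_CONF='server 0.pool.ntp.org
restrict default nomodify nopeer
restrict 127.0.0.1'

# Hardened: noquery on both default lines; mode 6 queries allowed only from
# an assumed trusted management network, and the MRU list that monlist
# reads is switched off as well ("disable monitor").
HARDENED_CONF='server 0.pool.ntp.org
restrict -4 default nomodify nopeer noquery
restrict -6 default nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap
disable monitor'

# ntp_default_restrict_ok CONFIG_TEXT
# Returns 0 when at least one "restrict [-4|-6] default" line exists and all
# of them include "noquery"; returns 1 otherwise.
ntp_default_restrict_ok() {
    conf=$1
    found=0
    bad=0
    while IFS= read -r line; do
        line=${line%%#*}            # drop comments
        set -- $line                # split into words (deliberately unquoted)
        [ "$1" = "restrict" ] || continue
        shift
        case $1 in -4|-6) shift ;; esac
        [ "$1" = "default" ] || continue
        found=1
        case " $* " in
            *" noquery "*) ;;
            *) bad=$((bad + 1)) ;;
        esac
    done <<EOF
$conf
EOF
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

ntp_default_restrict_ok "$WEAK_CONF" && echo "weak: ok" || echo "weak: mode 6/7 queries open to everyone"
ntp_default_restrict_ok "$HARDENED_CONF" && echo "hardened: ok" || echo "hardened: mode 6/7 queries open to everyone"
```

A configuration with no "restrict default" line at all is also reported as not ok, since ntpd then applies no restriction to unknown sources.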
Resolution
==========

All NTP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.6_p5-r10"

Note that the updated package contains a modified default configuration
only. You may need to modify your configuration further.

References
==========

[ 1 ] CVE-2013-5211
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5211
[ 2 ] VU#348126
      http://www.kb.cert.org/vuls/id/348126

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201401-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5