Bug 496776 (CVE-2013-5211) - <net-misc/ntp-4.2.6_p5-r10 : DoS in monlist feature in ntpd (CVE-2013-5211)
Summary: <net-misc/ntp-4.2.6_p5-r10 : DoS in monlist feature in ntpd (CVE-2013-5211)
Status: RESOLVED FIXED
Alias: CVE-2013-5211
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://bugs.ntp.org/show_bug.cgi?id=1532
Whiteboard: B3 [glsa cleanup]
Keywords:
Duplicates: 498706 506710
Depends on:
Blocks:
 
Reported: 2014-01-02 14:48 UTC by Agostino Sarubbo
Modified: 2014-06-27 12:15 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-01-02 14:48:24 UTC
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5211 to the following vulnerability:

Name: CVE-2013-5211
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
Assigned: 20130815
Reference: http://openwall.com/lists/oss-security/2013/12/30/6
Reference: http://openwall.com/lists/oss-security/2013/12/30/7
Reference: http://lists.ntp.org/pipermail/pool/2011-December/005616.html
Reference: http://bugs.ntp.org/show_bug.cgi?id=1532
Reference: http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ntp-dev-4.2.7p26.tar.gz

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a 
denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 
requests, as exploited in the wild in December 2013.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2014-01-02 15:57:52 UTC
Going by the upstream ntp bug, there's really nothing feasible for us to do at this time. I don't think we want to add+stabilize the 4.2.7 dev branch (we've never carried the 4.2.7 dev series by design), and backporting is not feasible (according to the ntp developers themselves).
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-01-02 20:49:19 UTC
I solved this in the tree already actually, before you filed this bug; with a solution accepted by upstream:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-misc/ntp/files/ntp.conf?r1=1.19&r2=1.20

For that, please stablereq for ntp-4.2.6_p5-r10
Comment 3 Agostino Sarubbo gentoo-dev 2014-01-03 12:00:14 UTC
Thanks.

Arches, please test and mark stable:
=net-misc/ntp-4.2.6_p5-r10
Target KEYWORDS: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Pacho Ramos gentoo-dev 2014-01-03 12:19:44 UTC
amd64 stable
Comment 5 SpanKY gentoo-dev 2014-01-03 13:05:18 UTC
(In reply to Robin Johnson from comment #2)

that doesn't fix the bug, just makes it not show up if you use the default config.  but maybe that's good enough for us until upstream releases a proper version.
Comment 6 Thomas Deutschmann gentoo-dev Security 2014-01-03 13:45:52 UTC
Well, there never will be a fix (because there isn't a bug and they cannot change the behavior without breaking clients). They just decided to remove the 'monlist' feature in favor of the new safe 'mrunlist' function, which uses a nonce value ensuring that the received IP address matches the actual requester. But this is 4.2.7, which isn't in tree and is marked as a development branch by upstream (not sure if they are going to release a stable 4.2.7 in a few days because of this problem).

With Robin's configuration change ("noquery" was added to the default restrictions) we disable mode 6 and 7 queries, which includes monlist.

What I don't like about the Gentoo "fix" (if it is meant as a fix and a GLSA will tell the user "upgrade to =ntp-4.2.6_p5-r10 and you are no longer vulnerable to CVE-2013-5211") is that people running their own configuration who don't know about the problem may not recognize the added "noquery" option and why it is important that they adopt it.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-04 12:28:36 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-04 12:38:45 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-04 12:40:07 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-04 12:41:38 UTC
sparc stable
Comment 11 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-01-04 18:18:03 UTC
whissi:
to solve your concern, I think we can have the GLSA contain some text like:
====
If you use a non-default configuration for ntpd, you should add the "noquery" argument to your "restrict default" configuration entries and any other entries for untrusted networks.
====
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-01-05 02:52:07 UTC
CVE-2013-5211 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5211):
  The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows
  remote attackers to cause a denial of service (traffic amplification) via
  forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited
  in the wild in December 2013.
Comment 13 Agostino Sarubbo gentoo-dev 2014-01-05 09:06:32 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-01-05 09:10:35 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-01-05 09:38:02 UTC
alpha stable
Comment 16 Thomas Deutschmann gentoo-dev Security 2014-01-05 14:50:39 UTC
(In reply to Robin Johnson from comment #11)
> whissi:
> to solve your concern, I think we can have the GLSA contain some text like:
> ====
> If you use a non-default configuration for ntpd, you should add the
> "noquery" argument to your "restrict default" configuration entries and any
> other entries for untrusted networks.
> ====

Something like that, but I don't like the text.

We agree that a real fix is missing (will be the not yet existing 4.2.8 release). So we don't have a "resolution", we only have a "workaround". The GLSA provides both information, let us use them:

Workaround:
===========
We modified the default ntp configuration in "=net-misc/ntp-4.2.6_p5-r10" and added "noquery" to the default restriction, which disallows anyone from querying your ntpd status, including "monlist".

If you use a non-default configuration and provide a public ntp service, we highly recommend that you revise your configuration to disable mode 6 and 7 queries for any untrusted (public) network.

You can always enable these queries for specific trusted networks. For more details please see the "Access Control Support" chapter in the ntp.conf(5) man page.


Resolution:
===========
All NTP users should upgrade to the latest version, which includes an updated configuration that disables ntpd status queries by default:

  ... Steps how to update ...



What do you think? This will include the information:

- that there is no upstream fix for this problem yet

- how we solved the problem

- what the user should check for if running a non-default configuration

- where to find further information
Comment 17 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-01-05 18:16:01 UTC
(In reply to Thomas D. from comment #16)
> If you use a non-default configuration and provide a public ntp service we
> highly recommend you to revise your configuration to disable mode 6 and 7
> queries for any untrusted (public) network.
I'm concerned that most people with custom configs will see 'public ntp service' and ignore the rest of the paragraph. Untrusted networks aren't necessarily public networks. Maybe reword as:

If you use a non-default configuration and provide an ntp service to untrusted networks, we highly recommend that you revise your configuration to disable mode 6 and 7 queries for any untrusted (public) network.
Comment 18 Thomas Deutschmann gentoo-dev Security 2014-01-05 23:38:13 UTC
Good point. I like your rewording. No further objections from me.
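As an added illustration of the workaround discussed in comment 6 and comments 16/17 (this script is not part of this bug, of the GLSA, or of Gentoo's ntp package), the following Python audits the "restrict" directives of an ntp.conf and flags every entry that still answers mode 6/7 status queries (the path by which "monlist" is abused) from a network that is not in a trusted list. The two configurations embedded in it are constructed for the example: the "vulnerable" one is in the spirit of a pre-r10 default, the "hardened" one in the spirit of r10, neither is the literal Gentoo file. The trusted ranges (loopback only), the missing-"restrict default" rule and all function names are assumptions of the example, not anything ntp.conf(5) or the GLSA specifies.

```python
"""Audit ntp.conf 'restrict' lines for open mode 6/7 status queries.

ntpd answers mode 7 (ntpdc, including 'monlist') and mode 6 (ntpq)
requests from any client whose matching 'restrict' entry lacks 'noquery'
(or 'ignore'). This example parses the restrict directives and reports
the entries that still let untrusted networks query status.
"""
import ipaddress

# Flags that stop mode 6/7 status queries for the matching entry.
QUERY_BLOCKING_FLAGS = {"noquery", "ignore"}

# Assumption for this audit: only loopback is trusted. Adjust to taste.
TRUSTED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

MISSING_DEFAULT = "no 'restrict default' entry: ntpd answers queries from anywhere"

# Constructed sample configs (not the actual Gentoo ntp.conf).
VULNERABLE_CONF = """\
# pre-r10 style: status queries allowed from anywhere
server 0.gentoo.pool.ntp.org
restrict default nomodify notrap nopeer
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
"""

HARDENED_CONF = """\
# r10 style: noquery on the default entries, loopback stays open
server 0.gentoo.pool.ntp.org
restrict default nomodify nopeer noquery
restrict -6 default nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_restrict(line):
    """Parse one 'restrict ...' directive into (address, mask, flags).

    Returns None for any other line. A leading -4/-6 family selector is
    dropped, so 'restrict -6 default ...' yields address 'default'.
    """
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    if tokens[0] in ("-4", "-6"):
        tokens = tokens[1:]
    if not tokens:
        return None
    address, tokens = tokens[0], tokens[1:]
    mask = None
    if len(tokens) >= 2 and tokens[0] == "mask":
        mask, tokens = tokens[1], tokens[2:]
    return address, mask, set(tokens)


def is_trusted(address, mask):
    """True if the entry's network lies entirely inside a TRUSTED range."""
    if address == "default":
        return False
    try:
        spec = f"{address}/{mask}" if mask else address
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # hostnames, 'source', etc.: treat as untrusted
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)


def audit(conf_text):
    """Return [(line_no, directive)] for restrict entries that still allow
    status queries from untrusted networks; line 0 flags a missing default."""
    findings = []
    saw_default = False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parsed = parse_restrict(raw)
        if parsed is None:
            continue
        address, mask, flags = parsed
        saw_default = saw_default or address == "default"
        if flags & QUERY_BLOCKING_FLAGS or is_trusted(address, mask):
            continue
        findings.append((no, raw.strip()))
    if not saw_default:
        findings.insert(0, (0, MISSING_DEFAULT))
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

Point audit() at your own /etc/ntp.conf and treat every reported line as an entry that needs "noquery" (or a tighter network). To confirm the running daemon, issue `ntpdc -n -c monlist <server>` from a host that falls under the restricted entry: with "noquery" in effect the request gets no reply and ntpdc times out; querying from loopback will still succeed if the loopback entry stays unrestricted, which is intended.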
Comment 19 Agostino Sarubbo gentoo-dev 2014-01-12 13:18:34 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 20 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-12 13:57:37 UTC
GLSA vote: yes
Comment 21 Tobias Heinlein (RETIRED) gentoo-dev 2014-01-16 20:55:23 UTC
YES too, request filed.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-01-16 22:31:40 UTC
This issue was resolved and addressed in
 GLSA 201401-08 at http://security.gentoo.org/glsa/glsa-201401-08.xml
by GLSA coordinator Tobias Heinlein (keytoaster).
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2014-01-16 23:32:49 UTC
This issue was resolved and addressed in
 GLSA 201401-08 at http://security.gentoo.org/glsa/glsa-201401-08.xml
by GLSA coordinator Tobias Heinlein (keytoaster).
Comment 24 Agostino Sarubbo gentoo-dev 2014-01-20 16:37:20 UTC
*** Bug 498706 has been marked as a duplicate of this bug. ***
Comment 25 Alex Xu (Hello71) 2014-04-03 23:09:30 UTC
*** Bug 506710 has been marked as a duplicate of this bug. ***