NetBSD Security Advisory 2014-002: ntpd used as DDoS amplifier

To: NetBSD Announcements <netbsd-announce%NetBSD.org@localhost>
Subject: NetBSD Security Advisory 2014-002: ntpd used as DDoS amplifier
From: NetBSD Security Officer <security-officer%NetBSD.org@localhost>
Date: Wed, 8 Jan 2014 00:06:34 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                NetBSD Security Advisory 2014-002
                =================================

Topic:          ntpd used as DDoS amplifier


Version:        NetBSD-current:         source prior to Dec 27th, 2013
                NetBSD 6.1:             affected
                NetBSD 6.0 - 6.0.2:     affected
                NetBSD 5.1 - 5.1.2:     affected
                NetBSD 5.2:             affected

Severity:       DDoS participation

Fixed:          NetBSD-current:         Dec 27th, 2013
                NetBSD-6-0 branch:      Jan 6th, 2014
                NetBSD-6-1 branch:      Jan 6th, 2014
                NetBSD-6 branch:        Jan 6th, 2014
                NetBSD-5-2 branch:      Jan 6th, 2014
                NetBSD-5-1 branch:      Jan 6th, 2014
                NetBSD-5 branch:        Jan 6th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An administrative query function is getting used by
attackers to use ntp servers as traffic amplifiers.
The new version no longer offers this query option.


Technical Details
=================

The monlist function, which is available in ntp prior to 4.2.7 to
requestors who are allowed to 'query', yields potentially sizeable
traffic in response to a small query packet, and can thus get used
for amplification attacks.


Solutions and Workarounds
=========================

Workaround:
in ntp.conf, setting 'restrict default noquery' will prevent
amplification to random targets (the remaining targets would
be those allowed to query by their own restrict entries).

Note that this setting does not disallow time synchronization,
but instead querying for the list of peers and other administrative
and informative data. See /usr/share/doc/html/ntp/accopt.html
for information on ntpd access control configuration options.

Solution:
Updating the ntpd binary so it no longer offers the abused function,
as well as updating ntp.conf so it offers less attack surface.

ntpd source: update to
HEAD            src/external/bsd/ntp/dist/ntpd/ntp_request.c
netbsd-6        src/external/bsd/ntp/dist/ntpd/ntp_request.c 1.7.2.1
netbsd-6-1      src/external/bsd/ntp/dist/ntpd/ntp_request.c 1.7.16.1
netbsd-6-0      src/external/bsd/ntp/dist/ntpd/ntp_request.c 1.7.8.1
netbsd-5        src/dist/ntp/ntpd/ntp_request.c 1.8.4.2
netbsd-5-2      src/dist/ntp/ntpd/ntp_request.c 1.8.4.1.6.1
netbsd-5-1      src/dist/ntp/ntpd/ntp_request.c 1.8.4.1.2.1

default configuration file update:
HEAD            src/etc/ntp.conf 1.18
netbsd-6        src/etc/ntp.conf 1.14.2.1
netbsd-6-1      src/etc/ntp.conf 1.14.16.1
netbsd-6-0      src/etc/ntp.conf 1.14.8.1
netbsd-5        src/etc/ntp.conf 1.9.20.1
netbsd-5-2      src/etc/ntp.conf 1.9.36.1
netbsd-5-1      src/etc/ntp.conf 1.9.28.1


Thanks To
=========

Thanks to Erik Fair for bringing the issue to our attention and
suggesting a fix.


Revision History
================

        2014-01-07      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-002.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)

iQIcBAEBAgAGBQJSzGwhAAoJEAZJc6xMSnBuQX4P/j3dERFgvL95fxrHQViQlv9k
G9G+IRFnvFdR1NvEY2j+qsLPW2zLIzBWdAODsHekgcnkQd3NXuwjo2pojC99SEkX
kuGGyxo0RxuH98iQAco6rAqLsePkHYXxWwYPkLhKflPi4XUyb2ApWwh+O83ac/dg
ochBbSIkjmKOX7w2isFP0NDiTi9AsgSWjsKj/MhRMhHpMHKqV6AaOmgwyZavntL3
73dnrfFLTdY54ZkyVRdS/6rgqPDACA9V1nLeGvdRovBWyyIcB/J+9g1xzWapnydm
SNHN6mW0I1uFPx5equERwRkI1Vz68tfQwvf3VWEFkx1vTHJ+cF94P4RVz1WFwxKu
tEwxpTuZCdUXEKCPmjd74Eo3Wgy2JHGgmpNvmwiOEfLHtHvwtZn05GxtLeGlb77k
BNX8/MWmMNYqOARr3EXIgIxCdZgozhzXBXqqiUhM9gSCJykS9RdSbQYudrtHkXYM
e3HcKsSTBDVwwBkca7UAncFcqCBKosd2dIrR9NaCe8aY+ZXt4RR3y4ipi686cvnC
9PSbp2PAIcb83CNKprglxceIZD93KZj37H8tW2IPmCrrjGXDqB4s4vXpEAwcxlNf
RlMATwqz7ZmCIybg1/MI1E4/j/1EWHES/w9OAUvhCPk6WPIRpT5Zxv6MKE7XNleB
NdDEOoZ4KpVo4ereausV
=8eAi
-----END PGP SIGNATURE-----

Prev by Date: NetBSD Security Advisory 2014-001: Stack buffer overflow in libXfont
Next by Date: NetBSD 6.1.3, NetBSD 6.0.4, NetBSD 5.2.2, and NetBSD 5.1.4 patch releases
Previous by Thread: NetBSD Security Advisory 2014-001: Stack buffer overflow in libXfont
Next by Thread: NetBSD 6.1.3, NetBSD 6.0.4, NetBSD 5.2.2, and NetBSD 5.1.4 patch releases
Indexes:

Home | Main Index | Thread Index | Old Index