ntp: CVE-2013-5211


Debian Bug report logs - #733940
ntp: CVE-2013-5211


Package: ntp; Maintainer for ntp is Debian NTP Team <ntp@packages.debian.org>; Source for ntp is src:ntp (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 2 Jan 2014 13:15:02 UTC

Severity: important

Tags: security

Fixed in version 1:4.2.8p3+dfsg-1

Done: Bernhard Schmidt <berni@birkenwald.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Thu, 02 Jan 2014 13:15:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Thu, 02 Jan 2014 13:15:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ntp: CVE-2013-5211
Date: Thu, 02 Jan 2014 14:04:04 +0100
Package: ntp
Severity: important
Tags: security

This was assigned CVE-2013-5211:
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks

Upstream ripped out monlist in favour of mrulist:
http://bugs.ntp.org/show_bug.cgi?id=1531
http://bugs.ntp.org/show_bug.cgi?id=1532

The default configuration in Debian uses "noquery" and thus doesn't allow
monlist:

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

For unstable we should update to 4.2.7. What's your suggestion on this for stable?

We could
- Provide 4.2.7 for stable-security (or backport the changes if not too
  intrusive)
- Ignore this for stable-security and offer 4.2.7 in backports.debian.org for
  those sites which run a public NTP server
- Ignore this altogether since it doesn't affect the standard configuration and
  operators of large public NTP servers most definitely have updated to 4.2.7
  already or deployed other workarounds.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Thu, 02 Jan 2014 18:00:11 GMT) (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Thu, 02 Jan 2014 18:00:11 GMT) (full text, mbox, link).


Message #10 received at 733940@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: Moritz Muehlenhoff <jmm@inutil.org>, 733940@bugs.debian.org
Subject: Re: [pkg-ntp-maintainers] Bug#733940: ntp: CVE-2013-5211
Date: Thu, 2 Jan 2014 18:58:25 +0100
On Thu, Jan 02, 2014 at 02:04:04PM +0100, Moritz Muehlenhoff wrote:
> Package: ntp
> Severity: important
> Tags: security
> 
> This was assigned CVE-2013-5211:
> https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
> http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
> 
> Upstream ripped out monlist in favour of mrulist:
> http://bugs.ntp.org/show_bug.cgi?id=1531
> http://bugs.ntp.org/show_bug.cgi?id=1532

Which just means they need to send a different packet to do this?

> The default configuration in Debian uses "noquery" and thus doesn't allow
> monlist:
> 
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> 
> For unstable we should update to 4.2.7. What's your suggestion on this for stable?

4.2.7 is not a release, it's a development branch that has had over
400 releases.  It also has known issues, like it dies after 5
minutes for a lot of people.  People really should stop suggesting
using the 4.2.7 version.  The release will be 4.2.8.

> We could
> - Provide 4.2.7 for stable-security (or backport the changes if not too
>   intrusive)
> - Ignore this for stable-security and offer 4.2.7 in backports.debian.org for
>   those sites which run a public NTP server
> - Ignore this altogether since it doesn't affect the standard configuration and
>   operators of large public NTP servers most definitely have updated to 4.2.7
>   already or deployed other workarounds.

I'm really going to go for ignore on this.  People should just use
the noquery option and only allow it from trusted IP addresses.
That is the only real fix.


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Thu, 16 Jan 2014 21:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Thu, 16 Jan 2014 21:51:04 GMT) (full text, mbox, link).


Message #15 received at 733940@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 733940@bugs.debian.org
Subject: Re: [pkg-ntp-maintainers] Bug#733940: ntp: CVE-2013-5211
Date: Thu, 16 Jan 2014 22:46:42 +0100
On Thu, Jan 02, 2014 at 06:58:25PM +0100, Kurt Roeckx wrote:
> On Thu, Jan 02, 2014 at 02:04:04PM +0100, Moritz Muehlenhoff wrote:
> > Package: ntp
> > Severity: important
> > Tags: security
> > 
> > This was assigned CVE-2013-5211:
> > https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
> > http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
> > 
> > Upstream ripped out monlist in favour of mrulist:
> > http://bugs.ntp.org/show_bug.cgi?id=1531
> > http://bugs.ntp.org/show_bug.cgi?id=1532
> 
> Which just means they need to send a different packet to do this?

Apparently mrulist is not affected by the amplification attack.
 
> > We could
> > - Provide 4.2.7 for stable-security (or backport the changes if not too
> >   intrusive)
> > - Ignore this for stable-security and offer 4.2.7 in backports.debian.org for
> >   those sites which run a public NTP server
> > - Ignore this altogether since it doesn't affect the standard configuration and
> >   operators of large public NTP servers most definitely have updated to 4.2.7
> >   already or deployed other workarounds.
> 
> I'm really going to go for ignore on this.  People should just use
> the noquery option and only allow it from trusted IP addresses.
> That is the only real fix.

Ok, let's ignore it. Marked as such in the Debian Security Tracker.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Mon, 27 Jan 2014 14:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to martin f krafft <madduck@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Mon, 27 Jan 2014 14:57:04 GMT) (full text, mbox, link).


Message #20 received at 733940@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 733940@bugs.debian.org
Cc: Kurt Roeckx <kurt@roeckx.be>
Subject: Re: Bug#733940: [pkg-ntp-maintainers] Bug#733940: ntp: CVE-2013-5211
Date: Mon, 27 Jan 2014 15:53:32 +0100
also sprach Moritz Mühlenhoff <jmm@inutil.org> [2014-01-16 22:46 +0100]:
> Ok, let's ignore it. Marked as such in the Debian Security Tracker.

Please reconsider this decision. Operators of most of the public NTP
servers (pool.ntp.org *was* founded by a DD!) don't just deploy
software aside from their distro and effectively, I think that by
ignoring the problem, Debian is actively being a part of the
vastly-increasing problem of DDoS reflection/amplification attacks.

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Mon, 27 Jan 2014 17:33:12 GMT) (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Mon, 27 Jan 2014 17:33:12 GMT) (full text, mbox, link).


Message #25 received at 733940@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: martin f krafft <madduck@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 733940@bugs.debian.org
Subject: Re: Bug#733940: [pkg-ntp-maintainers] Bug#733940: ntp: CVE-2013-5211
Date: Mon, 27 Jan 2014 18:31:40 +0100
On Mon, Jan 27, 2014 at 03:53:32PM +0100, martin f krafft wrote:
> also sprach Moritz Mühlenhoff <jmm@inutil.org> [2014-01-16 22:46 +0100]:
> > Ok, let's ignore it. Marked as such in the Debian Security Tracker.
> 
> Please reconsider this decision. Operators of most of the public NTP
> servers (pool.ntp.org *was* founded by a DD!) don't just deploy
> software aside from their distro and effectively, I think that by
> ignoring the problem, Debian is actively being a part of the
> vastly-increasing problem of DDoS reflection/amplification attacks.

I'm not sure what you're suggesting.  We ship a default config for
*years* that doesn't have these problems.  If Debian systems are
also part of the problem, it's because the administrator changed
the defaults, and changing the defaults again isn't going to fix
it.

I'm also not sure uploading a 4.2.7 development snapshot to
stable-security is a good idea, it's not even in unstable yet
since it's not yet a stable release, and I know it still has
problems.

You might also want to look at http://openntpproject.org/

If you think people from the pool are still vulnerable to this, I
suggest you contact Ask Bjørn Hansen <ask@ntppool.org> to get an
IP address and contacts.


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Mon, 27 Jan 2014 18:36:18 GMT) (full text, mbox, link).


Acknowledgement sent to martin f krafft <madduck@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Mon, 27 Jan 2014 18:36:18 GMT) (full text, mbox, link).


Message #30 received at 733940@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 733940@bugs.debian.org
Subject: Re: Bug#733940: [pkg-ntp-maintainers] Bug#733940: ntp: CVE-2013-5211
Date: Mon, 27 Jan 2014 19:35:34 +0100
also sprach Kurt Roeckx <kurt@roeckx.be> [2014-01-27 18:31 +0100]:
> I'm not sure what you're suggesting.

Neither, but ignoring the problem isn't okay either, I feel. At the
very least, Debian should pressure ntp.org to release a security
upgrade for 4.2.6… and then ideally there'd be a new keyword like
noquery except that actual NTP queries would be okay, but nothing
else.

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
"when women love us, they forgive us everything, even our crimes;
 when they do not love us, they give us credit for nothing,
 not even our virtues."
                                                   -- honoré de balzac

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Mon, 27 Jan 2014 18:57:09 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Mon, 27 Jan 2014 18:57:09 GMT) (full text, mbox, link).


Message #35 received at 733940@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: martin f krafft <madduck@debian.org>
Cc: Kurt Roeckx <kurt@roeckx.be>, 733940@bugs.debian.org
Subject: Re: Bug#733940: [pkg-ntp-maintainers] Bug#733940: ntp: CVE-2013-5211
Date: Mon, 27 Jan 2014 19:42:46 +0100
On Mon, Jan 27, 2014 at 07:35:34PM +0100, martin f krafft wrote:
> also sprach Kurt Roeckx <kurt@roeckx.be> [2014-01-27 18:31 +0100]:
> > I'm not sure what you're suggesting.
> 
> Neither, but ignoring the problem isn't okay either, I feel. At the
> very least, Debian should pressure ntp.org to release a security
> upgrade for 4.2.6… and then ideally there'd be a new keyword like
> noquery except that actual NTP queries would be okay, but nothing
> else.

You'd better propose a patch, otherwise talk is cheap.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Mon, 27 Jan 2014 18:57:13 GMT) (full text, mbox, link).


Acknowledgement sent to martin f krafft <madduck@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Mon, 27 Jan 2014 18:57:13 GMT) (full text, mbox, link).


Message #40 received at 733940@bugs.debian.org (full text, mbox, reply):

From: martin f krafft <madduck@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 733940@bugs.debian.org
Subject: Re: Bug#733940: [pkg-ntp-maintainers] Bug#733940: ntp: CVE-2013-5211
Date: Mon, 27 Jan 2014 19:52:06 +0100
also sprach martin f krafft <madduck@debian.org> [2014-01-27 19:35 +0100]:
> Neither, but ignoring the problem isn't okay either, I feel. At the
> very least, Debian should pressure ntp.org to release a security
> upgrade for 4.2.6… and then ideally there'd be a new keyword like
> noquery except that actual NTP queries would be okay, but nothing
> else.

Nevermind me, I completely misunderstood the meaning of noquery. :(

-- 
 .''`.   martin f. krafft <madduck@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
beauty, brains, availability, personality; pick any two.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Wed, 19 Feb 2014 01:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to d@delphij.net:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Wed, 19 Feb 2014 01:39:04 GMT) (full text, mbox, link).


Message #45 received at 733940@bugs.debian.org (full text, mbox, reply):

From: Xin Li <delphij@delphij.net>
To: 733940@bugs.debian.org
Subject: Re: ntp: CVE-2013-5211
Date: Tue, 18 Feb 2014 17:28:15 -0800

Hi,

Just FYI, we (FreeBSD) have disabled the 'monlist' feature by default in
our ntpd for now (so one has to explicitly enable it to be vulnerable).

Given the fact that this issue is worsening over time, I would
recommend you to consider similar mitigation measure until NTP 4.2.8
is out.

Patch can be found at:

	http://security.freebsd.org/patches/SA-14:02/ntpd.patch

(Patch can be verified against our PGP signature, see original
security advisory):

	http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc

Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die



Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Mon, 19 May 2014 20:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Michael Evans" <michael.evans@nor-consult.com>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Mon, 19 May 2014 20:48:04 GMT) (full text, mbox, link).


Message #50 received at 733940@bugs.debian.org (full text, mbox, reply):

From: "Michael Evans" <michael.evans@nor-consult.com>
To: <733940@bugs.debian.org>
Subject: ntp missing security update, previously advised service configurations allow DDoS amplification attack prior to upstream 4.2.7p26
Date: Mon, 19 May 2014 13:13:05 -0700
The severity of this bug should be critical.


The default shipped configuration file /may/ be secure, but does not
adequately document /why/ it is secure.  Previous versions of the
AccessRestrictions documentation (prior to likely someone early this year
when the NTP reflection attacks became popular) appeared to advise removing
the noquery attribute, and thus many administrators who wanted to provide a
public facing server properly followed the guidance to remove it.  Since
that time there has been no Debian security advisory that this is an
insecure modification to the configuration.  It is also not something which
someone would consider to be related even if they are aware of NTP
amplification attacks.

I am requesting a change in severity level to critical given that with
previously advised (even if not by Debian example) configurations this
software "introduces a security hole on systems where you install the
package" which may be used to provide a denial of service attack to/from
systems with the affected version/configuration.

As a temporary solution "disabling monitor" or adding "noquery" to internet
facing services is required (and //should be documented as such in config
comments// if an update to this package is not provided); however the
updated software disables the responses that are used in the reflection
attacks without completely disabling other responses that may be useful as
an NTP server.  The previously supplied FreeBSD patch appears to provide the
same type of improvement and if chosen instead should be documented as such
in the example config file (so that it is obvious this is fixed with
something not present upstream).

http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.1.3

http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211

http://www.kb.cert.org/vuls/id/348126

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Mon, 19 May 2014 21:15:07 GMT) (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Mon, 19 May 2014 21:15:07 GMT) (full text, mbox, link).


Message #55 received at 733940@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: Michael Evans <michael.evans@nor-consult.com>, 733940@bugs.debian.org
Subject: Re: [pkg-ntp-maintainers] Bug#733940: ntp missing security update, previously advised service configurations allow DDoS amplification attack prior to upstream 4.2.7p26
Date: Mon, 19 May 2014 23:13:05 +0200
On Mon, May 19, 2014 at 01:13:05PM -0700, Michael Evans wrote:
> 
> The default shipped configuration file /may/ be secure, but does not
> adequately document /why/ it is secure.  Previous versions of the
> AccessRestrictions documentation (prior to likely someone early this year
> when the NTP reflection attacks became popular) appeared to advise removing
> the noquery attribute

Please say where this appeared to have been advised.  I can't
remember this ever being recommended, at least not in the
documentation.  I think the comment in the default config file
we ship should also be more than clear enough.  I think this is
mostly a problem for people *not* reading documentation or
comments.


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#733940; Package ntp. (Mon, 19 May 2014 21:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Michael Evans" <michael.evans@nor-consult.com>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Mon, 19 May 2014 21:33:05 GMT) (full text, mbox, link).


Message #60 received at 733940@bugs.debian.org (full text, mbox, reply):

From: "Michael Evans" <michael.evans@nor-consult.com>
To: "'Kurt Roeckx'" <kurt@roeckx.be>, <733940@bugs.debian.org>
Subject: RE: [pkg-ntp-maintainers] Bug#733940: ntp missing security update, previously advised service configurations allow DDoS amplification attack prior to upstream 4.2.7p26
Date: Mon, 19 May 2014 14:31:42 -0700
I cannot comment about the current default configuration value, but at least
historically it is not clearly documented that the noquery attribute is
related to preventing NTP security issues, or even /why/ that is the Debian
default.  The previous upstream documentation (which someone would only
think to look at when initially configuring a server) lacked a warning about
the noquery attribute preventing NTP reflection attacks (it now includes it)
and currently advises either running very recent releases with that
parameter or not at all.

The quite patch supplied about 3 months ago, by description at least,
appears to be a backport of the security functionality of allowing the
'safer' query operations while disabling those which are used in NTP
reflection attacks.

Proper documentation for a config only solution to this might look something
like:

# http://support.ntp.org/bin/view/Support/AccessRestrictions  -  ALERT!
# Users of NTP versions prior to 4.2.7p26 should either use noquery or disable
# monitor to ensure their ntpd is not used in a DRDoS Amplification Attack
# Debian currently ships from the stable release tree (4.2.6) which is
# vulnerable to NTP reflection attacks /unless/ noquery is set for public
# facing responses.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery


The older, modified configuration file only referenced a local cache of and
the directly linked upstream page as documentation for these parameters,
which at least previously (at some point), did not advise setting noquery in
all circumstances.

-----Original Message-----
From: Kurt Roeckx [mailto:kurt@roeckx.be] 
Sent: Monday, May 19, 2014 2:13 PM
To: Michael Evans; 733940@bugs.debian.org
Subject: Re: [pkg-ntp-maintainers] Bug#733940: ntp missing security update,
previously advised service configurations allow DDoS amplification attack
prior to upstream 4.2.7p26

On Mon, May 19, 2014 at 01:13:05PM -0700, Michael Evans wrote:
> 
> The default shipped configuration file /may/ be secure, but does not 
> adequately document /why/ it is secure.  Previous versions of the 
> AccessRestrictions documentation (prior to likely someone early this 
> year when the NTP reflection attacks became popular) appeared to 
> advise removing the noquery attribute

Please say where this appeared to have been advised.  I can't remember this
ever being recommended, at least not in the documentation.  I think the
comment in the default config file we ship should also be more than clear
enough.  I think this is mostly a problem for people *not* reading
documentation or comments.


Kurt
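The two config-only mitigations discussed in this thread (Kurt's "use noquery and only allow queries from trusted IPs", Michael's "disable monitor or add noquery") can be audited mechanically. The script below is an added example, not code from the bug report or from the ntp project: it checks an ntp.conf for either mitigation and self-tests against constructed sample configs (the Debian default from the report, an opened-up variant, and a "disable monitor" variant; the 192.0.2.10 trusted host is a made-up address).

```shell
#!/bin/sh
# Added example, not part of the bug report or of the ntp project's code.
# A config counts as mitigated against CVE-2013-5211 when "disable monitor"
# is set (no monlist data left to reflect) or when every
# "restrict [-4|-6] default" line carries "noquery". Per-host restrict lines
# for trusted addresses may still omit noquery: that is the
# "only allow it from trusted IP addresses" pattern from the thread.

# Normalise a config: drop comments, squeeze whitespace, drop blank lines.
ntp_conf_normalise() {
    sed -e 's/#.*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' \
        -e '/^$/d' "$1"
}

# Usage: ntp_conf_audit FILE  -> exit 0 if mitigated, 1 if not.
ntp_conf_audit() {
    conf=$(ntp_conf_normalise "$1")

    # "disable monitor" removes the data source behind monlist entirely.
    if printf '%s\n' "$conf" | grep '^disable ' | grep -qw monitor; then
        echo "$1: mitigated (monitor disabled)"
        return 0
    fi

    defaults=$(printf '%s\n' "$conf" \
        | grep -E '^restrict( -[46])? default( |$)' || true)
    if [ -z "$defaults" ]; then
        # No default restriction at all: ntpd answers mode 7 queries from anyone.
        echo "$1: NOT mitigated (no 'restrict default' line)"
        return 1
    fi

    open=$(printf '%s\n' "$defaults" | grep -v -w noquery || true)
    if [ -n "$open" ]; then
        echo "$1: NOT mitigated, default restriction lacks noquery:"
        printf '    %s\n' "$open"
        return 1
    fi

    echo "$1: mitigated (noquery on every default restriction)"
    return 0
}

# Constructed sample configs for a self-test; writes a temp file, prints its path.
ntp_conf_sample() {
    f=$(mktemp)
    case "$1" in
        debian)    # Debian's shipped default, as quoted in the report
            cat > "$f" <<'EOF'
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
EOF
            ;;
        opened)    # noquery dropped from the IPv4 default line
            cat > "$f" <<'EOF'
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer noquery
restrict 192.0.2.10   # trusted admin host (constructed address)
EOF
            ;;
        nomonitor) # open defaults, but the monitor facility is switched off
            cat > "$f" <<'EOF'
disable monitor
restrict default kod nomodify nopeer
EOF
            ;;
    esac
    echo "$f"
}
```

Run `ntp_conf_audit /etc/ntp.conf` on a host to get a one-line verdict; a non-zero exit means the default restriction still answers mode 7 queries from arbitrary sources.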





Reply sent to Bernhard Schmidt <berni@birkenwald.de>:
You have taken responsibility. (Thu, 16 Aug 2018 21:09:06 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 16 Aug 2018 21:09:06 GMT) (full text, mbox, link).


Message #65 received at 733940-done@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@birkenwald.de>
To: Moritz Muehlenhoff <jmm@inutil.org>, 733940-done@bugs.debian.org
Subject: Re: Bug#733940: ntp: CVE-2013-5211
Date: Thu, 16 Aug 2018 23:07:51 +0200
Version: 1:4.2.8p3+dfsg-1

On Thu, Jan 02, 2014 at 02:04:04PM +0100, Moritz Muehlenhoff wrote:

Hi,

> This was assigned CVE-2013-5211:
> https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
> http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
> 
> Upstream ripped out monlist in favour of mrulist:
> http://bugs.ntp.org/show_bug.cgi?id=1531
> http://bugs.ntp.org/show_bug.cgi?id=1532

Since this was fixed in 4.2.8 (included in Stretch) and deemed no-dsa by
the security-team I'm closing this bug with the first fixed version in
the archive.

Bernhard



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 Sep 2018 07:26:16 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:53:19 2019; Machine Name: buxtehude
