[ntp:security] NTP Mode 6 readvar Amplification Issue

Thomas, Sean A thoma59d at erau.edu
Thu Oct 9 21:14:21 UTC 2014


All,

There is the potential for abuse of the NTP Version Command (Mode 6 query
READVAR) which can be used in an amplification attack.  Based on reports
from the ShadowServer Foundation, the command:

ntpq -c rv [ip]

can be used to generate approximately 30x amplification.  We would like to
know why this has not been identified as a "bug" nor a CVE issued
accordingly.  Can Mitre please issue a CVE for this issue, and NTP.org
provide appropriate mitigations and/or an updated version of the product
which is not susceptible to this?

One of my colleagues has implemented a change in the ntp.conf file on one
susceptible system:

restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1

which effectively stops all ntpq and ntpdc queries.  This appears to be a
limited-use mitigation, as there may be a legitimate use for these queries,
and there may be some as-yet unobserved consequences.  The impact of this
mitigation will vary depending on implementation and environment.  This
issue appears to impact many implementations of NTP.

I have linked several references below based on the limited information
provided to us in the notification from ShadowServer when the susceptible
system was discovered.

https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Version
https://ntpscan.shadowserver.org/
http://rapid7.org/db/vulnerabilities/ntp-clock-variables-disclosure

A thorough search of the CVE database has resulted in only one hit for the
keyword "readvar", which is for what appears to be an unrelated issue.

Thank you,

Sean

  _____  

Sean A. Thomas, GCED, GCFA
Systems Administrator - IT Security Services
Information Technology
Embry-Riddle Aeronautical University
Daytona Beach, FL
Office: 386-226-6193
Sean.Thomas at erau.edu

Any technology questions or issues, please contact IT Support at
386-226-6990
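An added audit script (not part of Sean's message or the ntp project's code) that reads the restrict lines of an ntp.conf the way ntpd applies them and reports whether the default restriction still answers mode 6 queries such as READVAR from arbitrary remote hosts. It relies on ntpd's documented restrict semantics (noquery denies ntpq/ntpdc queries while ordinary time service continues; a bare "restrict default" covers both IPv4 and IPv6), and the two sample configurations are constructed: one with the restrict lines described above, one that omits noquery.

```python
from typing import Dict, List, Set

# Constructed sample configurations (not taken from the message above). The
# first carries the restrict lines the message describes; the second denies
# modification only, so READVAR is still answered for any source address.
HARDENED_CONF = """
server 0.pool.ntp.org iburst
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
OPEN_CONF = """
server 0.pool.ntp.org iburst
restrict default nomodify notrap nopeer   # no noquery: mode 6 still answered
restrict 127.0.0.1
"""
# Flags that stop ntpd answering mode 6/7 (ntpq/ntpdc) queries from a source;
# noquery leaves ordinary time service untouched, ignore drops everything.
QUERY_BLOCKING = {"noquery", "ignore"}

def parse_restrict(conf: str) -> Dict[str, Set[str]]:
    """Map each restricted address to its flag set; a bare 'restrict default'
    is stored under both '-4 default' and '-6 default', last line wins."""
    rules: Dict[str, Set[str]] = {}
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens, family = tokens[1:], ""
        if tokens[0] in ("-4", "-6"):
            family = tokens.pop(0) + " "
        if not tokens:
            continue
        addr, flags = tokens[0], tokens[1:]
        if len(flags) >= 2 and flags[0] == "mask":   # restrict NET mask MASK ...
            addr, flags = addr + "/" + flags[1], flags[2:]
        if addr != "default":
            keys = [addr]
        else:
            keys = [family + addr] if family else ["-4 default", "-6 default"]
        for key in keys:
            rules[key] = set(flags)
    return rules

def remote_readvar_exposed(conf: str) -> List[str]:
    """Address families whose default restriction still answers mode 6 queries
    from arbitrary remote hosts (no default restriction at all answers everyone)."""
    rules = parse_restrict(conf)
    return [fam for fam, key in (("ipv4", "-4 default"), ("ipv6", "-6 default"))
            if not (rules.get(key, set()) & QUERY_BLOCKING)]
```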