[ntp:security] NTP Mode 6 readvar Amplification Issue
Thomas, Sean A
thoma59d at erau.edu
Thu Oct 9 21:14:21 UTC 2014
All,
There is the potential for abuse of the NTP Version Command (Mode 6 query
READVAR) which can be used in an amplification attack. Based on reports
from the ShadowServer Foundation, the command:
ntpq -c rv [ip]
can be used to generate approximately 30x amplification. We would like to
know why this has not been identified as a "bug" nor a CVE issued
accordingly. Can Mitre please issue a CVE for this issue, and NTP.org
provide appropriate mitigations and/or an updated version of the product
which is not susceptible to this?
One of my colleagues has implemented a change in the ntp.conf file on one
susceptible system:
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
which effectively stops all ntpq and ntpdc queries. This appears to be a
limited-use mitigation, as there may be a legitimate use for these queries,
and there may be some as-yet unobserved consequences. The impact of this
mitigation will vary depending on implementation and environment. This
issue appears to impact many implementations of NTP.
I have linked several references below based on the limited information
provided to us in the notification from ShadowServer when the susceptible
system was discovered.
https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Version
https://ntpscan.shadowserver.org/
http://rapid7.org/db/vulnerabilities/ntp-clock-variables-disclosure
A thorough search of the CVE database has resulted in only one hit for the
keyword "readvar" which is for what appears to be an unrelated issue.
Thank you,
Sean
_____
Sean A. Thomas, GCED, GCFA
Systems Administrator - IT Security Services
Information Technology
Embry-Riddle Aeronautical University
Daytona Beach, FL
Office: 386-226-6193
Sean.Thomas at erau.edu
Any technology questions or issues, please contact IT Support at
386-226-6990
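
Added example, not part of the original message and not NTP.org code: a small Python check that models how the restrict lines quoted above decide whether an ntpq/ntpdc query from a given source address is answered. The function names, the sample addresses and the matching model (most specific entry wins, repeated entries merge flags, a bare "default" covers IPv4 and IPv6) are assumptions of this example.

```python
import ipaddress

# Constructed sample: the two restrict lines quoted in the message above.
HARDENED = """\
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
# Constructed sample: the same default line without noquery.
OPEN = "restrict default nomodify notrap nopeer\n"

def parse_restrict(conf_text):
    """Map each restricted network to its flag set."""
    rules = {}
    for line in conf_text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = tok[1:]
        family = tok.pop(0) if tok[0] in ("-4", "-6") else None
        if not tok:
            continue
        addr = tok.pop(0)
        if addr == "default":
            # Modelling assumption: a bare "default" covers IPv4 and IPv6.
            nets = {"-4": ["0.0.0.0/0"], "-6": ["::/0"]}.get(family, ["0.0.0.0/0", "::/0"])
        elif tok[:1] == ["mask"] and len(tok) >= 2:
            nets, tok = [addr + "/" + tok[1]], tok[2:]
        else:
            nets = [addr]  # no mask given: a single host
        for n in nets:
            try:
                net = ipaddress.ip_network(n, strict=False)
            except ValueError:
                continue  # hostnames, "source", IPv6 masks: not modelled here
            # Modelling assumption: flags for a repeated entry are merged.
            rules.setdefault(net, set()).update(tok)
    return rules

def queries_allowed(rules, source):
    """True if ntpq/ntpdc queries from `source` would be answered."""
    ip = ipaddress.ip_address(source)
    hits = [n for n in rules if n.version == ip.version and ip in n]
    if not hits:
        return True  # nothing matches: treated as unrestricted
    best = max(hits, key=lambda n: n.prefixlen)  # most specific entry wins
    return not rules[best] & {"noquery", "ignore"}

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("open", OPEN)):
        for src in ("127.0.0.1", "203.0.113.5"):
            print(name, src, queries_allowed(parse_restrict(conf), src))
```

Running the same check with a management subnet in place of 127.0.0.1 shows whether monitoring hosts keep query access while the default entry still refuses everyone else.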