From: Patrick Lamaiziere
To: freebsd-security@freebsd.org
Cc: delphij@delphij.net
Date: Tue, 14 Jan 2014 13:41:02 +0100
Subject: Re: NTP security hole CVE-2013-5211?
Message-ID: <20140114134102.2be3198b@mr185083>
In-Reply-To: <52CF82C0.9040708@delphij.net>
References: <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net>

On Thu, 09 Jan 2014 21:18:56 -0800, Xin Li wrote:

> On 1/9/14, 6:12 AM, Palle Girgensohn wrote:
> >
> > On 9 Jan 2014 at 15:08, Eugene Grosbein wrote:
> >
> >> On 09.01.2014 19:38, Palle Girgensohn wrote:
> >>> They recommend at least 4.2.7. Any thoughts about this?
> >>
> >> Other than updating ntpd, you can filter out requests to the
> >> 'monlist' command with the 'restrict ... noquery' option, which
> >> disables some queries for the internal ntpd status, including
> >> 'monlist'.
> >>
> >> See http://support.ntp.org/bin/view/Support/AccessRestrictions
> >> for details.
> >
> > Yes. But shouldn't there be a security advisory for FreeBSD
> > specifically?
>
> We will have an advisory next week. If an NTP server is properly
> configured, it's likely that they are not affected (the old FreeBSD
> default is a little bit vague on how to properly configure the daemon,
> though; the new default on -CURRENT and supported -STABLE branches
> should be sufficient to provide protection).

I've tried the -current ntpd.conf. Looks good here; my ntpd (used as a client) has been under attack for two days :( (15000 packets/s in). Ntpd does not reply anymore, but it eats more CPU (~8%); for a client the best is to filter out port udp/123.

The attack is on the ntp command "MON_GETLIST".

Regards,
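To make the 'restrict ... noquery' mitigation discussed in the thread concrete, here is an ntp.conf fragment added as an example for this archive page; it is not the FreeBSD default file and not text from any poster. It places an over-permissive "before" configuration (the kind that answers monlist from anyone) beside a hardened "after" one. The server name is a placeholder.

```conf
# --- BEFORE (weak): every host may query ntpd status, including monlist ---
# A bare "restrict default" line grants all query types to all sources, so
# the daemon will answer MON_GETLIST (mode 7 "monlist") for any spoofed
# source address and becomes an amplification reflector.
#restrict default
#server 0.pool.example.invalid iburst   # placeholder server name

# --- AFTER (hardened): deny status queries from the network ---
# "noquery" refuses ntpq/ntpdc control and monitoring queries (monlist among
# them) while still serving ordinary time requests. The other flags stop
# remote configuration changes (nomodify), trap registration (notrap) and
# unsolicited peering (nopeer); "kod" sends kiss-o'-death rate-limit replies.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Loopback stays unrestricted so local "ntpq -p" and similar still work.
restrict 127.0.0.1
restrict -6 ::1

# Belt and braces: switch off the monitoring subsystem entirely, so the
# monlist data set is never collected at all.
disable monitor

# Upstream source (placeholder name, replace with your real pool/server).
server 0.pool.example.invalid iburst
```

After restarting ntpd, a local `ntpq -p` should still show peers (loopback is exempted), whereas the same queries arriving on an external interface are refused. For a pure client that never serves time to others, the poster's advice still applies on top of this: dropping unsolicited inbound udp/123 at the packet filter keeps the attack traffic off the daemon altogether, since a stateful filter will still let the replies to the client's own outbound requests through.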