From owner-freebsd-security@FreeBSD.ORG Sat Mar 15 03:35:59 2014
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DCB932C2; Sat, 15 Mar 2014 03:35:59 +0000 (UTC)
Received: from mail.lariat.net (mail.lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 7EFDA403; Sat, 15 Mar 2014 03:35:58 +0000 (UTC)
Received: from Toshi.lariat.org (IDENT:ppp1000.lariat.net@localhost [127.0.0.1]) by mail.lariat.net (8.9.3/8.9.3) with ESMTP id VAA27118; Fri, 14 Mar 2014 21:35:53 -0600 (MDT)
Message-Id: <201403150335.VAA27118@mail.lariat.net>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Fri, 14 Mar 2014 21:30:30 -0600
To: Dimitry Andric
From: Brett Glass
Subject: Re: NTP security hole CVE-2013-5211?
In-Reply-To: <106CC1B8-932F-44CD-B307-C5B470359ABD@FreeBSD.org>
References: <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch> <201403141700.LAA21140@mail.lariat.net> <106CC1B8-932F-44CD-B307-C5B470359ABD@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Cc: freebsd-security@FreeBSD.org, Fabian Wenk
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Sat, 15 Mar 2014 03:35:59 -0000

At 02:27 PM 3/14/2014, Dimitry Andric wrote:
>It looks like you missed
>http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc
>then? Which was released on Jan 14, and has all the instructions
>how to patch your system.

I did not miss the advisory.
The "solution" given in the advisory -- patching ntpd -- is necessary but not sufficient. The configuration file must also be changed, because the system will still serve as a relay for attacks if the default ntp.conf (or one like it) is used. The lines:

# Stop amplification attacks via NTP servers
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
# Note: Comment out these lines on machines without IPv6
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1

Note that these lines are similar to those in the "workaround" section of the advisory but add the command "disable monitor" and add the "kod" option (which may quell queries from some exploited systems).

--Brett Glass
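An added example, not part of this message, the FreeBSD advisory or ntpd itself: a small audit script that reads an ntp.conf and reports whether it carries the hardening the message describes, that is "disable monitor" plus a "restrict default" line for each address family with the kod/nomodify/notrap/nopeer/noquery flags. The script assumes that an unqualified "restrict default" line applies to both IPv4 and IPv6 (as in current ntpd) and that "-4"/"-6" narrow it to one family; the two embedded configurations are constructed for illustration (the permissive one is not a copy of any shipped default). Running it as "python3 ntpconf_audit.py /etc/ntp.conf" prints one line per finding and exits non-zero when anything is missing.

```python
"""Audit an ntp.conf for the NTP monlist/amplification hardening.

Added example; not code from the mailing-list message, the advisory or ntpd.
Assumption: an unqualified 'restrict default' applies to both IPv4 and IPv6,
'restrict -4 default' / 'restrict -6 default' apply to one family only.
"""
import sys

# Flags the message's hardened 'restrict default' lines carry.
HARDENING_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

# Constructed sample: a permissive configuration that still answers queries.
PERMISSIVE_CONF = """\
server 0.pool.ntp.org iburst
restrict default nomodify notrap
restrict 127.0.0.1
"""

# The configuration lines quoted in the message above.
HARDENED_CONF = """\
# Stop amplification attacks via NTP servers
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
# Note: Comment out these lines on machines without IPv6
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1
"""


def parse_ntp_conf(text):
    """Return (monitor_disabled, defaults).

    defaults maps '-4' / '-6' to the set of flags on the 'restrict default'
    line that governs that family; later lines override earlier ones.
    """
    monitor_disabled = False
    defaults = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in ("disable", "enable") and "monitor" in words[1:]:
            monitor_disabled = words[0] == "disable"
        elif words[0] == "restrict":
            rest = words[1:]
            families = ["-4", "-6"]  # assumption: unqualified => both
            if rest and rest[0] in ("-4", "-6"):
                families = [rest[0]]
                rest = rest[1:]
            if rest and rest[0] == "default":
                for fam in families:
                    defaults[fam] = set(rest[1:])
    return monitor_disabled, defaults


def audit_ntp_conf(text):
    """Return a list of human-readable findings; empty means hardened."""
    monitor_disabled, defaults = parse_ntp_conf(text)
    findings = []
    if not monitor_disabled:
        findings.append("monitor not disabled: monlist replies remain available "
                        "for amplification")
    for fam in ("-4", "-6"):
        flags = defaults.get(fam)
        if flags is None:
            findings.append(f"no 'restrict {fam} default' line: {fam} clients "
                            "are unrestricted")
            continue
        if "ignore" in flags:
            continue  # everything from that family is dropped; nothing to add
        missing = HARDENING_FLAGS - flags
        if missing:
            findings.append(f"restrict {fam} default is missing: "
                            + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            conf = fh.read()
    else:
        conf = PERMISSIVE_CONF
    problems = audit_ntp_conf(conf)
    for p in problems:
        print("FINDING:", p)
    if not problems:
        print("ok: monitor disabled and default restrictions in place")
    sys.exit(1 if problems else 0)
```

Only "noquery" actually stops monlist and other mode 6/7 queries; the other flags are reported too because the message's lines set them and because "nopeer"/"nomodify" close adjacent abuse paths (the "kod" flag only changes how refusals are answered).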