Date: Tue, 14 Jan 2014 13:41:02 +0100
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-security@freebsd.org
Cc: delphij@delphij.net
Subject: Re: NTP security hole CVE-2013-5211?
Message-ID: <20140114134102.2be3198b@mr185083>
In-Reply-To: <52CF82C0.9040708@delphij.net>
References: <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net>
On Thu, 09 Jan 2014 21:18:56 -0800, Xin Li <delphij@delphij.net> wrote:

> On 1/9/14, 6:12 AM, Palle Girgensohn wrote:
> >
> > On 9 Jan 2014 at 15:08, Eugene Grosbein <eugen@grosbein.net> wrote:
> >
> >> On 09.01.2014 19:38, Palle Girgensohn wrote:
> >>> They recommend at least 4.2.7. Any thoughts about this?
> >>
> >> Other than updating ntpd, you can filter out requests to the
> >> 'monlist' command with the 'restrict ... noquery' option, which
> >> disables some queries for the internal ntpd status, including
> >> 'monlist'.
> >>
> >> See http://support.ntp.org/bin/view/Support/AccessRestrictions
> >> for details.
> >
> > Yes. But shouldn't there be a security advisory for FreeBSD
> > specifically?
>
> We will have an advisory next week. If an NTP server is properly
> configured, it's likely that they are not affected (the old FreeBSD
> default is a little bit vague on how to properly configure the daemon,
> though; the new default on -CURRENT and supported -STABLE branches
> should be sufficient to provide protection).

I've tried the -current ntpd.conf. Looks good here; my ntpd (used as a client) has been under attack for two days :( (15000 packets/s in). Ntpd does not reply anymore, but it eats more CPU (~8%); for a client, the best option is to filter port udp/123.

The attack is on the ntp command "MON_GETLIST".

Regards,
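As an added illustration of the 'restrict ... noquery' mitigation discussed in the thread (example code written for this archive page, not FreeBSD's or ntpd's own), the script below audits the restrict lines of an ntp.conf and reports which address scopes would still be answered for mode 7 status queries such as monlist; the two configuration fragments are constructed samples, not the actual FreeBSD defaults.

```python
from typing import Dict, List

# Constructed sample: no restrict lines at all, so ntpd answers every
# mode 6/7 query (including monlist) from any host.
EXPOSED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
# no restrict lines: every status query, including monlist, is answered
"""

# Constructed sample in the spirit of the hardened default: queries are
# refused by default, and only localhost keeps unrestricted access.
HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

LOCALHOST = ("127.0.0.1", "::1")


def audit_restrict(conf: str) -> List[str]:
    """Return findings for scopes from which ntpd would answer mode 7
    queries such as monlist.  'noquery' or 'ignore' blocks them; a plain
    'restrict default' covers both IP families, '-4'/'-6' narrows it."""
    findings: List[str] = []
    seen_default: Dict[str, bool] = {"-4": False, "-6": False}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        family = None
        if tokens and tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)
        if not tokens:
            continue
        addr = tokens.pop(0)
        if tokens[:1] == ["mask"]:               # skip 'mask <netmask>'
            tokens = tokens[2:]
        flags = set(tokens)
        if addr == "default":
            for fam in ([family] if family else ["-4", "-6"]):
                seen_default[fam] = True
        if not ({"noquery", "ignore"} & flags) and addr not in LOCALHOST:
            findings.append(f"{addr}: queries allowed, flags={sorted(flags) or 'none'}")
    for fam, seen in seen_default.items():
        if not seen:
            findings.append(f"no 'restrict {fam} default' line: unlisted {fam} hosts may query")
    return findings
```

Run `audit_restrict()` on your own ntp.conf; an empty result means every non-localhost scope refuses status queries.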