Bug 889447

Summary: NTP vulnerable to NTP Amplification Attacks Using CVE-2013-5211
Product: [openSUSE] openSUSE 13.1
Reporter: Forgotten User 1-yzHWP3HO <forgotten_1-yzHWP3HO>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: meissner
Version: Final
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 13.1

Description Forgotten User 1-yzHWP3HO 2014-07-29 21:05:36 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0

see:

https://www.us-cert.gov/ncas/alerts/TA14-013A

I have seen this working on fully patched 13.1 systems. I am pretty sure older versions and platforms, as well as SLES, are also affected.


Reproducible: Always

Actual Results:  
13:31 <xxxx> ntpdc> monlist
13:31 <xxxx> remote address          port local address      count m ver rstr avgint  lstint
13:31 <xxxx> ===============================================================================
13:31 <xxxx> ntp2.m-online.net        123 188.40.154.1           1 4 4      0     48      48
[etc]

Expected Results:  
14:54 <snowpa> roeland.cust.sigio.nl: timed out, nothing received
14:54 <snowpa> ***Request timed out
14:54 <snowpa> ntpdc> 


adding to /etc/ntp.conf:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

and restart, mitigates this for the moment.
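
A check for the mitigation described in the report above, as an added example that is not part of the original report or of the ntp package: it parses ntp.conf text and reports whether the IPv4 and IPv6 default `restrict` entries carry `noquery`. The sample configurations are constructed, and treating an unflagged `restrict default` as IPv4-only is an assumption taken from the report's two-line form.

```python
# Flag from the report that makes ntpd ignore ntpdc/ntpq queries such as monlist.
REQUIRED_FLAG = "noquery"

def default_restrict_flags(conf_text):
    """Map 'ipv4'/'ipv6' to the flag set on its default restrict entry (None if absent)."""
    found = {"ipv4": None, "ipv6": None}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop trailing comments
        if not tokens or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "ipv4"   # assumption: no -4/-6 qualifier means the IPv4 default
        if args and args[0] in ("-4", "-6"):
            family = "ipv6" if args[0] == "-6" else "ipv4"
            args = args[1:]
        if not args or args[0] != "default":
            continue                               # host/subnet entries are out of scope
        flags = set(args[1:])
        # Several default lines for one family: keep only flags present on all
        # of them, so the result never overstates the restriction.
        found[family] = flags if found[family] is None else found[family] & flags
    return found

def audit(conf_text):
    """Return a list of findings; an empty list means both defaults block queries."""
    findings = []
    for family, flags in default_restrict_flags(conf_text).items():
        if flags is None:
            findings.append(f"{family}: no 'restrict default' line")
        elif REQUIRED_FLAG not in flags:
            findings.append(f"{family}: default restrict lacks {REQUIRED_FLAG}")
    return findings

# Constructed sample: the two lines quoted in the report.
HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

# Constructed sample: IPv4 default without noquery, no IPv6 default at all.
WEAK = """\
restrict default kod nomodify notrap nopeer   # noquery missing
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(text) or "ok")
```

To check a live system, pass the contents of /etc/ntp.conf to `audit()`; ntpd has to be restarted before a changed file takes effect.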

Comment 1 Marcus Meissner 2014-07-30 06:12:01 UTC
We have published an advisory for this and will soon be publishing an ntp update with adjusted default templates.

http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00005.html

http://support.novell.com/security/cve/CVE-2013-5211.html

*** This bug has been marked as a duplicate of bug 857195 ***