CVE-2013-5211 ntp DDoS

Bug #1268543 reported by Matteo Bertini
This bug affects 10 people
Affects        Status         Importance   Assigned to   Milestone
ntp (Debian)   Fix Released   Unknown
ntp (Ubuntu)   Won't Fix      Undecided    Unassigned

Bug Description

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211

http://bugs.ntp.org/show_bug.cgi?id=1532
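As an added example (not from the bug report, from ntp, or from any commenter), the Python below builds the REQ_MON_GETLIST_1 request named in the description, decodes the reply packets and computes the amplification factor that makes the bug a DDoS vector. The constants and the 72-byte info_monitor_1 record layout are taken from ntp_request.h as I recall them and should be checked against the source; the reply used for the offline run is constructed, not captured traffic. The probe() helper sends a real request over UDP/123 and is only for servers you are authorized to test.

```python
"""Added example: build the mode 7 monlist request and parse the replies, to measure amplification."""
import socket
import struct

# Field values from ntp_request.h in ntp 4.2.x as I recall them; verify against the source.
NTP_MODE_PRIVATE = 7            # "private" mode used by ntpdc
IMPL_XNTPD = 3                  # implementation number ntpd answers to
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42          # what "ntpdc -c monlist" sends
INFO_MONITOR_1_SIZE = 72        # sizeof(struct info_monitor_1) in the reply
HDR = struct.Struct("!BBBBHH")  # rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize


def build_monlist_request(reqcode=REQ_MON_GETLIST_1, version=2, seq=0):
    """Header-only 8-byte request: R=0, M=0, VN=version, mode=7, no data.
    The victim's address goes into the (spoofed) IP header, which is why the reply is amplification."""
    first = (version << 3) | NTP_MODE_PRIVATE
    return HDR.pack(first, seq & 0x7F, IMPL_XNTPD, reqcode, 0, 0)


def parse_monlist_reply(pkt):
    """Decode one reply packet into its header fields and (ip, packet count) items."""
    if len(pkt) < HDR.size:
        raise ValueError("short packet")
    first, auth_seq, impl, reqcode, err_nitems, mbz_isize = HDR.unpack_from(pkt)
    if (first & 0x07) != NTP_MODE_PRIVATE or not (first & 0x80):
        raise ValueError("not a mode 7 response (R bit clear)")
    info = {
        "more": bool(first & 0x40),       # M bit: further packets follow
        "seq": auth_seq & 0x7F,
        "error": err_nitems >> 12,        # non-zero: e.g. INFO_ERR_NODATA when monitor is disabled
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_isize & 0x0FFF,
        "items": [],
    }
    body = pkt[HDR.size:]
    for i in range(info["nitems"]):
        rec = body[i * info["itemsize"]:(i + 1) * info["itemsize"]]
        if len(rec) < info["itemsize"]:
            raise ValueError("truncated item")
        if info["itemsize"] == INFO_MONITOR_1_SIZE:
            # info_monitor_1 begins: lasttime, firsttime, restr, count, addr (u_int32 each)
            count = struct.unpack("!I", rec[12:16])[0]
            info["items"].append((socket.inet_ntoa(rec[16:20]), count))
    return info


def amplification_factor(request, replies):
    """Bytes the server sends per byte the attacker spent: the figure that makes this a DDoS."""
    return sum(len(r) for r in replies) / len(request)


def build_constructed_reply(entries, seq=0, more=False, version=2):
    """Constructed fixture (not captured traffic): a reply laid out like ntpd's, 72-byte records."""
    first = 0x80 | (0x40 if more else 0) | (version << 3) | NTP_MODE_PRIVATE
    hdr = HDR.pack(first, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                   len(entries) & 0x0FFF, INFO_MONITOR_1_SIZE)
    body = b"".join(
        (struct.pack("!IIII", 0, 0, 0, n) + socket.inet_aton(ip)).ljust(INFO_MONITOR_1_SIZE, b"\0")
        for ip, n in entries)
    return hdr + body


def probe(host, timeout=2.0):
    """Send one request to a server you are authorized to test and collect its replies (UDP/123)."""
    req = build_monlist_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 123))
        replies = []
        try:
            while True:
                pkt, _ = s.recvfrom(1500)
                replies.append(pkt)
                if not parse_monlist_reply(pkt)["more"]:
                    break
        except socket.timeout:
            pass
    return req, replies


if __name__ == "__main__":
    req = build_monlist_request()
    # six 72-byte records per packet: 8 + 6 * 72 = 440 bytes per reply (constructed addresses, RFC 5737)
    reply = build_constructed_reply([(f"198.51.100.{i}", i * 10) for i in range(1, 7)])
    info = parse_monlist_reply(reply)
    print(req.hex(), len(reply), info["items"][:2], amplification_factor(req, [reply]))
```

Each constructed six-record reply is 440 bytes against an 8-byte request, a 55x factor per packet before counting the several packets a server with a long MRU list returns (the M bit tells you more are coming). A server hardened as described later in this report answers the same request with an error code rather than records, or not at all when the query is refused.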

Robie Basak (racb)
information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ntp (Ubuntu):
status: New → Confirmed
Sven Neuhaus (sven0) wrote :

There are some configuration changes, described at http://www.meinbergglobal.com/english/news/meinberg-security-advisory-mbgsa-1401-ntp-monlist-network-traffic-amplification-attacks.htm, that can help mitigate this issue until an updated package is released.

Marc Deslauriers (mdeslaur) wrote :

The default ntp.conf in Ubuntu contains noquery, so monlist is disabled by default. Sites that need monlist should restrict it from known trusted IPs. Upstream has now removed monlist in ntp in favour of mrulist.

Since the default configuration isn't vulnerable, there is a recommended way to configure it for sites that require it, and the changes would be too intrusive to backport, we have no plans to fix this in our stable releases.

When upstream releases 4.2.8, it will likely make its way to Ubuntu from Debian.
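As an added illustration (not the Ubuntu package's code and not posted by any commenter), the Python below audits an ntp.conf for the exposure discussed above: it flags a default restrict line that lacks noquery (or is missing altogether, which ntpd treats as permit-all) and lists the sources that may still query. The weak and hardened configurations are constructed for the example; the hardened one reproduces the restrict lines Ubuntu ships by default, adds one trusted monitoring host (192.0.2.10, an RFC 5737 documentation address) in the way the comment recommends, and the audit also honours upstream's "disable monitor" directive, which stops ntpd keeping the list that monlist returns.

```python
"""Added example: audit ntp.conf text for CVE-2013-5211 exposure (is monlist reachable by anyone?)."""
from dataclasses import dataclass, field


@dataclass
class NtpConfAudit:
    monitor_disabled: bool = False                      # "disable monitor" present
    # Does the default restrict entry for each address family carry noquery (or ignore)?
    default_noquery: dict = field(default_factory=lambda: {"ipv4": False, "ipv6": False})
    query_sources: list = field(default_factory=list)   # explicit restrict entries that still allow queries

    @property
    def monlist_open_to_internet(self) -> bool:
        """True when an arbitrary (spoofable) source can obtain monlist replies."""
        if self.monitor_disabled:
            return False            # nothing to return: the MRU list is not kept
        # No "restrict default" for a family means ntpd permits everything, including mode 7 queries.
        return not all(self.default_noquery.values())


def audit_ntp_conf(text: str) -> NtpConfAudit:
    """Read restrict/disable lines the way ntpd's config grammar does (assumed subset of the syntax)."""
    audit = NtpConfAudit()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "disable" and "monitor" in tok[1:]:
            audit.monitor_disabled = True
            continue
        if tok[0] != "restrict" or len(tok) < 2:
            continue
        args = tok[1:]
        families = ["ipv4", "ipv6"]                  # bare "restrict default" covers both families
        if args[0] in ("-4", "-6"):
            families = ["ipv4"] if args[0] == "-4" else ["ipv6"]
            args = args[1:]
        if not args:
            continue
        addr, flags = args[0], args[1:]
        if flags[:1] == ["mask"]:
            flags = flags[2:]                        # skip "mask a.b.c.d"
        flags = set(flags)
        blocks_queries = "noquery" in flags or "ignore" in flags
        if addr == "default":
            for fam in families:
                audit.default_noquery[fam] = blocks_queries
        elif not blocks_queries:
            audit.query_sources.append(addr)
    return audit


# Constructed example configurations (not taken from a real host).
WEAK_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.ubuntu.pool.ntp.org iburst
# forbids modification but forgets noquery, so mode 7 monlist is answered for any source
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.ubuntu.pool.ntp.org iburst
# Ubuntu's shipped defaults: queries refused from everywhere except localhost
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
# one trusted monitoring host (RFC 5737 documentation address) may still run monlist
restrict 192.0.2.10 nomodify notrap
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        a = audit_ntp_conf(conf)
        print(f"{name}: monlist open to internet={a.monlist_open_to_internet}, "
              f"query sources={a.query_sources}")
```

Run it against a copy of /etc/ntp.conf (`audit_ntp_conf(open('/etc/ntp.conf').read())`) before relying on the "default is safe" reasoning in the comment: an admin who replaced the shipped restrict lines, or who only restricted -4 and left -6 unrestricted, is back in the vulnerable state. Adding `disable monitor` is the belt-and-braces option for hosts that never need monlist at all.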

Changed in ntp (Ubuntu):
status: Confirmed → Won't Fix
Changed in ntp (Debian):
status: Unknown → New
Changed in ntp (Debian):
status: New → Fix Released