NTP security hole CVE-2013-5211?
Brett Glass
brett at lariat.org
Sat Mar 15 03:35:59 UTC 2014
At 02:27 PM 3/14/2014, Dimitry Andric wrote:
>It looks like you missed
>http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc
>then? Which was released on Jan 14, and has all the instructions
>how to patch your system.
I did not miss the advisory. The "solution" given in the advisory
-- patching ntpd -- is necessary but not sufficient. The
configuration file must also be changed, because the system will
still serve as a relay for attacks if the default ntp.conf (or one
like it) is used. The lines
# Stop amplification attacks via NTP servers
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
# Note: Comment out these lines on machines without IPv6
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1
Note that these lines are similar to those in the "workaround"
section of the advisory but add the command "disable monitor" and
add the "kod" option (which may quell queries from some exploited systems).
--Brett Glass
More information about the freebsd-security
mailing list