NetBSD Security Advisory 2014-002
=================================

Topic:          ntpd used as DDoS amplifier

Version:        NetBSD-current:         source prior to Dec 27th, 2013
                NetBSD 6.1:             affected
                NetBSD 6.0 - 6.0.2:     affected
                NetBSD 5.1 - 5.1.2:     affected
                NetBSD 5.2:             affected

Severity:       DDoS participation

Fixed:          NetBSD-current:         Dec 27th, 2013
                NetBSD-6-0 branch:      Jan 6th, 2014
                NetBSD-6-1 branch:      Jan 6th, 2014
                NetBSD-6 branch:        Jan 6th, 2014
                NetBSD-5-2 branch:      Jan 6th, 2014
                NetBSD-5-1 branch:      Jan 6th, 2014
                NetBSD-5 branch:        Jan 6th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported. It is
recommended that all users upgrade to a supported release.


Abstract
========

An administrative query function is being abused by attackers to turn ntp
servers into traffic amplifiers. The new version no longer offers this query
option.


Technical Details
=================

The monlist function, which is available in ntp prior to 4.2.7 to requestors
who are allowed to 'query', yields potentially sizeable traffic in response to
a small query packet, and can thus be used for amplification attacks.


Solutions and Workarounds
=========================

Workaround: in ntp.conf, setting 'restrict default noquery' will prevent
amplification to random targets (the remaining targets would be those allowed
to query by their own restrict entries). Note that this setting does not
disallow time synchronization, but only querying for the list of peers and
other administrative and informative data.

See /usr/share/doc/html/ntp/accopt.html for information on ntpd access
control configuration options.

Solution: Update the ntpd binary so it no longer offers the abused function,
and update ntp.conf so it offers less attack surface.
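As an added example, not part of this advisory, the following POSIX shell script (using awk) audits an ntp.conf for the workaround above: it checks that the 'restrict default' line carries 'noquery' and lists the other restrict entries that still permit queries, i.e. the remaining targets the workaround leaves. The two sample configurations it writes under mktemp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory: audit ntp.conf for 'restrict default noquery'.
# default_has_noquery: exit 0 when the 'restrict default' line carries 'noquery'
# (mode 7 queries such as monlist refused for clients not listed elsewhere),
# 1 when the line is missing or lacks the flag. Comments are stripped first,
# so a commented-out line does not count as present.
default_has_noquery() {
    sed 's/#.*//' "$1" | awk '
        $1 == "restrict" {
            a = ($2 == "-4" || $2 == "-6") ? 3 : 2   # skip address-family flag
            if ($a != "default") next
            for (i = a + 1; i <= NF; i++) if ($i == "noquery") found = 1
        }
        END { exit(found ? 0 : 1) }'
}
# query_allowed_entries: print the address of every non-default restrict entry
# carrying neither noquery nor ignore; these sources may still issue queries
# after the default line is hardened (the advisory's "remaining targets").
query_allowed_entries() {
    sed 's/#.*//' "$1" | awk '
        $1 == "restrict" {
            a = ($2 == "-4" || $2 == "-6") ? 3 : 2
            if ($a == "default") next
            blocked = 0
            for (i = a + 1; i <= NF; i++)
                if ($i == "noquery" || $i == "ignore") blocked = 1
            if (!blocked) print $a
        }'
}
# Constructed sample configurations (not taken from any real host).
WORK=$(mktemp -d)
cat > "$WORK/weak.conf" <<'EOF'
server 0.pool.ntp.org
# restrict default noquery   <- commented out, so not in effect
restrict default nomodify
restrict 127.0.0.1
EOF
cat > "$WORK/fixed.conf" <<'EOF'
server 0.pool.ntp.org
restrict default kod nomodify nopeer noquery
restrict 127.0.0.1              # local host keeps full query access
restrict 192.0.2.0 mask 255.255.255.0 nomodify noquery
EOF
for f in weak fixed; do
    if default_has_noquery "$WORK/$f.conf"; then echo "$f.conf: default noquery present"
    else echo "$f.conf: default line lacks noquery (amplification possible)"; fi
    query_allowed_entries "$WORK/$f.conf" | sed "s/^/$f.conf: may still query: /"
done
```

Run it against a copy of the real /etc/ntp.conf; any address it lists after the default line is hardened is one whose own restrict entry still permits mode 7 queries.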
ntpd source, update to:

        branch          file                                            revision
        HEAD            src/external/bsd/ntp/dist/ntpd/ntp_request.c
        netbsd-6        src/external/bsd/ntp/dist/ntpd/ntp_request.c    1.7.2.1
        netbsd-6-1      src/external/bsd/ntp/dist/ntpd/ntp_request.c    1.7.16.1
        netbsd-6-0      src/external/bsd/ntp/dist/ntpd/ntp_request.c    1.7.8.1
        netbsd-5        src/dist/ntp/ntpd/ntp_request.c                 1.8.4.2
        netbsd-5-2      src/dist/ntp/ntpd/ntp_request.c                 1.8.4.1.6.1
        netbsd-5-1      src/dist/ntp/ntpd/ntp_request.c                 1.8.4.1.2.1

default configuration file, update to:

        branch          file                    revision
        HEAD            src/etc/ntp.conf        1.18
        netbsd-6        src/etc/ntp.conf        1.14.2.1
        netbsd-6-1      src/etc/ntp.conf        1.14.16.1
        netbsd-6-0      src/etc/ntp.conf        1.14.8.1
        netbsd-5        src/etc/ntp.conf        1.9.20.1
        netbsd-5-2      src/etc/ntp.conf        1.9.36.1
        netbsd-5-1      src/etc/ntp.conf        1.9.28.1


Thanks To
=========

Thanks to Erik Fair for bringing the issue to our attention and suggesting
a fix.


Revision History
================

2014-01-07      Initial release


More Information
================

Advisories may be updated as new information becomes available. The most
recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-002.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $