The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of ntp.org: distributed denial of service via monlist

Synthesis of the vulnerability

An attacker can use the monlist command of ntp.org to trigger a distributed denial of service.
Severity of this weakness: 2/4.
Creation date: 31/12/2013.
References of this bulletin: 1532, BID-64692, c04084148, CERTA-2014-AVI-034, CERTFR-2014-AVI-069, CERTFR-2014-AVI-112, CERTFR-2014-AVI-117, CERTFR-2014-AVI-244, CERTFR-2014-AVI-526, CSCtd75033, CSCum44673, CSCum52148, CSCum76937, CSCun84909, CSCur38341, CVE-2013-5211, ESX400-201404001, ESX400-201404402-SG, ESX410-201404001, ESX410-201404402-SG, ESXi400-201404001, ESXi400-201404401-SG, ESXi410-201404001, ESXi410-201404401-SG, ESXi510-201404001, ESXi510-201404101-SG, ESXi510-201404102-SG, ESXi550-201403101-SG, FreeBSD-SA-14:02.ntpd, HPSBUX02960, JSA10613, MBGSA-1401, NetBSD-SA2014-002, openSUSE-SU-2014:0949-1, openSUSE-SU-2014:1149-1, sk98758, SSA:2014-044-02, SSRT101419, VIGILANCE-VUL-14004, VMSA-2014-0002, VMSA-2014-0002.1, VMSA-2014-0002.2, VMSA-2014-0002.4, VMSA-2015-0001.

Description of the vulnerability

The ntp.org service implements the "monlist" command, which returns the list of the last 600 clients that connected to the server.

However, the reply is larger than the query. Moreover, public NTP servers require no authentication, and the source address of UDP packets can be spoofed, so the large reply is sent to whichever address the query claims to come from.

An attacker can therefore use the monlist command of ntp.org to trigger a distributed denial of service.

This cybersecurity note impacts software or systems such as GAiA, CheckPoint IP Appliance, IPSO, Provider-1, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Cisco Router, Cisco CUCM, Cisco Unified CCX, Cisco MeetingPlace, FreeBSD, HP-UX, AIX, Juniper J-Series, Junos OS, Meinberg NTP Server, NetBSD, NTP.org, openSUSE, Solaris, Trusted Solaris, pfSense, Puppet, Slackware, ESX, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.

Our Vigil@nce team determined that the severity of this vulnerability is medium.

The trust level is "confirmed by the editor", with an origin of "internet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner-level skills can exploit this vulnerability.

Solutions for this threat

ntp.org: workaround for monlist.
A workaround is to configure:
  restrict default nomodify nopeer noquery notrap
  restrict -6 default nomodify nopeer noquery notrap
  restrict 127.0.0.1
  restrict -6 ::1
  restrict 127.127.1.0
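
The workaround above can be checked mechanically. The following Python audit is an added example, not code from ntp.org or from this bulletin; it assumes that a restrict line without -6 covers IPv4 only (as the two default lines of the workaround suggest), and the function names and both sample configurations are constructed for illustration.

```python
import ipaddress
# Constructed sample: the workaround lines from this bulletin.
HARDENED = """restrict default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""
# Constructed sample: IPv4 default lacks noquery, IPv6 default is missing.
WEAK = """restrict default nomodify notrap   # no noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify
"""
BLOCKING = {"noquery", "ignore"}  # flags that refuse ntpq/ntpdc queries

def parse_restrict(conf):
    """Yield (family, address, flags) for every 'restrict' line."""
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok, family = tok[1:], 4  # assumption: no -6 means IPv4 only
        if tok[0] in ("-4", "-6"):
            family, tok = int(tok[0][1]), tok[1:]
        if not tok:
            continue
        if ":" in tok[0]:
            family = 6
        # "mask <netmask>" tokens stay in the set; they never match a flag
        yield family, tok[0], set(tok[1:])

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # hostname or malformed address: treat as remote
        return False

def audit(conf):
    """Return findings; an empty list means queries are refused by default."""
    findings, default_blocked = [], {4: False, 6: False}
    for family, addr, flags in parse_restrict(conf):
        blocked = bool(flags & BLOCKING)
        if addr == "default":
            default_blocked[family] = blocked
        elif not blocked and not is_loopback(addr):
            findings.append(f"{addr}: queries allowed from a non-loopback address")
    findings += [f"IPv{f} default: noquery is not set"
                 for f, b in default_blocked.items() if not b]
    return findings
```

Calling audit() on the text of an ntp.conf file returns one line per gap; the loopback entries and the 127.127.1.0 local clock entry of the workaround are accepted without noquery.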

Meinberg NTP Server: workaround for monlist.
A workaround is indicated in the information source.

pfSense: version 2.1.1.
Version 2.1.1 is fixed:
  http://www.pfsense.org/

AIX: solution for NTP.
The solution is indicated in information sources.

Check Point Security Gateway: workaround for NTP.
If the NTP client is enabled, the NTP server is automatically started, so a workaround is to filter the NTP traffic.

Cisco IOS, XE, XR: solution CSCtd75033.
The solution CSCtd75033 is available:
  https://tools.cisco.com/bugsearch/bug/CSCtd75033

Cisco NX-OS: solution CSCum52148.
The solution CSCum52148 is available:
  https://tools.cisco.com/bugsearch/bug/CSCum52148

Cisco Unified Communications Manager: solution CSCum76937.
The solution CSCum76937 is available:
  https://tools.cisco.com/bugsearch/bug/CSCum76937

Cisco Unified Contact Center Express: solution CSCun84909.
The solution CSCun84909 is available:
  https://tools.cisco.com/bugsearch/bug/CSCun84909

Cisco Unified MeetingPlace: solution CSCur38341.
The solution CSCur38341 is available:
  https://tools.cisco.com/bugsearch/bug/CSCur38341

FreeBSD: patch for ntpd.
A patch is available:
  http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch

HP-UX: workaround for NTP.
A workaround is indicated in the information source.

Junos: fixed versions for NTP.
Fixed versions are indicated in information sources.

NetBSD: solution for ntpd.
The solution is indicated in information sources.

openSUSE: new ntp packages.
New packages are available:
  openSUSE 11.4: ntp 4.2.6p3-6.24.1
  openSUSE 12.3: ntp 4.2.6p5-9.6.1
  openSUSE 13.1: ntp 4.2.6p5-15.5.1

puppetlabs-ntp: version 4.1.1.
Version 4.1.1 is fixed:
  https://forge.puppetlabs.com/puppetlabs/ntp

Slackware: new ntp packages.
New packages are available:
  ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.6p5-i486-1_slack13.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.6p5-x86_64-1_slack13.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.6p5-i486-1_slack13.1.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.6p5-x86_64-1_slack13.1.txz
  ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.6p5-i486-1_slack13.37.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.6p5-x86_64-1_slack13.37.txz
  ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.6p5-i486-3_slack14.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.6p5-x86_64-3_slack14.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.6p5-i486-5_slack14.1.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.6p5-x86_64-5_slack14.1.txz

Solaris 11: version 11.1.13.6.0.
Version 11.1.13.6.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1601089.1

Solaris: patch for NTP.
A patch is available:
  SPARC: 143725-02
  X86: 143726-02
A workaround is to use noquery.

VMware ESX 4.0: patch ESX400-201404001.
A patch is available:
  ESX400-201404001.zip
  http://kb.vmware.com/kb/2068798

VMware ESX 4.1: patch ESX410-201404001.
A patch is available:
  ESX410-201404001.zip
  http://kb.vmware.com/kb/2072476

VMware ESXi 4.0: patch ESXi400-201404001.
A patch is available:
  ESXi400-201404001.zip
  http://kb.vmware.com/kb/2068805

VMware ESXi 4.1: patch ESXi410-201404001.
A patch is available:
  ESXi410-201404001.zip
  http://kb.vmware.com/kb/2072477

VMware ESXi 5.1: patch ESXi510-201404001.
A patch is available:
  ESXi510-201404001.zip
  http://kb.vmware.com/kb/2070666

VMware ESXi: version 5.5 Update 1.
Version 5.5 Update 1 is fixed:
  http://kb.vmware.com/kb/2065826

VMware vCenter Server Appliance: version 5.1 Update 3.
Version 5.1 Update 3 is fixed.

VMware vCenter Server Appliance: version 5.5 Update 1.
Version 5.5 Update 1 is fixed.