Network Time Protocol Daemon (ntpd) 'monlist' DoS
Medium Nessus Network Monitor Plugin ID 700174
SynopsisThe remote network time server can be affected by a denial of service vulnerability.
DescriptionThe version of ntpd running on the remote host is vulnerable to a DoS attack if the 'monlist' command is enabled. The 'monlist' command returns a list of recent hosts that have connected to the service. However, it is affected by a denial of service vulnerability in ntp_request.c that allows an unauthenticated, remote attacker to saturate network traffic to a specific IP address by using forged REQ_MON_GETLIST or REQ_MON_GETLIST_1 requests. Furthermore, an attacker can exploit this issue to conduct reconnaissance or distributed denial of service (DDoS) attacks.
SolutionIf using NTP from the Network Time Protocol Project, upgrade to NTP version 4.2.7-p26 or later. Alternatively, add 'disable monitor' to the ntp.conf configuration file and restart the service. Otherwise, limit access to the affected service to trusted hosts, or contact the vendor for a fix.