Network Time Protocol Daemon (ntpd) 'monlist' DoS

medium Nessus Network Monitor Plugin ID 700174

Synopsis

The remote network time server can be affected by a denial of service vulnerability.

Description

The version of ntpd running on the remote host is vulnerable to a DoS attack if the 'monlist' command is enabled. The 'monlist' command returns a list of recent hosts that have connected to the service. However, it is affected by a denial of service vulnerability in ntp_request.c that allows an unauthenticated, remote attacker to saturate network traffic to a specific IP address by using forged REQ_MON_GETLIST or REQ_MON_GETLIST_1 requests. Furthermore, an attacker can exploit this issue to conduct reconnaissance or distributed denial of service (DDoS) attacks.

Solution

If using NTP from the Network Time Protocol Project, upgrade to NTP version 4.2.7-p26 or later. Alternatively, add 'disable monitor' to the ntp.conf configuration file and restart the service. Otherwise, limit access to the affected service to trusted hosts, or contact the vendor for a fix.

See Also

https://isc.sans.edu/diary/NTP+reflection+attack/17300

http://bugs.ntp.org/show_bug.cgi?id=1532

http://www.nessus.org/u?d6217ebf

Plugin Details

Severity: Medium

ID: 700174

Family: Generic

Published: 8/18/2017

Updated: 3/6/2019

Nessus ID: 71783

Risk Information

VPR

Risk Factor: Medium

Score: 5.1

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:X

Vulnerability Information

CPE: cpe:/a:ntp:ntp

Patch Publication Date: 1/2/2014

Vulnerability Publication Date: 1/2/2014

Reference Information

CVE: CVE-2013-5211