As I type this, my NTPD server is under a DoS attack from a botnet, using a vulnerability known since late 2013. The ports tree urgently needs to be upgraded to NTP 4.2.7.p26; it currently has 4.2.6p2, which is vulnerable. I have since firewalled inbound ntp/udp, as I am not peering. More information at http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using Please address. Thanks. -- Dave
Thanks for your report Dave. The net/ntp port is currently marked FORBIDDEN, with a reference to the CVE (CVE-2013-5211) you referenced. The net/ntp-devel port has version 4.2.7p470 which is not vulnerable. I'm not sure if you knew this or not. Until such time as the net/ntp port is updated, I would recommend upgrading (replacing) net/ntp with net/ntp-devel. Assigning to maintainer.
Agreed. Our upline will not update their stable branch of ntpd (http://www.ntp.org/downloads.html) and have stated that the development branch should be used instead. The workaround, discussed in https://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc, is to add the following to your ntp.conf:

    restrict -4 default nomodify nopeer noquery notrap
    restrict -6 default nomodify nopeer noquery notrap
    restrict 127.0.0.1
    restrict -6 ::1
    restrict 127.127.1.0

The ntp port is marked FORBIDDEN and ntp-devel should be used until our upline releases ntp GA. The -devel port is updated from weekly to daily depending on upline release. Maintaining two ports with -devel code is unreasonable.
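The following is an added example, not code from this PR, the ports tree or ntp.org. It shows two checks a practitioner would want around this report: what the CVE-2013-5211 "monlist" query actually looks like on the wire (the mode 7 MON_GETLIST_1 request that ntpdc sends, and the 72-byte info_monitor_1 records that a vulnerable server answers with, up to six per reply), how to measure the amplification factor from the replies, and whether an ntp.conf carries the restrict workaround quoted above. The sample reply below is constructed for the test and is not a capture from Dave's server; the probe function touches the network and is only there so the script can be pointed at a real host.

```python
"""Probe for the NTP mode 7 "monlist" amplifier (CVE-2013-5211) and check an
ntp.conf for the restrict workaround from FreeBSD-SA-14:02.ntpd."""
import socket
import struct

# Mode 7 (private) header: rm_vn_mode, auth_seq, implementation, request,
# err_nitems, mbz_itemsize.  0x17 = version 2, mode 7, response/more bits
# clear; IMPL_XNTPD = 3; MON_GETLIST_1 = 42.  The whole request is 8 bytes.
MODE7_HEADER = struct.Struct("!BBBBHH")
MONLIST_REQUEST = MODE7_HEADER.pack(0x17, 0x00, 3, 42, 0, 0)
# info_monitor_1: lasttime firsttime lastdrop count addr daddr flags port
# mode version v6_flag unused1 addr6 daddr6 (72 bytes per monitored client).
MON_ENTRY = struct.Struct("!IIIIIIIHBBII16s16s")

# The restrict lines from the advisory, as quoted in this thread.
WORKAROUND_CONF = """\
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""


def parse_mode7_response(pkt):
    """Decode one mode 7 reply; returns more-bit, error code and decoded entries."""
    if len(pkt) < MODE7_HEADER.size:
        raise ValueError("packet shorter than mode 7 header")
    rm_vn_mode, _seq, impl, req, err_nitems, mbz_itemsize = MODE7_HEADER.unpack_from(pkt)
    if rm_vn_mode & 0x07 != 7 or not rm_vn_mode & 0x80:
        raise ValueError("not a mode 7 response")
    nitems = err_nitems & 0x0FFF           # low 12 bits: item count
    item_size = mbz_itemsize & 0x0FFF      # low 12 bits: bytes per item
    body = pkt[MODE7_HEADER.size:]
    if len(body) < nitems * item_size:
        raise ValueError("truncated item list")
    entries = []
    if impl == 3 and req == 42 and item_size == MON_ENTRY.size:
        for i in range(nitems):
            f = MON_ENTRY.unpack_from(body, i * item_size)
            addr = (socket.inet_ntop(socket.AF_INET6, f[12]) if f[10]
                    else socket.inet_ntoa(struct.pack("!I", f[4])))
            entries.append({"addr": addr, "port": f[7], "count": f[3]})
    return {"more": bool(rm_vn_mode & 0x40), "error": err_nitems >> 12,
            "nitems": nitems, "entries": entries, "size": len(pkt)}


def amplification_factor(request, responses):
    """Bytes returned per byte sent, which is what the botnet operator cares about."""
    return sum(len(r) for r in responses) / len(request)


def probe_monlist(host, port=123, timeout=2.0):
    """Send one monlist request and collect every reply (live network; not run by the test)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    replies = []
    try:
        s.sendto(MONLIST_REQUEST, (host, port))
        while True:
            data, _ = s.recvfrom(65535)
            replies.append(data)
            if not parse_mode7_response(data)["more"]:
                break
    except socket.timeout:
        pass
    finally:
        s.close()
    return replies


def default_restrict_blocks_queries(conf_text):
    """True when the IPv4 and IPv6 default restrict lines both carry 'noquery',
    which makes ntpd refuse mode 6/7 queries (monlist included) from the world."""
    seen = {"-4": False, "-6": False}
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        families, rest = ["-4", "-6"], words[1:]
        if rest[0] in ("-4", "-6"):
            families, rest = [rest[0]], rest[1:]
        if rest and rest[0] == "default" and "noquery" in rest[1:]:
            for fam in families:
                seen[fam] = True
    return seen["-4"] and seen["-6"]


def sample_monlist_response():
    """Constructed reply with two monitor entries, shaped like a 4.2.6 server's
    answer (sample data for the test, not a capture)."""
    items = b"".join(
        MON_ENTRY.pack(1000, 10, 0, count, struct.unpack("!I", socket.inet_aton(ip))[0],
                       0, 0, 123, 3, 4, 0, 0, b"\0" * 16, b"\0" * 16)
        for ip, count in (("192.0.2.10", 57), ("198.51.100.7", 3)))
    # 0x97 = response bit set, version 2, mode 7; err 0, nitems 2; itemsize 72.
    return MODE7_HEADER.pack(0x97, 0x00, 3, 42, 2, MON_ENTRY.size) + items


if __name__ == "__main__":
    r = sample_monlist_response()
    print(parse_mode7_response(r), amplification_factor(MONLIST_REQUEST, [r]))
```

Even two entries give a 19x return on the 8-byte request; a busy server answering with 100 full replies of six entries each is where the multi-hundred-fold factor in the advisory comes from. Note that the restrict check only looks at the default lines: a narrower `restrict` for a trusted subnet may legitimately omit `noquery`, and `disable monitor` is the other way to remove the monlist table entirely.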
Cy, perhaps we can improve the UX by improving the FORBIDDEN message. How does something like the following sound:

    FORBIDDEN= CVE-2013-5211 - Please use net/ntp-devel, pending upstream stable branch update

Also, the "#" string in the current forbidden message is parsed as a comment and the rest of the value is truncated. Intentional?
I'll commit that. The # was an oversight.
A commit references this bug:

Author: cy
Date: Sat Sep 6 16:22:17 UTC 2014
New revision: 367448
URL: http://svnweb.freebsd.org/changeset/ports/367448

Log:
  Update FORBIDDEN message.

  PR:           193303
  Submitted by: koobs

Changes:
  head/net/ntp/Makefile