Bug 193303 - [SECURITY]: net/ntp: Current port version (4.2.6p5_3) is vulnerable. Requesting update (or merge from net/ntp-devel)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Cy Schubert
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-04 04:26 UTC by dave
Modified: 2014-09-06 16:22 UTC (History)
Description dave 2014-09-04 04:26:17 UTC
As I type this, my NTPD server is under a DoS attack from a botnet, using a vulnerability known since late 2013.  The ports tree urgently needs to be upgraded to NTP 4.2.7.p26; it currently has 4.2.6p2, which is vulnerable.

I have since firewalled inbound ntp/udp, as I am not peering.

More information at http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

Please address.  Thanks.

-- Dave
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2014-09-04 05:27:18 UTC
Thanks for your report Dave.

The net/ntp port is currently marked FORBIDDEN, with a reference to the CVE (CVE-2013-5211) you referenced.

The net/ntp-devel port has version 4.2.7p470 which is not vulnerable. I'm not sure if you knew this or not.

Until such time as the net/ntp port is updated, I would recommend upgrading (replacing) net/ntp with net/ntp-devel.

Assigning to maintainer.
Comment 2 Cy Schubert freebsd_committer freebsd_triage 2014-09-04 20:09:50 UTC
Agreed. Our upline will not update their stable branch of ntpd (http://www.ntp.org/downloads.html) and have stated that the development branch should be used instead. The workaround, discussed in https://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc, is to add the following to your ntp.conf:

restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

The ntp port is marked FORBIDDEN and ntp-devel should be used until our upline releases ntp GA. The -devel port is updated from weekly to daily depending on upline release. Maintaining two ports with -devel code is unreasonable.
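The following is an added example, not code from this bug report, the FreeBSD ports tree or the ntp project. It parses the `restrict` directives of an ntp.conf and reports whether the IPv4 and IPv6 default policies carry the four flags from the FreeBSD-SA-14:02.ntpd workaround quoted above (`noquery` is the one that stops ntpd answering the mode 7 `monlist` request that CVE-2013-5211 amplification traffic relies on; `ignore` is accepted as an even stricter alternative). The two configurations are constructed samples: one without any default restriction, one with the advisory's lines added.

```python
"""Check an ntp.conf for the restrict-based mitigation of CVE-2013-5211.

Added example for this bug thread; not part of the ntp project or the port.
Parses `restrict [-4|-6] <addr|default> [mask m] [flag ...]` lines and
reports which of the advisory's flags are missing from the default policy.
"""

# Constructed sample: no default restriction, ntpd answers monlist to anyone.
WEAK_CONF = """\
# ntp.conf without default restrictions (constructed sample)
server 0.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
"""

# Constructed sample: the same file with the FreeBSD-SA-14:02.ntpd lines added.
HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""

# Flags the advisory's workaround puts on the default restriction.
REQUIRED_FLAGS = {"nomodify", "nopeer", "noquery", "notrap"}


def parse_restrict_lines(conf_text):
    """Return a list of (family, target, flags) for each restrict directive.

    family is '-4', '-6' or None (unspecified); target is an address or
    'default'; flags is the set of keywords after the address and any mask.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] != "restrict":
            continue
        parts = parts[1:]
        family = None
        if parts and parts[0] in ("-4", "-6"):
            family = parts[0]
            parts = parts[1:]
        if not parts:
            continue  # malformed line: restrict with no address
        target, rest = parts[0], parts[1:]
        flags = set()
        i = 0
        while i < len(rest):
            if rest[i] == "mask" and i + 1 < len(rest):
                i += 2  # skip "mask x.x.x.x"; it is not a flag
                continue
            flags.add(rest[i])
            i += 1
        entries.append((family, target, flags))
    return entries


def default_policy(entries):
    """Map '-4' and '-6' to the flag set of their `restrict default` line.

    A family-less `restrict default` applies to both families. None means no
    default restriction exists, i.e. ntpd's built-in allow-everything policy.
    """
    policy = {"-4": None, "-6": None}
    for family, target, flags in entries:
        if target != "default":
            continue
        for fam in (("-4", "-6") if family is None else (family,)):
            policy[fam] = flags
    return policy


def check_conf(conf_text):
    """Return {family: sorted list of missing flags}; empty lists mean OK.

    `ignore` denies every packet for that policy, so it satisfies all flags.
    """
    findings = {}
    for family, flags in default_policy(parse_restrict_lines(conf_text)).items():
        if flags is None:
            findings[family] = sorted(REQUIRED_FLAGS)
        elif "ignore" in flags:
            findings[family] = []
        else:
            findings[family] = sorted(REQUIRED_FLAGS - flags)
    return findings


def is_mitigated(conf_text):
    """True when both address families carry the full workaround."""
    return all(not missing for missing in check_conf(conf_text).values())


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        verdict = "mitigated" if is_mitigated(conf) else "exposed"
        print(f"{name}: {verdict} {check_conf(conf)}")
```

Running it against a real file is a matter of passing `open("/etc/ntp.conf").read()` to `check_conf`; the checker only looks at the `default` policy on purpose, since per-host `restrict` lines such as `restrict 127.0.0.1` relax, rather than tighten, what the default allows.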
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2014-09-06 05:50:41 UTC
Cy,

Perhaps we can improve the UX by improving the FORBIDDEN message. How does something like the following sound:

FORBIDDEN= CVE-2013-5211 - Please use net/ntp-devel, pending upstream stable branch update

Also, the "#" string in the current forbidden message is parsed as a comment and the rest of the value is truncated. Intentional?
Comment 4 Cy Schubert freebsd_committer freebsd_triage 2014-09-06 16:22:02 UTC
I'll commit that. The # was an oversight.
Comment 5 commit-hook freebsd_committer freebsd_triage 2014-09-06 16:22:52 UTC
A commit references this bug:

Author: cy
Date: Sat Sep  6 16:22:17 UTC 2014
New revision: 367448
URL: http://svnweb.freebsd.org/changeset/ports/367448

Log:
  Update FORBIDDEN message.

  PR:		193303
  Submitted by:	koobs

Changes:
  head/net/ntp/Makefile