中危 NTP Project ntpd 4.2.6 monlist Functionality ntp_request.c query 拒绝服务漏洞

CVE编号

CVE-2013-5211

利用情况

EXP 已公开

补丁情况

官方补丁

披露时间

2014-01-03

漏洞描述

NTP是用来使计算机时间同步化的一种协议。 NTP中NTPD中的monlist(ntp_request.c)功能存在安全漏洞，允许远程攻击者利用漏洞伪造REQ_MON_GETLIST或REQ_MON_GETLIST_1请求来放大流量，对目标系统进行拒绝服务攻击。

解决建议

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ntp-dev-4.2.7p26.tar.gz

参考链接
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory.asc
http://bugs.ntp.org/show_bug.cgi?id=1532
http://ics-cert.us-cert.gov/advisories/ICSA-14-051-04
http://lists.ntp.org/pipermail/pool/2011-December/005616.html
http://lists.opensuse.org/opensuse-updates/2014-09/msg00031.html
http://marc.info/?l=bugtraq&m=138971294629419&w=2
http://marc.info/?l=bugtraq&m=144182594518755&w=2
http://openwall.com/lists/oss-security/2013/12/30/6
http://openwall.com/lists/oss-security/2013/12/30/7
http://secunia.com/advisories/59288
http://secunia.com/advisories/59726
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095861
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095892
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ntp-dev-4.2.7p26.tar.gz
http://www.kb.cert.org/vuls/id/348126
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://www.securityfocus.com/bid/64692
http://www.securitytracker.com/id/1030433
http://www.us-cert.gov/ncas/alerts/TA14-013A
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n...
https://puppet.com/security/cve/puppetlabs-ntp-nov-2015-advisory

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	ntp	ntp	4.2.7	-
	运行在以下环境
	系统	amazon_2	ntp	*		Up to (excluding) 4.2.8p15-3.amzn2.0.4
	运行在以下环境
	系统	amazon_AMI	ntp	*		Up to (excluding) 4.2.8p11-1.37.amzn1
	运行在以下环境
	系统	debian_10	ntp	*		Up to (excluding) 1:4.2.8p3+dfsg-1
	运行在以下环境
	系统	debian_11	ntp	*		Up to (excluding) 1:4.2.8p3+dfsg-1
	运行在以下环境
	系统	opensuse	opensuse	11.4	-
	运行在以下环境
	系统	oracle_6	oraclelinux-release	*		Up to (excluding) 4.2.6p5-10.0.1.el6.1
	运行在以下环境
	系统	oracle_7	oraclelinux-release	*		Up to (excluding) 4.2.6p5-22.0.1.el7_2.2
	运行在以下环境
	系统	suse_12	ntp	*		Up to (excluding) 4.2.6p5-24

阿里云评分 5.1

• 攻击路径 远程
• 攻击复杂度 容易
• 权限要求 无需权限
• 影响范围 有限影响
• EXP成熟度 EXP 已公开
• 补丁情况 官方补丁
• 数据保密性 无影响
• 数据完整性 传输被破坏
• 服务器危害 DoS
• 全网数量 N/A

CWE-ID	漏洞类型
CWE-20	输入验证不恰当

Exp相关链接

• https://github.com/dani87/ntpscanner
• https://github.com/sepehrdaddev/ntpdos
• https://github.com/suedadam/ntpscanner
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/ntp/ntp_monlist.rb
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/ntp/ntp_readvar.rb
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/portmap/portmap_amp.rb
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/udp/udp_amplification.rb
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/upnp/ssdp_amp.rb
• https://www.exploit-db.com/exploits/33073

- avd.aliyun.com